|
Bugtraq
mailing list archives
Re: Has anyone implemented "double forward DNS"?
From: The Fungi <fungi () yuggoth org>
Date: Wed, 3 Sep 2008 03:42:32 +0000
On Sat, Aug 30, 2008 at 01:05:51AM +0100, Duncan Simpson wrote:
[...]
Of course if the bad guy also controls the client's information
about the reverse zone it still loses.
Under what circumstances do you expect the attacker to be able to
spoof/poison responses for one query but not the other?
The major problem I can see is that there might that hosts in
ISP's dynamically allocated address pools might all fail double
forward DNS checks.
[...]
How about a the very common situation of name-based virtual hosting?
Do you propose a round-robin of multiple pointer resource records
for a single IP address, one for each domain hosted at that same
address? That could easily exceed a resolver's maximum response
length...
--
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi () yuggoth org); IRC(fungi () irc yuggoth org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi () yuggoth org);
MUD(fungi () katarsis mudpy org:6669); WWW(http://fungi.yuggoth.org/); }
 By Date 
By Thread
Current thread:
| 
Intro
