Reverse DNS RFCs and Recommendations
On Tue, Nov 5, 2013 at 6:00 PM, Masataka Ohta <mohta at necom830.hpcl.titech.ac.jp> wrote:
> Sander Steffann wrote:
> >>...
>
> You're linking things together that are completely orthogonal...
>
> You misunderstand very basic points on why forward and reverse
> DNS checking is useful.
>
Just to note... the main reason checking reverse DNS stays useful is
that it is so hard to change in many cases.

Specifically: if a server at some IP address X is under the control of a
spammer, and rDNS is not set up, or rDNS points to some
dynamic-looking hostname,
it will be difficult or not possible for the spammer to modify the RDNS of
the IP address, in many cases; the RDNS is most often managed by the ISP.
Or it may be in a DNS infrastructure running on separate networks, with
separate access credentials.

If RDNS were easy to change, e.g. if you just needed to guess a password
to the server, and get signing key information from a DHCP transaction,
the spammer would just change it.

Delegating "Secure RDNS update" with prefix delegation may, in fact,
make RDNS information so easy to publish that the spammers of the
world can do it, after compromising a router or host on the victim
network, and just "Registering the better hostname in the DNS".

The update process may be "secure", but there are new attack vectors.

The value of even looking at RDNS, let alone worrying about
Forward+Reverse DNS agreement/confirmation, may not translate well to
IPv6.
--
-JH
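
The forward+reverse check the message refers to, sketched from the receiving side as an added example (not part of the original message). The PTR/forward tables are constructed data on documentation address ranges standing in for live DNS, and the "dynamic-looking" pattern and verdict labels are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed zone data (documentation ranges); stands in for live DNS lookups.
PTR = {
    "192.0.2.10": ["mail.example.org."],
    "192.0.2.77": ["host-192-0-2-77.dyn.example.net."],
    "198.51.100.5": ["mx.example.com."],
    "2001:db8::25": ["mail6.example.org."],
}
FWD = {
    "mail.example.org.": ["192.0.2.10"],
    "host-192-0-2-77.dyn.example.net.": ["192.0.2.77"],
    "mx.example.com.": ["203.0.113.9"],  # forward record does not point back
    "mail6.example.org.": ["2001:db8:0:0:0:0:0:25"],  # same address, other spelling
}

# Assumed heuristic: address octets or access-pool keywords embedded in the name.
DYNAMIC = re.compile(
    r"(\d{1,3}[-.]){3}\d{1,3}"
    r"|(^|[-.])(dyn|dynamic|dhcp|pool|dsl|cable|ppp)([-.\d]|$)",
    re.I,
)

def classify(ip, ptr_lookup=PTR.get, fwd_lookup=FWD.get):
    """Return 'no-rdns', 'unconfirmed', 'dynamic-looking' or 'confirmed'."""
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(str(addr)) or []
    if not names:
        return "no-rdns"
    # Keep only PTR names whose forward records resolve back to the same
    # address; compare parsed addresses so IPv6 text forms do not matter.
    confirmed = [
        name for name in names
        if any(ipaddress.ip_address(a) == addr
               for a in fwd_lookup(name.lower()) or [])
    ]
    if not confirmed:
        return "unconfirmed"
    if all(DYNAMIC.search(name) for name in confirmed):
        return "dynamic-looking"
    return "confirmed"

if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.77", "198.51.100.5",
               "203.0.113.50", "2001:db8::25"]:
        print(ip, classify(ip))
```

To run it against real DNS, pass resolver-backed callables as `ptr_lookup` and `fwd_lookup`; the verdict is only as trustworthy as the party that controls the reverse zone.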