Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)

From: Matt Piechota (piechota@argolis.org)
Date: 11/13/02


Date: Tue, 12 Nov 2002 19:10:32 -0500 (EST)
From: Matt Piechota <piechota@argolis.org>
To: Michael Carew <MichaelCarew@bytecraftsystems.com>

On Wed, 13 Nov 2002, Michael Carew wrote:

> At least limiting it prevents someone setting up an authoritative server,
> then making a query to that domain off your name server.
>
> They are then reliant on a legitimate client querying the server with the
> malicious content, rather than them doing it themselves.
>
> Reducing the chances substantially, I would imagine.

Not as much as you'd think. If you use tcpwrappers and something like
*.foo.edu, it'll do a reverse lookup to find out if a.b.c.d matches
*.foo.edu. I think other things do at least reverse lookups as well (i.e.,
so 'w' shows what host I'm connecting from vs. what IP).

It's a little more difficult to have a reverse DNS domain, but not much.
Besides, I think there are a few services that do a reverse and then a forward
lookup to see if the names match. (I think I remember reading that.)

-- 
Matt Piechota
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
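The two checks Matt contrasts, a plain reverse lookup versus a reverse lookup followed by a forward lookup that must agree (what tcpwrappers calls the PARANOID check), as an added example that is not part of the original thread. The resolver data is a constructed in-memory table rather than live DNS, so the script runs offline; in a real daemon the same functions would be fed by socket.gethostbyaddr and socket.gethostbyname_ex. The pattern `*.foo.edu` is matched with fnmatch, a simplification of tcpwrappers' own `.foo.edu` suffix syntax.

```python
import fnmatch
from typing import Dict, List, Optional

# Constructed sample resolver data (not real DNS). 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges.
PTR_TABLE: Dict[str, str] = {
    "192.0.2.10": "host1.foo.edu",      # honest: PTR and A records agree
    "198.51.100.7": "trusted.foo.edu",  # attacker controls the reverse zone
}                                       # and claims a name under foo.edu
A_TABLE: Dict[str, List[str]] = {
    "host1.foo.edu": ["192.0.2.10"],
    "trusted.foo.edu": ["192.0.2.20"],  # the real foo.edu forward zone
}                                       # does not point at 198.51.100.7


def reverse_only(ip: str, ptr: Dict[str, str] = PTR_TABLE) -> Optional[str]:
    """Name from the PTR record alone. Whoever runs the reverse zone for
    the client's address block chooses this string, so it proves nothing."""
    return ptr.get(ip)


def forward_confirmed(ip: str,
                      ptr: Dict[str, str] = PTR_TABLE,
                      a: Dict[str, List[str]] = A_TABLE) -> Optional[str]:
    """PARANOID-style check: take the PTR name, then resolve that name
    forward and require the original IP to be among its addresses. The
    forward zone is owned by the domain being claimed, so a forged PTR
    fails unless the attacker also controls that zone."""
    name = ptr.get(ip)
    if name is None:
        return None
    if ip not in a.get(name, []):
        return None  # PTR/A mismatch: treat the client as unnamed
    return name


def allowed(ip: str, pattern: str, paranoid: bool = True) -> bool:
    """Access-list decision for a hostname pattern such as '*.foo.edu'."""
    name = forward_confirmed(ip) if paranoid else reverse_only(ip)
    if name is None:
        return False
    return fnmatch.fnmatch(name.lower(), pattern.lower())


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, "reverse-only:", allowed(ip, "*.foo.edu", paranoid=False),
              "forward-confirmed:", allowed(ip, "*.foo.edu"))
```

The honest host passes both checks; the host whose reverse zone claims `trusted.foo.edu` is admitted by the reverse-only rule but rejected once the forward lookup is required. This is also why the advisory's cache-poisoning risk matters: if the resolver that answers the forward query can be poisoned, the forward confirmation is no stronger than the reverse lookup it was meant to verify.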

