Re: Has anyone implemented "double forward DNS"?



On Sat, Aug 30, 2008 at 01:05:51AM +0100, Duncan Simpson wrote:
[...]
Of course if the bad guy also controls the client's information
about the reverse zone it still loses.

Under what circumstances do you expect the attacker to be able to
spoof/poison responses for one query but not the other?

The major problem I can see is that there might that hosts in
ISP's dynamically allocated address pools might all fail double
forward DNS checks.
[...]

How about a the very common situation of name-based virtual hosting?
Do you propose a round-robin of multiple pointer resource records
for a single IP address, one for each domain hosted at that same
address? That could easily exceed a resolver's maximum response
length...
--
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@xxxxxxxxxxx); IRC(fungi@xxxxxxxxxxxxxxx#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@xxxxxxxxxxx);
MUD(fungi@xxxxxxxxxxxxxxxxxx:6669); WWW(http://fungi.yuggoth.org/); }