Re: IPv6 and Dynamic DNS
>Dean Anderson wrote:
>>
>> Having reverse dns mappings is no security at all. Both are
>> easily spoofed. Having a valid reverse map does not make
>> the connection any more or less trustworthy. Only really
>> stupid admins make trust decisions based on DNS information.
>
>How do you spoof a forward mapping, without exploiting
>some known (and presumably, fixed) bug?
>
>
>I trust . to not lie about the delegation of .com.; I trust
>.com. to not lie about the delegation of .whistle.com.; I
>trust .whistle.com. to not lie about host names in its zone
>of control, or its delegations, and so on.
You break into the machine that is serving whistle.com
and you change its DNS records. Doubtless others have
also been attacked by this method.
Checking forward against reverse DNS is still better than nothing.
A cracker must at least crack both servers to fake that, or use
some other, perhaps more difficult, method.
Thanks,
John
--
John S. Quarterman <jsq@mids.org>
President, Matrix Information and Directory Services (MIDS)
mids@mids.org, http://www.mids.org, +1-512-451-7602, fax: +1-512-452-0127
1106 Clayton Lane, Suite 501W, Austin, TX 78723, U.S.A.
See our new Matrix IQ: http://www.miq.net/
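The forward-confirmed reverse DNS check John describes ("checking forward against reverse"), as an added illustration that is not part of the original thread: the lookups read from a constructed in-memory table so the example runs offline, and the zone names and addresses are invented; in practice the two lookup functions would be replaced by calls to a real resolver library.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example, not code from the original mailing-list thread. The
reverse and forward zones below are constructed sample data; swap the
two lookup functions for real resolver calls to use it against live DNS.
"""
from typing import Callable, List, Optional

# Constructed forward zone (hypothetical example.test) and reverse zone
# (2.0.192.in-addr.arpa), standing in for two separately administered servers.
FORWARD_ZONE = {
    "mail.example.test.": ["192.0.2.10"],
    "www.example.test.": ["192.0.2.20"],
}
REVERSE_ZONE = {
    "192.0.2.10": ["mail.example.test."],
    # A PTR that claims a name whose A record does not point back here:
    # the reverse zone alone has been altered, the forward zone has not.
    "192.0.2.30": ["mail.example.test."],
    # A PTR naming a host that does not exist in the forward zone at all.
    "192.0.2.40": ["ghost.example.test."],
}

Lookup = Callable[[str], List[str]]


def reverse_lookup(ip: str) -> List[str]:
    """PTR lookup: address -> hostnames (reads the constructed table)."""
    return REVERSE_ZONE.get(ip, [])


def forward_lookup(name: str) -> List[str]:
    """A lookup: hostname -> addresses (reads the constructed table)."""
    return FORWARD_ZONE.get(name, [])


def fcrdns(ip: str, rev: Lookup = reverse_lookup, fwd: Lookup = forward_lookup) -> Optional[str]:
    """Return the first PTR name whose forward lookup contains `ip`, else None.

    A name is accepted only when the reverse zone and the forward zone agree,
    which is the property John points out: altering one server's records
    is not enough to pass this check.
    """
    for name in rev(ip):
        if ip in fwd(name):
            return name
    return None


def classify(ip: str, rev: Lookup = reverse_lookup, fwd: Lookup = forward_lookup) -> str:
    """Label an address for logging: confirmed, ptr-only (zones disagree), or no-ptr."""
    names = rev(ip)
    if not names:
        return "no-ptr"
    return "confirmed" if fcrdns(ip, rev, fwd) else "ptr-only"


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.30", "192.0.2.40", "192.0.2.99"):
        print(addr, classify(addr), fcrdns(addr))
```

The "ptr-only" outcome is the interesting one for a defender: it is exactly the case where the reverse mapping has been changed without the matching forward record, so it deserves a log line rather than silent acceptance. As the thread says, a consistent pair still only proves that both zones agree, not that the host is trustworthy.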