Reverse DNS lookup

Answered Question
Aug 14th, 2008

General question for anyone and everyone:


Why would a website perform a forward and reverse lookup on the requesting client's IP address before allowing that client to access the website itself?


robertson.michael Fri, 08/15/2008 - 17:50
User Badges:
  • Silver, 250 points or more

Hi Yu-Cheng,


One reason is that a web server can use this information for access control.


Hope that helps.


-Mike

mhellman Mon, 08/18/2008 - 14:20
User Badges:
  • Blue, 1500 points or more

Do you mean a reverse lookup on the IP and then a forward lookup on the resulting hostname? We could probably provide more information if you gave us more. What site/app? In certain [niche] situations (i.e. web apps that are not necessarily designed for broad public Internet use), it might be useful as a security control.


I am struggling to come up with a strong use case though. I think the main requirement for this to be [marginally] useful is DNS control over the domain you're wanting to allow access from. Let's say you have an arrangement with an ISP to provide "home office" Internet access to employees across the country/globe. You don't want to concern yourself with the network addressing used by the ISP. Your requirement could simply be that the ISP set up all home office IP addresses to have matching PTR and A records, and that all A records point to the same particular domain. So, when you get a connection you do a PTR lookup. The resulting hostname must be part of said particular domain, and then you do an A record lookup on that hostname. The IP address must match.


Seems like a lot of work for not a lot of gain though, and it certainly is no substitute for real authentication/authorization.
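The check described in the post above (PTR lookup, hostname must lie within the domain you control, forward A lookup must return the same address), written out as an added example that is not part of this thread. The two lookup functions read constructed record tables so the code runs offline; the domain homeoffice.example.net and all addresses are made-up values, and in a real deployment those two callables would wrap your resolver library.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed record tables standing in for a live resolver (assumption: a real
# deployment would wrap its DNS library in these two callables instead).
PTR_RECORDS: Dict[str, List[str]] = {
    "198.51.100.10": ["office10.homeoffice.example.net."],  # consistent pair
    "198.51.100.11": ["office11.homeoffice.example.net."],  # A record disagrees
    "198.51.100.12": ["mail.other.example.org."],           # outside our domain
}
A_RECORDS: Dict[str, List[str]] = {
    "office10.homeoffice.example.net.": ["198.51.100.10"],
    "office11.homeoffice.example.net.": ["203.0.113.5"],
    "mail.other.example.org.": ["198.51.100.12"],
}

def lookup_ptr(ip: str) -> List[str]:
    return PTR_RECORDS.get(ip, [])

def lookup_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])

def fcrdns_allowed(client_ip: str, allowed_domain: str,
                   ptr: Callable[[str], List[str]] = lookup_ptr,
                   a: Callable[[str], List[str]] = lookup_a) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS gate: IP -> PTR name inside allowed_domain
    -> A records -> must contain the same IP. Returns (allowed, reason)."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "invalid ip"
    suffix = "." + allowed_domain.strip(".").lower() + "."
    names = ptr(str(ip))
    if not names:
        return False, "no PTR record"
    # Only hostnames within the domain we control count; a PTR pointing
    # anywhere else is rejected even if its A record would match.
    candidates = [n.lower().rstrip(".") + "." for n in names]
    in_domain = [n for n in candidates if n.endswith(suffix)]
    if not in_domain:
        return False, "PTR outside allowed domain"
    for host in in_domain:
        # The forward lookup may return several A records; the original
        # client address must be one of them.
        if any(ipaddress.ip_address(x) == ip for x in a(host)):
            return True, "confirmed " + host
    return False, "forward lookup does not confirm"

if __name__ == "__main__":
    for c in ("198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.99"):
        print(c, fcrdns_allowed(c, "homeoffice.example.net"))
```

Passing this check only shows that the address's reverse zone and the forward zone it names are under cooperative control; as the post says, it identifies a network arrangement, not a user.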

yuchenglai Tue, 08/19/2008 - 17:19

It is a lot of work, and it seems that the administrators of this site are using this as a substitute for real authentication/authorization. The site is indeed designed only for the employees and/or members of the organization via the internet. The only way users can access the site is if the IP addresses of their machines have both an A and a PTR record that point back to those same IP addresses. This is marginally beneficial from a security standpoint, as those IP addresses can be easily spoofed, at which point the A and PTR records will serve no use from a security standpoint.

mhellman Wed, 08/20/2008 - 05:09
User Badges:
  • Blue, 1500 points or more

Unless you are "in the path", I believe that IP address spoofing for the purpose of hijacking a TCP session is non-trivial on a modern OS with good random sequencing. Throw TLS into the mix and session hijacking is even harder.


Depending on the application (e.g. low risk), it might be a risk-appropriate control.

yuchenglai Wed, 08/20/2008 - 05:15

Agreed. Also, the site requires the client machine to accept a certificate and then uses https after it verifies that the client IP addresses have corresponding A and PTR records. After that, the users are required to use usernames and passwords.

Correct Answer
mhellman Wed, 08/20/2008 - 05:21
User Badges:
  • Blue, 1500 points or more

That's really interesting. Given the other controls, the DNS games seem a bit superfluous. I suppose they've documented this as now having 2-factor auth ;-)
