Reverse DNS lookup

yuchenglai
Level 1

General question for anyone and everyone:

Why would a website perform a forward and reverse lookup on the requesting client's IP address before allowing that client to access the website itself?


7 Replies

Hi Yu-Cheng,

One reason is that a web server can use this information for access control.

Hope that helps.

-Mike

Farrukh Haroon
VIP Alumni

It is considered a 'security' measure by some, to verify the IP >> DNS and DNS >> IP mapping. However, not everybody agrees:

http://homepages.tesco.net/J.deBoynePollard/FGA/dns-avoid-double-reverse.html

It's especially overkill for web servers; this is done by SMTP servers, though, to thwart spam (and it makes sense there too).

Regards

Farrukh

mhellman
Level 7

Do you mean a reverse lookup on the IP and then a forward lookup on the resulting hostname? We could probably provide more information if you gave us more. What site/app? In certain [niche] situations (i.e. web apps that are not necessarily designed for broad public Internet use), it might be useful as a security control.

I am struggling to come up with a strong use case though. I think the main requirement for this to be [marginally] useful is DNS control over the domain you're wanting to allow access from. Let's say you have an arrangement with an ISP to provide "home office" Internet access to employees across the country/globe. You don't want to concern yourself with the network addressing used by the ISP. Your requirement could be simply that the ISP set up all home office IP addresses to have matching PTR and A records, and that all A records point to the same particular domain. So, when you get a connection you do a PTR lookup. The resulting hostname must be part of said particular domain, and then you do an A record lookup on that hostname. The IP address must match.

Seems like a lot of work for not a lot of gain though, and it certainly is not a substitute for real authentication/authorization.
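The PTR-then-A gate described in the post above, written out as an added example (not code from the thread or from any of the posters). The zone data is constructed for an offline demo: the domain homeoffice.example.net, the hostnames, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all hypothetical, and the `live_ptr`/`live_a` helpers that use the system resolver are only shown for completeness. The check passes only when some PTR name for the client lies under the allowed domain and that name's A records include the client's address; a missing PTR, a PTR in a foreign zone, or an A record pointing elsewhere all fail.

```python
"""Forward-confirmed reverse DNS (FCrDNS) gate for a client IP address."""
import ipaddress
import socket

# Constructed sample zone data (hypothetical; RFC 5737 documentation ranges).
PTR_TABLE = {
    "203.0.113.10": ["ho-10.homeoffice.example.net."],               # clean match
    "203.0.113.11": ["ho-11.homeoffice.example.net."],               # A record points elsewhere
    "203.0.113.12": ["ho-12.attacker.example."],                     # PTR outside the allowed domain
    "203.0.113.13": ["vpn-13.homeoffice.example.net.",
                     "ho-13.homeoffice.example.net."],               # several PTRs, only one confirms
    # 203.0.113.14 deliberately has no PTR record at all
}
A_TABLE = {
    "ho-10.homeoffice.example.net.": ["203.0.113.10"],
    "ho-11.homeoffice.example.net.": ["198.51.100.7"],
    "ho-12.attacker.example.": ["203.0.113.12"],
    "vpn-13.homeoffice.example.net.": ["203.0.113.99"],
    "ho-13.homeoffice.example.net.": ["203.0.113.20", "203.0.113.13"],
}


def table_ptr(ip):
    """PTR lookup against the constructed table (offline demo)."""
    return PTR_TABLE.get(ip, [])


def table_a(name):
    """A lookup against the constructed table (offline demo)."""
    return A_TABLE.get(name, [])


def live_ptr(ip):
    """PTR lookup via the system resolver; not used by the offline demo."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [host] + list(aliases)


def live_a(name):
    """A lookup via the system resolver; not used by the offline demo."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except OSError:
        return []
    return addrs


def canonical(name):
    """Lower-case, fully qualified form with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def fcrdns_allow(client_ip, allowed_domain, ptr_lookup=table_ptr, a_lookup=table_a):
    """Return (allowed, reason).

    allowed is True only if some PTR name for client_ip is under allowed_domain
    AND that name's A records include client_ip (forward confirmation).
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "not an IP address"
    ip = str(addr)

    names = ptr_lookup(ip)
    if not names:
        return False, "no PTR record"

    suffix = "." + canonical(allowed_domain)          # e.g. ".homeoffice.example.net."
    for raw in names:
        name = canonical(raw)
        if not name.endswith(suffix):
            continue                                  # PTR lives in someone else's zone
        forward = {str(ipaddress.ip_address(a)) for a in a_lookup(name)}
        if ip in forward:
            return True, name                         # reverse and forward agree
    return False, "no forward-confirmed name under " + allowed_domain


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13", "203.0.113.14"):
        print(ip, fcrdns_allow(ip, "homeoffice.example.net"))
```

To run this against real DNS, pass `ptr_lookup=live_ptr, a_lookup=live_a`. Note what the check actually establishes: whoever controls the reverse zone for the client's netblock also controls the forward zone for the allowed domain. It says nothing about who is sitting at the client, which is why the post calls it no substitute for authentication.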

It is a lot of work, and it seems that the administrators of this site are using this as a substitute for real authentication/authorization. The site is indeed designed only for the employees and/or members of the organization via the Internet. The only way users can access the site is if the IP addresses of their machines have both an A and a PTR record that point back to those same IP addresses. This is marginally beneficial from a security standpoint, as those IP addresses can be easily spoofed, at which point the A and PTR records will serve no use from a security standpoint.

Unless you are "in the path", I believe that IP address spoofing for the purpose of hijacking a TCP session is non-trivial on a modern OS with good random sequencing. Throw TLS into the mix and session hijacking is even harder.

Depending on the application (e.g. low risk), it might be a risk appropriate control.

Agreed. Also, the site requires the client machine to accept a certificate and then uses HTTPS after it verifies that the client IP addresses have corresponding A and PTR records. After which, the users are required to use usernames and passwords.

That's really interesting. Given the other controls, the DNS games seem a bit superfluous. I suppose they've documented this as now having 2-factor auth ;-)
