08-14-2008 04:48 AM - edited 03-09-2019 09:16 PM
General question for anyone and everyone:
Why would a website perform a forward and reverse lookup on the requesting client's IP address before allowing that client to access the website itself?
08-20-2008 05:21 AM
That's really interesting. Given the other controls, the DNS games seem a bit superfluous. I suppose they've documented this as now having 2-factor auth ;-)
08-15-2008 05:50 PM
Hi Yu-Cheng,
One reason is that a web server can use this information for access control.
Hope that helps.
-Mike
08-16-2008 12:49 PM
It is considered a 'security' measure by some. To verify the IP >> DNS and DNS >> IP mapping. However not everybody agrees:
http://homepages.tesco.net/J.deBoynePollard/FGA/dns-avoid-double-reverse.html
It's especially overkill for web servers; this is done by SMTP servers, though, to thwart spam (and makes sense there too).
Regards
Farrukh
08-18-2008 02:20 PM
Do you mean a reverse lookup on the IP and then a forward lookup on the resulting hostname? We could probably provide more information if you gave us more. What site/app? In certain [niche] situations (i.e. web apps that are not necessarily designed for broad public Internet use), it might be useful as a security control.
I am struggling to come up with a strong use case though. I think the main requirement for this to be [marginally] useful is DNS control over the domain you're wanting to allow access from. Let's say you have an arrangement with an ISP to provide "home office" Internet access to employees across the country/globe. You don't want to concern yourself with the network addressing used by the ISP. Your requirement could be simply that the ISP set up all home office IP addresses to have matching PTR and A records, and that all A records point to the same particular domain. So, when you get a connection you do a PTR lookup. The resulting hostname must be part of said particular domain, and then you do an A record lookup on that hostname. The IP address must match.
Seems like a lot of work for not a lot of gain though, and it certainly is not a substitute for real authentication/authorization.
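The PTR-then-A procedure described in the post above, written out as an added example (not code from this thread or from any vendor). The resolver lookups are injected as callables so the check can be exercised offline against the constructed zone tables below; the hostnames and RFC 5737 addresses are invented for illustration, and `allowed_domain` is the assumed name of the domain the ISP controls.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Resolver callables are injected so the check can run offline against the
# constructed tables below; in production they would wrap the system resolver.
PtrLookup = Callable[[str], str]                # ip -> PTR hostname, raises OSError if none
ForwardLookup = Callable[[str], Iterable[str]]  # hostname -> A/AAAA addresses


def fcrdns_allows(client_ip: str, allowed_domain: str,
                  ptr_lookup: PtrLookup, fwd_lookup: ForwardLookup) -> bool:
    """Forward-confirmed reverse DNS gate: the PTR must name a host under
    allowed_domain AND that host's forward records must contain client_ip.
    Any lookup failure fails closed (returns False)."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                     # not a parseable address
    try:
        hostname = ptr_lookup(str(ip)).rstrip(".").lower()
    except OSError:
        return False                     # no PTR record at all
    domain = allowed_domain.strip(".").lower()
    # Match on a label boundary: "ho-10.remote.example.net" passes,
    # a plain string suffix like "xremote.example.net" does not.
    if not (hostname == domain or hostname.endswith("." + domain)):
        return False
    try:
        forward = {ipaddress.ip_address(a) for a in fwd_lookup(hostname)}
    except (OSError, ValueError):
        return False
    return ip in forward


# Constructed sample zone data (documentation addresses), not real hosts.
PTR_TABLE = {
    "192.0.2.10": "ho-10.remote.example.net.",   # PTR and A agree -> allowed
    "192.0.2.11": "ho-11.remote.example.net.",   # A points elsewhere -> denied
    "198.51.100.5": "xremote.example.net.",      # suffix trick, outside domain
}
FWD_TABLE = {
    "ho-10.remote.example.net": ["192.0.2.10"],
    "ho-11.remote.example.net": ["203.0.113.7"],
    "xremote.example.net": ["198.51.100.5"],
}


def fake_ptr(ip: str) -> str:
    if ip not in PTR_TABLE:
        raise socket.herror(1, "no PTR record")   # same error gethostbyaddr raises
    return PTR_TABLE[ip]


def fake_fwd(hostname: str) -> list:
    return FWD_TABLE.get(hostname, [])
```

To use the real resolver, pass `lambda ip: socket.gethostbyaddr(ip)[0]` and `lambda h: [i[4][0] for i in socket.getaddrinfo(h, None)]` in place of the fakes; note the gate only proves that whoever controls the reverse zone for that address space cooperates, so it belongs alongside real authentication, not in place of it.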
08-19-2008 05:19 PM
It is a lot of work, and it seems that the administrators of this site are using this as a substitute for real authentication/authorization. The site is indeed designed for only the employees and/or members of the organization via the Internet. The only way users can access the site is if the IP addresses of their machines have both an A and a PTR record that point back to those same IP addresses. This is marginally beneficial from a security standpoint, as those IP addresses can be easily spoofed, at which point the A and PTR records will be of no use from a security standpoint.
08-20-2008 05:09 AM
Unless you are "in the path", I believe that IP address spoofing for the purpose of hijacking a TCP session is non-trivial on a modern OS with good random sequencing. Throw TLS into the mix and session hijacking is even harder.
Depending on the application (e.g. low risk), it might be a risk appropriate control.
08-20-2008 05:15 AM
Agreed. Also, the site requires the client machine to accept a certificate and then uses HTTPS after it verifies that the client IP addresses have corresponding A and PTR records. After which the users are required to use usernames and passwords.