Cisco Support Community
New Member

Reverse DNS lookup

General question for anyone and everyone:

Why would a website perform a forward and reverse lookup on the requesting client's IP address before allowing that client to access the website itself?

1 ACCEPTED SOLUTION

Gold

Re: Reverse DNS lookup

That's really interesting. Given the other controls, the DNS games seem a bit superfluous. I suppose they've documented this as now having 2-factor auth ;-)

7 REPLIES

Re: Reverse DNS lookup

Hi Yu-Cheng,

One reason is that a web server can use this information for access control.

Hope that helps.

-Mike

Re: Reverse DNS lookup

It is considered a 'security' measure by some, to verify the IP >> DNS and DNS >> IP mapping. However, not everybody agrees:

http://homepages.tesco.net/J.deBoynePollard/FGA/dns-avoid-double-reverse.html

It's especially overkill for web servers; this is done by SMTP servers, though, to thwart spam (and it makes sense there).

Regards

Farrukh

Gold

Re: Reverse DNS lookup

Do you mean a reverse lookup on the IP and then a forward lookup on the resulting hostname? We could probably provide more information if you gave us more. What site/app? In certain [niche] situations (i.e. web apps that are not necessarily designed for broad public Internet use), it might be useful as a security control.

I am struggling to come up with a strong use case though. I think the main requirement for this to be [marginally] useful is DNS control over the domain you're wanting to allow access from. Let's say you have an arrangement with an ISP to provide "home office" Internet access to employees across the country/globe. You don't want to concern yourself with the network addressing used by the ISP. Your requirement could be simply that the ISP set up all home office IP addresses to have matching PTR and A records, and that all A records point to the same particular domain. So, when you get a connection you do a PTR lookup. The resulting hostname must be part of said particular domain, and then you do an A record lookup on that hostname. The IP address must match.

Seems like a lot of work for not a lot of gain though, and it certainly is no substitute for real authentication/authorization.
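The PTR-then-A procedure described in the reply above (and the "IP >> DNS and DNS >> IP" check mentioned earlier in the thread), as an added example that is not part of the original thread: a forward-confirmed reverse DNS gate in Python. The zone table, the 203.0.113.0/24 and 2001:db8:: addresses, the staff.example.net domain and every hostname are constructed for the example; the SystemResolver class uses only the standard library for real lookups but is not exercised offline.

```python
import ipaddress
import socket


class FakeResolver:
    """Offline stand-in for DNS, built from a constructed zone table (invented data)."""

    def __init__(self, ptr_records, address_records):
        # reverse name (e.g. "10.113.0.203.in-addr.arpa") -> list of PTR targets
        self._ptr = ptr_records
        # hostname -> list of A/AAAA address strings
        self._addr = address_records

    def ptr(self, ip):
        return list(self._ptr.get(ipaddress.ip_address(ip).reverse_pointer, []))

    def addresses(self, name):
        return list(self._addr.get(name.lower(), []))


class SystemResolver:
    """Same interface, backed by the host's stub resolver (does network lookups)."""

    def ptr(self, ip):
        try:
            host, _aliases, _addrs = socket.gethostbyaddr(ip)
        except socket.herror:
            return []
        return [host]

    def addresses(self, name):
        try:
            return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
        except socket.gaierror:
            return []


def fcrdns_allowed(client_ip, allowed_domain, resolver):
    """Forward-confirmed reverse DNS gate as the reply describes:
       1. PTR lookup on the client IP
       2. the hostname must lie inside allowed_domain
       3. A/AAAA lookup on that hostname must contain the client IP
    Returns (allowed, reason)."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "not an IP address"
    suffix = "." + allowed_domain.lower().rstrip(".")
    hosts = [h.lower().rstrip(".") for h in resolver.ptr(str(ip))]
    if not hosts:
        return False, "no PTR record"
    # Whoever runs the reverse zone for the client's address block chooses the PTR,
    # so a hostname outside our domain proves nothing and is skipped.
    in_domain = [h for h in hosts if h.endswith(suffix)]
    if not in_domain:
        return False, "PTR hostname(s) outside " + allowed_domain
    for host in in_domain:
        forward = set()
        for a in resolver.addresses(host):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:
                continue
        # The forward zone is ours: an attacker can point their PTR at our domain
        # but cannot make our A record answer with their address.
        if ip in forward:
            return True, f"{host} confirms {ip}"
    return False, "no in-domain PTR hostname resolves back to " + str(ip)


def _rev(ip):
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed zone data for the demo (not real records).
DEMO = FakeResolver(
    ptr_records={
        _rev("203.0.113.10"): ["homeoffice-10.staff.example.net."],
        _rev("203.0.113.11"): ["homeoffice-11.staff.example.net."],  # stale A record
        _rev("203.0.113.12"): ["vpn.staff.example.net."],           # attacker-chosen PTR
        _rev("203.0.113.14"): ["dsl-14.isp.example."],              # outside our domain
        _rev("2001:db8::1"): ["home-v6.staff.example.net."],
    },
    address_records={
        "homeoffice-10.staff.example.net": ["203.0.113.10"],
        "homeoffice-11.staff.example.net": ["203.0.113.99"],
        "vpn.staff.example.net": ["203.0.113.10"],
        "home-v6.staff.example.net": ["2001:db8::1"],
    },
)


def demo(resolver=DEMO, domain="staff.example.net"):
    """Run the gate over the constructed clients; returns {client: (allowed, reason)}."""
    clients = ["203.0.113.10", "203.0.113.11", "203.0.113.12",
               "203.0.113.13", "203.0.113.14", "2001:db8::1", "not-an-ip"]
    return {c: fcrdns_allowed(c, domain, resolver) for c in clients}


if __name__ == "__main__":
    for client, (ok, why) in demo().items():
        print(f"{client:16} {'ALLOW' if ok else 'DENY '} {why}")
```

The check only ties a connection's source address to a name you control; as the rest of the thread says, it does nothing for a client that is in the path or that can otherwise present one of the listed addresses, so it belongs in front of real authentication, not in place of it.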

New Member

Re: Reverse DNS lookup

It is a lot of work, and it seems that the administrators of this site are using this as a substitute for real authentication/authorization. The site is indeed designed only for the employees and/or members of the organization via the Internet. The only way users can access the site is if the IP addresses of their machines have both an A and a PTR record that point back to those same IP addresses. This is marginally beneficial from a security standpoint, as those IP addresses can be easily spoofed, at which point the A and PTR records will serve no use from a security standpoint.

Gold

Re: Reverse DNS lookup

Unless you are "in the path", I believe that IP address spoofing for the purpose of hijacking a TCP session is non-trivial on a modern OS with good random sequencing. Throw TLS into the mix and session hijacking is even harder.

Depending on the application (e.g. low risk), it might be a risk appropriate control.

New Member

Re: Reverse DNS lookup

Agreed. Also, the site requires the client machine to accept a certificate and then uses HTTPS after it verifies that the client IP addresses have corresponding A and PTR records. After which, the users are required to use usernames and passwords.
