You have sent a number of messages on this, and it seems unproductive to respond. However, I'll address this one.

First off, there are at least two ways to perform forward+reverse checking. I'm not sure you can see these as separate.

1) check that forward and reverse entries match, but don't check what the name actually is (this could be phrased as a "consistency check").

2) check that forward and reverse entries match, and the name is included in a list of names.

I agree that 1) appears to serve no security purpose. However, I think 2) is still useful as an additional security mechanism. Obviously, property 2) is not needed for those hosts which won't be used in this kind of manner, so your argument about www.arin.net does not hold for 2).

Inline..

On Tue, 22 Feb 2005, Dean Anderson wrote:
> > For example, lots of people have tcp wrappers configuration in their
> > SSHD, requiring that connection attempts come from host.example.com,
> > .example.net or whatever (forward+reverse check).  This is especially
> > useful when the server is at example.net, but has a couple of pinholes
> > to the world.
> >
> > In addition to that, there is a public key security or password
> > authentication.
>
> The illogic of this can't be ignored.
>
> If public key or password authentication are "in addition" to some
> security, then we can consider what security is left without 'public key
> or password'.  So let's do that: Well, this is exactly the bsd r-command
> EXPLOIT.  No security remains.

I'll assume you meant method 2) above.

I think this is an incorrect consideration. If reverse+forward matching to a specific hostname was done _after_ password or public key authentication, this might be closer to (but not quite) the truth.

However, applying a reverse+forward matching to a specific, configured hostname as the _first_ measure of check restricts the attackers to those which can control the particular reverse and forward trees, or spoof the DNS in a particular way.

This is certainly very useful. It'll prevent random script kiddies and port scanners (for example) from attacking a particular service.

It may not be 100% protection against the most determined crackers, but that's what the _additional_ protections are for.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
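The two checks the message distinguishes, worked through as an added example (not code from the thread or from tcp wrappers): method 1 only asks whether some PTR name of the client address resolves back to that address, while method 2 also requires the confirmed name to match a configured list, using the tcp-wrappers convention of an exact host or a leading-dot domain suffix. The reverse and forward trees below are constructed sample data held in dictionaries rather than live DNS lookups, so the example runs offline; the addresses and names are hypothetical. It shows the thread's point directly: a client whose operator controls both trees for its own address (203.0.113.7 here) passes the consistency check but not the allow-list check, and a PTR that merely claims a trusted name (198.51.100.5) is rejected by both once the forward tree fails to confirm it.

```python
"""Forward-confirmed reverse DNS checks over constructed DNS data.

Method 1 (consistency): some PTR name for the client IP resolves back to it.
Method 2 (allow-list): as method 1, and the confirmed name matches a
configured host or domain pattern.
All records below are constructed sample data, not real zone contents.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed reverse tree: IP -> PTR names (hypothetical values).
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["host.example.com"],
    # Operator of this netblock controls both trees for its own address.
    "203.0.113.7": ["rogue.attacker.example"],
    # PTR claims a trusted name, but the forward tree does not confirm it.
    "198.51.100.5": ["host.example.com"],
    # 192.0.2.99 has no reverse entry at all.
}

# Constructed forward tree: name -> A records (hypothetical values).
A_RECORDS: Dict[str, List[str]] = {
    "host.example.com": ["192.0.2.10"],
    "rogue.attacker.example": ["203.0.113.7"],
}


def confirmed_names(ip: str, ptr=PTR_RECORDS, a=A_RECORDS) -> List[str]:
    """Return the PTR names of `ip` whose A records include `ip`."""
    ipaddress.ip_address(ip)  # reject malformed input before any lookup
    return [
        name for name in ptr.get(ip, [])
        if ip in a.get(name.lower().rstrip("."), [])
    ]


def consistency_check(ip: str, ptr=PTR_RECORDS, a=A_RECORDS) -> bool:
    """Method 1: forward and reverse agree, whatever the name is."""
    return bool(confirmed_names(ip, ptr, a))


def name_matches(name: str, pattern: str) -> bool:
    """tcp-wrappers style match: exact host, or a leading-dot domain suffix."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return name.endswith(pattern)
    return name == pattern


def allowlist_check(ip: str, allowed: List[str],
                    ptr=PTR_RECORDS, a=A_RECORDS) -> Optional[str]:
    """Method 2: return the confirmed name matching the allow-list, else None."""
    for name in confirmed_names(ip, ptr, a):
        if any(name_matches(name, pat) for pat in allowed):
            return name
    return None


# Constructed allow-list in the style of the hosts.allow example in the thread.
ALLOWED = ["host.example.com", ".example.net"]

if __name__ == "__main__":
    for client in ["192.0.2.10", "203.0.113.7", "198.51.100.5", "192.0.2.99"]:
        print(client, consistency_check(client), allowlist_check(client, ALLOWED))
```

Run stand-alone, the loop prints one line per constructed client showing whether method 1 and method 2 accept it; only 192.0.2.10 passes both.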
dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html