mail filtering based on reverse DNS

Erik Kline ek at google.com
Thu Aug 11 11:32:40 CEST 2011


On 11 August 2011 18:18, Sander Steffann <sander at steffann.nl> wrote:
> Hi,
>
>> Certainly I and others have thought of writing our own auto-PTR
>> response generator for delegated reverse zones.  I see now that the
>> success of a PTR-verification scheme depends on ISPs *not* doing this
>> for every J. Random Customer.
>
> The more I think about it, the more I feel that auto-generating PTR records is not a wise thing to do. This is one example, filling the caches of DNS resolvers is another. Would it be a good idea to write a BCP on this subject?

Are you thinking of a recursive resolver DOS attack involving doing
PTR lookup through an auto-generated reverse space?  I.e. the
recursive resolver would overrun it's cache at some point?

I could see this happening, but it seems the right thing to do is to
defend against it by implementing LRU eviction policies,
rate-limiting, and other common mitigation techniques.  It seems such
an attack could be undertaken even today.  (besides, what about the
negative caching for PTRs that aren't there?)

Hmmm....



More information about the ipv6-ops mailing list