[dns-operations] I must have fallen asleep Was: You live in a dump, Quoyle!

Fred Morris m3047 at m3047.net
Mon Feb 21 17:15:35 UTC 2022


PTR records are a big elephant and they tell us a lot about what happens
when organizational realities meet aspiration: what this all comes down
to is finding levers of control over service access.

Mark Delaney has been working on what I will call "service control",
wherein some own device (a "client") contacts a service and said service
is trying to authenticate the client based on the indicators at its
disposal, one of which is the client's address and a PTR record is one
such artifact (along with TXT records, client SSL certs, other
authentication tokens, etc.). The records Mark is creating are intended
for consumption outside of the own network's sphere of control: they're
generated/defined on the own network and queried for elsewhere.

My area of concern is the own network, primarily "access control". It
implicitly starts with a DNS lookup because that is how the own network
client enumerates and identifies the services it wishes to contact. The
client is seldom utilizing artifacts at this level to authenticate the
service; it is of little concern to the client, however it is of concern
to me studying the overall integrity of the own network. The records I
am creating are intended for consumption within the network's sphere of
control: they're generated based on data returned from elsewhere for
queries originating on the own network.


While I wasn't paying attention, the pace of consolidation has only
increased. At this point in time, if I do an organic reverse (PTR)
lookup for an address observed from my own / SOHO network the odds are
better than even that the returned value will resolve to a name under
amazonaws.com if it resolves at all; about 70% of addresses (Derrida
"don't") resolve to one of the top five infrastructure players (taking
those unresolvable queries into account, Cloudflare and Fastly aren't
big on PTR records).

The positive news in this state of affairs is that the overwhelming
majority of network connections (still) start with a DNS lookup and
synthetic PTR records can be generated. As a defender you might not like
what you see, but at least you can observe when you're trying to make
rational decisions regarding what's on fire or might catch fire.

Here's a writeup:
https://github.com/m3047/rear_view_rpz/blob/main/utilities/PTR_Recs_Useless.md

The actual "shape of things" is obviously going to depend on what the
network is utilized for. Is anybody else looking at this?


Thanks in advance...

--

Fred Morris
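
The synthetic PTR idea from the message above, as an added example (not code from the post or from the rear_view_rpz project): observed forward answers are inverted into address-to-name records and set beside the organic PTR result. The sample names, documentation-range addresses, the "most frequently queried name wins" rule and the one-entry suffix list are assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed observations: (name the client queried, address it was given).
OBSERVED = [
    ("www.example.com", "192.0.2.10"),
    ("api.example.net", "192.0.2.10"),
    ("www.example.com", "192.0.2.10"),
    ("cdn.example.org", "198.51.100.7"),
    ("mail.example.com", "2001:db8::25"),
]
# Constructed organic PTR answers for the same addresses (None = no PTR).
ORGANIC = {
    "192.0.2.10": "ec2-192-0-2-10.compute-1.amazonaws.com",
    "198.51.100.7": None,
    "2001:db8::25": "mail.example.com",
}
# Assumption: only the infrastructure suffix named in the post is listed.
INFRA_SUFFIXES = ("amazonaws.com",)

def synthetic_ptrs(observations):
    """Invert forward answers: address -> name most often queried for it."""
    seen = defaultdict(Counter)
    for qname, addr in observations:
        key = str(ipaddress.ip_address(addr))  # validates and normalises
        seen[key][qname.lower().rstrip(".")] += 1
    # Highest count wins; ties break alphabetically so output is stable.
    return {a: min(c, key=lambda n: (-c[n], n)) for a, c in seen.items()}

def zone_lines(ptrs):
    """Render the mapping as PTR records under in-addr.arpa / ip6.arpa."""
    return [f"{ipaddress.ip_address(a).reverse_pointer}. PTR {n}."
            for a, n in sorted(ptrs.items())]

def classify(organic):
    """Say what the organic PTR tells a defender about the address."""
    if organic is None:
        return "no-ptr"
    name = organic.lower().rstrip(".")
    if any(name == s or name.endswith("." + s) for s in INFRA_SUFFIXES):
        return "infrastructure"
    return "named"

def compare(ptrs, organic):
    """address -> (synthetic name, classification of the organic PTR)."""
    return {a: (n, classify(organic.get(a))) for a, n in ptrs.items()}

if __name__ == "__main__":
    ptrs = synthetic_ptrs(OBSERVED)
    print("\n".join(zone_lines(ptrs)))
    for addr, (name, kind) in sorted(compare(ptrs, ORGANIC).items()):
        print(addr, name, kind)
```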