[dns-operations] I must have fallen asleep Was: You live in a dump, Quoyle!

Eric Germann ekgermann at semperen.com
Mon Feb 21 18:35:43 UTC 2022


Just a quick note. For both IPv4 and IPv6 you can define specific reverse names for an IP address in AWS. It started specifically for those running mail servers. 

Ekg 

> On Feb 21, 2022, at 12:21, Fred Morris <m3047 at m3047.net> wrote:
> 
> PTR records are a big elephant and they tell us a lot about what happens
> when organizational realities meet aspiration: what this all comes down
> to is finding levers of control over service access.
> 
> Mark Delaney has been working on what I will call "service control",
> wherein some own device (a "client") contacts a service and said service
> is trying to authenticate the client based on the indicators at its
> disposal, one of which is the client's address and a PTR record is one
> such artifact (along with TXT records, client SSL certs, other
> authentication tokens, etc.). The records Mark is creating are intended
> for consumption outside of the own network's sphere of control: they're
> generated/defined on the own network and queried for elsewhere.
> 
> My area of concern is the own network, primarily "access control". It
> implicitly starts with a DNS lookup because that is how the own network
> client enumerates and identifies the services it wishes to contact. The
> client is seldom utilizing artifacts at this level to authenticate the
> service; it is of little concern to the client, however it is of concern
> to me studying the overall integrity of the own network. The records I
> am creating are intended for consumption within the network's sphere of
> control: they're generated based on data returned from elsewhere for
> queries originating on the own network.
> 
> 
> While I wasn't paying attention, the pace of consolidation has only
> increased. At this point in time, if I do an organic reverse (PTR)
> lookup for an address observed from my own / SOHO network the odds are
> better than even that the returned value will resolve to a name under
> amazonaws.com if it resolves at all; about 70% of addresses (Derrida
> "don't") resolve to one of the top five infrastructure players (taking
> those unresolvable queries into account, Cloudflare and Fastly aren't
> big on PTR records).
> 
> The positive news in this state of affairs is that the overwhelming
> majority of network connections (still) start with a DNS lookup and
> synthetic PTR records can be generated. As a defender you might not like
> what you see, but at least you can observe when you're trying to make
> rational decisions regarding what's on fire or might catch fire.
> 
> Here's a writeup:
> https://github.com/m3047/rear_view_rpz/blob/main/utilities/PTR_Recs_Useless.md
> 
> The actual "shape of things" is obviously going to depend on what the
> network is utilized for. Is anybody else looking at this?
> 
> 
> Thanks in advance...
> 
> --
> 
> Fred Morris
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
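The "synthetic PTR" idea in the quoted post, as an added example that is not code from rear_view_rpz or from either poster: forward answers seen by the own network's resolver are turned into reverse records, so that an address with no organic PTR (the Cloudflare/Fastly case) still maps back to the name a client asked for. The answer tuples are constructed sample data, CNAME chains are collapsed onto the address so the PTR names the queried name as well as the CDN label, and the owner-name/TTL layout of the emitted zone lines is an assumption; how rear_view_rpz itself lays out its zone is not shown on this page.

```python
"""Synthesize PTR records from A/AAAA answers observed on the own network.

Added example; not code from rear_view_rpz. The answers below are constructed
and the emitted record layout is an assumption for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of (owner, rrtype, rdata) answers a resolver returned.
OBSERVED = [
    ("www.example.com.", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("d111111abcdef8.cloudfront.net.", "A", "198.51.100.7"),
    ("api.example.net.", "A", "192.0.2.10"),
    ("api.example.net.", "AAAA", "2001:db8::10"),
    ("cdn.example.org.", "A", "198.51.100.7"),      # second name, same address
    ("bogus.example.org.", "A", "not-an-address"),   # malformed rdata, skipped
]


def alias_map(answers):
    """Map each CNAME target to the set of owner names that alias it."""
    aliases = defaultdict(set)
    for owner, rrtype, rdata in answers:
        if rrtype == "CNAME":
            aliases[rdata.lower()].add(owner.lower())
    return aliases


def names_for(owner, aliases):
    """Return owner plus every name reaching it through a CNAME chain.

    The visited set guards against CNAME loops in broken or hostile data.
    """
    seen, stack = set(), [owner.lower()]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(aliases.get(name, ()))
    return seen


def synthesize_ptr(answers):
    """Return {reverse owner name: sorted forward names} for each A/AAAA
    answer whose rdata parses as an IPv4 or IPv6 address.

    ipaddress.reverse_pointer yields the in-addr.arpa / ip6.arpa owner
    without a trailing dot; IPv6 is nibble-reversed correctly by it.
    """
    aliases = alias_map(answers)
    ptr = defaultdict(set)
    for owner, rrtype, rdata in answers:
        if rrtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed rdata: log it in production, skip it here
        ptr[addr.reverse_pointer].update(names_for(owner, aliases))
    return {rev: sorted(names) for rev, names in ptr.items()}


def render_zone(ptr, ttl=300):
    """Emit one PTR line per (address, name) pair in zone-file syntax.

    An address that several names resolve to gets several PTR records, which
    is what a defender wants to see when deciding what is on fire.
    """
    lines = []
    for rev in sorted(ptr):
        for name in ptr[rev]:
            lines.append(f"{rev}. {ttl} IN PTR {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_zone(synthesize_ptr(OBSERVED))))
```

Feeding this from a real resolver means tapping its answer stream (query logs, dnstap, or a passive capture) instead of the constructed list; the resulting zone is only ever as complete as the lookups the own network actually made, which is the point of the quoted post.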