nslookup from WinNT machine

Kevin Darcy kcd at daimlerchrysler.com
Sat Jun 2 02:28:06 UTC 2001


pelln at icke-reklam.ipsec.nu.invalid wrote:

> Joseph S D Yao <jsdy at cospo.osis.gov> wrote:
>
> > On Tue, May 29, 2001 at 05:14:53PM -0400, Kevin Darcy wrote:
> >> 2) Newbies seem to always have problems comprehending the weirdo "reverse the
> >> octets and append in-addr.arpa" syntax of reverse records, let alone
> >> classless delegation a la RFC 2317.
>
> > This seems to be the most valid problem that has been raised.  The
> > other problem raised was that people misuse them - but people are very
> > resourceful, and can misuse ANYTHING.
>
> > I think reverse lookups are helpful, albeit not sufficiently reliable
> > to build a complete security infrastructure on.  ;-)
>
> > In a perfect world, we could all trust each other with reason.  In a
> > slightly less perfect world, we could all trust each other because we
> > were all using DNSsec.  I don't remember reading anywhere that we had
> > reached even that level of perfection.  ;-)
>
> One of the points using PTR is that they create one way of reaching
> "the net admin" at the site that one needs to contact.
>
> If one level is missing one will get the SOA of the ISP, which usually
> is helpful when dealing with intrusion attempts.
>
> If the PTR exists one will get a clue about the intruder at once.
>
> The lack of PTR is especially obvious when a storm of hackers start
> working from a region where PTR is absent from APNIC and downwards, then
> there is very little possibilities to reach any admin. ( and APNIC has no
> whois only a webserver using funny characters :-(

But netblock WHOIS, when implemented properly, is much better for this kind of
thing. A reverse lookup will just get you the FQDN (and therefore by implication
the registered domain) of *one* of the names which happens to point to the address.
There could be several different names, in different domains, all pointing to that
same address, but the reverse lookup will typically only get you one of them. If
this is a hosting and/or colocation situation, the administrator of the forward
domain may have very little to do with the organization which actually controls the
netblock. Netblock WHOIS, on the other hand, tells you the netblock containing the
address, and the contact information for that netblock. If some RIRs don't
implement netblock WHOIS very well, then maybe the solution is to push them to do a
better job. Overall, it seems a more productive enterprise to get a handful of RIRs
to improve their netblock WHOIS than to try to get many thousands of DNS admins at
various levels of competence to do reverse DNS properly.


- Kevin
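
Added example, not part of the original message or of BIND: a short Python sketch of the reverse-name syntax and RFC 2317 classless delegation discussed in this thread, plus the parent reverse zones whose SOA one would query when a PTR is missing. The addresses are documentation-range samples and the name server `ns.customer.example.` is a hypothetical placeholder.

```python
import ipaddress

def reverse_name(addr: str) -> str:
    """PTR owner name: reverse the octets and append in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def soa_candidates(addr: str) -> list[str]:
    """Parent reverse zones to query for an SOA when no PTR exists,
    most specific first (/24, then /16, then /8 boundaries)."""
    labels = reverse_name(addr).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, 4)]

def rfc2317_records(subnet: str, ns: str = "ns.customer.example.") -> list[str]:
    """Parent-zone records delegating a block smaller than a /24, in the
    style of RFC 2317: one NS for the "first/prefixlen" child zone, then
    a CNAME per host address pointing into that child zone.
    The default name server is a hypothetical placeholder."""
    net = ipaddress.IPv4Network(subnet)
    if not 24 < net.prefixlen < 31:
        raise ValueError("RFC 2317 style delegation applies to /25 through /30")
    # Parent zone is the enclosing /24 reverse zone.
    parent = reverse_name(str(net.network_address)).split(".", 1)[1]
    first = int(net.network_address) & 0xFF
    child = f"{first}/{net.prefixlen}.{parent}"
    records = [f"{child} IN NS {ns}"]
    for host in net.hosts():
        last = int(host) & 0xFF
        records.append(f"{last}.{parent} IN CNAME {last}.{child}")
    return records

if __name__ == "__main__":
    # Constructed sample inputs from the 192.0.2.0/24 documentation range.
    print(reverse_name("192.0.2.5"))
    print(soa_candidates("192.0.2.5"))
    for line in rfc2317_records("192.0.2.64/26")[:3]:
        print(line)
```

The PTR owner name and the SOA candidates identify only whoever runs the reverse zone; as the message above argues, the netblock contact still comes from the RIR's WHOIS, not from DNS.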



