"double reverse lookup" is not a security measure.

You've come to this page because you've said something similar to the following:

Servers can perform a "double-reverse" DNS lookup on the IP addresses of service clients that connect to them via TCP, for security. It is a requirement of the DNS that an address→name→address mapping yield the original IP address. Where this isn't the case, the published DNS data are wrong and the DNS administrator is incompetent. Double-reverse DNS lookup verifies that a client is known.

This is the Frequently Given Answer to such statements.

"Double reverse" lookup (mapping the IP address to a set of domain names, mapping those domain names to a set of IP addresses, and then comparing the result with the starting point) is not a security measure. It is a half-baked idea from the Half-Baked Ideas Brigade.

If you have a TCP-based service that is performing such address→name→address mappings in the name of security, disable it. It's wrong, and it will cause you grief.

The justification for this half-baked idea is simply false. The DNS doesn't operate in the manner claimed, such DNS data are perfectly legitimate, and it is the users of the half-baked idea, not the DNS administrators, that are at fault.

This half-baked idea doesn't allow one to prove the identities of service clients. The only thing that it actually proves is that those who use it don't know how the DNS operates.

This measure doesn't increase security at all.

The notion that security is somehow tighter with this check in place, is simply a false one. An attacker who is able to create a TCP connection to one's TCP-based service with a forged client IP address has, of necessity, more than enough access to foil this Half-Baked Idea.

An attacker who can create a TCP connection to a service with a forged client IP address either

Conversely, security based upon client IP addresses is enough to thwart an attacker who is incapable of forging DNS responses, because such an attacker will not have the capability for successfully creating a TCP connection with a forged client IP address, either.

Even were it not half-baked and conceptually flawed, this measure would be incredibly inefficient and a good weapon to hand to the malicious.

Setting aside the major conceptual flaws of the half-baked idea for the moment:

To perform the address→name→address mapping in the manner described by the Half-Baked Ideas Brigade members, one has to perform name→address lookups for all of the domain names obtained as the result of the address→name lookup.

At the time of writing this answer, the IP address maps to 139 different domain names. In order to perform a "double-reverse" DNS lookup on a client connecting from that IP address, a server would have to perform 140 separate DNS lookups. That's a huge amount of DNS traffic, incurred by the server at the point where the client has done no more than make a connection. (Luckily, in this particular case, because of what is probably a common error on the part of the DNS administrator concerned, described in RFC 1537 § 5, all of the domain names are under a common superdomain. If they weren't, the amount of DNS traffic would be considerably larger still.)

That's a considerable delay to incur between a client making a connection to the server and the server starting to provide actual service.

Moreover, and somewhat ironically, it's quite a hefty denial-of-service amplification tool to hand to malicious third parties. To orchestrate a concerted bandwidth consumption attack on an organisation's content DNS servers, an attacker need only make connections to a group of randomly selected servers, that employ this half-baked idea, from an IP address whose address→name→address lookup involves querying those content DNS servers a lot for some reason. (The attacker doesn't even need to make any use of the actual service.)

Double reverse lookup is not a form of client verification or identification.

The existence of a successful address→name→address mapping does not imply that the client with that IP address is somehow more "valid" than a client whose IP address cannot be so mapped. A client whose IP address cannot be mapped to a domain name, or whose IP address is not included in the result of a double-reverse DNS lookup, is not "unknown".

Mapping an IP address to a set of domain names does not cause one to "know" (in terms of security or validity) anything more about that IP address. One continues to know exactly the same as one knew to begin with. Mapping those domain names back to IP addresses doesn't cause one to "know" anything more about that IP address, either.

The DNS simply does not work this way.

The assertions about the way that the DNS operates, justifying this half-baked idea, are simply false. People who make these assertions have a wrong understanding of the DNS. There is nothing in the Internet standards for the DNS that supports these assertions.

© Copyright 2004,2009 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.