
For my web app, I hardcode reverse DNS detection for common web crawlers. To detect them I use their reverse DNS, which I always check for whether it includes, e.g., google.com. My questions would be:

  • Can this be a possible security flaw, because a subsubdomain could be just named googlebot.com.malicious.bot?
  • Can the Reverse DNS be spoofed using IP spoofing?
  • In case of yes to the previous question, how can I check that it was legit? Do I need to implement code to ping that IP or something?
  • "I hardcode a reverse DNS detection for common web crawlers." You then implicitly suppose that PTR records exist for any IP hitting you... except that this is far from the case. Outside of email needs, PTR records are mostly useless and hence not used. You cannot expect any given IP address (v4 or v6) to have any kind of PTR record. Alternatively, good search engines do provide lists of the IP addresses they come from, and also have a proper User-Agent field that you can match. Commented Nov 24, 2021 at 18:29
  • @PatrickMevzek User-Agent can be easily spoofed
    – Munchkin
    Commented Nov 25, 2021 at 9:00
  • As can PTR records: first if you don't have DNSSEC, second, as Steffen said, the owner of it can point to google.com as it wants... Commented Nov 25, 2021 at 16:34

1 Answer

One cannot trust a reverse DNS lookup. Somebody managing the PTR record for their IP address can provide any name in the reverse DNS lookup, including domains which belong to somebody else, like google.com.

If security decisions should be made based on the domain name, one needs to do a forward-confirmed reverse DNS lookup, i.e. also check that the domain claimed in the PTR record resolves back to the expected IP address.

And of course, security checks against a domain should never be a simple sub-string match. It should either be an exact match or make sure that the given domain is a subdomain of the expected domain, i.e. with expected example.com:

 example.com -> good, exact match
 example.com.org -> wrong, totally different domain
 foobar-example.com -> wrong, totally different domain
 foobar.example.com -> good, subdomain
  • I changed the logic to check the ending of the string from the rDNS lookup. I do fail to find the procedure needed to do frcDNS; do I just resolve the PTR record again and compare it to the first result, or how?
    – Munchkin
    Commented Nov 24, 2021 at 12:07
  • @Munchkin: Reverse DNS is going from IP address to domain via the PTR record. Forward-confirming is going from the domain returned by PTR to the IP address, i.e. doing an A/AAAA DNS lookup, and then checking if the address used for PTR is in the set of addresses returned by A/AAAA. Just doing PTR twice does not help at all. Commented Nov 24, 2021 at 13:51
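As an added example (not code from the answer or any commenter), the forward-confirmed reverse DNS check described above in Python, together with the label-wise subdomain match from the answer. The resolver calls are injectable so the constructed sample records below run offline; by default the standard library's socket resolver is used.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

def is_within_domain(name: str, expected: str) -> bool:
    """Exact or label-wise subdomain match (never a substring match)."""
    n, e = name.rstrip(".").lower(), expected.rstrip(".").lower()
    return n == e or n.endswith("." + e)

def system_ptr(ip: str) -> List[str]:
    """PTR lookup via the system resolver; most IPs have none, so [] is normal."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return []

def system_forward(name: str) -> List[str]:
    """A/AAAA lookup via the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns_verify(ip: str, trusted_domains: Iterable[str],
                  ptr_lookup: Callable[[str], List[str]] = system_ptr,
                  forward_lookup: Callable[[str], List[str]] = system_forward) -> Optional[str]:
    """Confirmed hostname if a PTR name under a trusted domain resolves back to ip, else None."""
    addr = ipaddress.ip_address(ip)
    domains = list(trusted_domains)
    for name in ptr_lookup(str(addr)):
        if not any(is_within_domain(name, d) for d in domains):
            continue  # PTR names something we don't trust; ignore it
        # Forward confirmation: the claimed name must resolve back to the same address
        if addr in {ipaddress.ip_address(a) for a in forward_lookup(name)}:
            return name.rstrip(".").lower()
    return None  # unconfirmed: treat as an ordinary, untrusted client

# Constructed sample records standing in for the resolver (not real DNS data).
FAKE_PTR = {
    "192.0.2.10": ["crawl-1.example.com."],           # honest crawler: forward confirms
    "198.51.100.7": ["googlebot.com.malicious.bot"],  # substring trick from the question
    "203.0.113.5": ["crawl-2.example.com."],          # forged PTR: forward disagrees
}
FAKE_FWD = {"crawl-1.example.com.": ["192.0.2.10"], "crawl-2.example.com.": ["192.0.2.99"]}

def check_sample(ip: str) -> Optional[str]:
    """Run the check against the constructed records instead of live DNS."""
    return fcrdns_verify(ip, ["example.com", "googlebot.com"],
                         lambda i: FAKE_PTR.get(i, []), lambda n: FAKE_FWD.get(n, []))
```

Only a hostname returned by fcrdns_verify should drive a crawler-specific decision; a None result means the client gets no special treatment.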
