Multiple domains pointed to the same IP

Barry Margolin barmar at bbnplanet.com
Thu Dec 9 18:54:41 UTC 1999


In article <3852c87b.92669241 at news.gulfcoast.net>,
Jeff Cochran <naplesweb at gulfcoast.net> wrote:
>What about systems that check the reverse DNS to allow access, for FTP
>for example?  If I have two domains:

There shouldn't be a problem with this.  The server will perform a reverse
lookup, which will return one name.  It will then perform a forward lookup
of that name, get back the original address, and allow the access.  How
would it even notice that there's some other name whose forward lookup also
produces that address?

>foo.bar.com  192.1.2.3
>foo.bar.net  192.1.2.3
>
>but it would be the same 2.1.192.in-addr.arpa file with:
>
>192.1.2.3  foo.bar.com
>
>I would assume a reverse from foo.bar.net would go to foo.bar.com,
>correct?

Reverse starts with an address, not a name.  So foo.bar.net will never be
seen in the above process.

If you're talking about a hosts.allow file, you need to put foo.bar.com in
the file, since that's what the reverse lookup will return.  In most
software that uses a file like hosts.allow, the software performs a reverse
lookup and then compares against the file, it doesn't perform a forward
lookup of the names in the file.  This is to allow wildcards in the file;
if there were a *.bar.com entry in hosts.allow, it would not be possible to
do a forward lookup and get all the possible addresses (many DNS servers do
not allow random clients to perform zone transfers, which is what is needed
to implement a wildcard).

>How about if the foo.bar.net entry was a CNAME to foo.bar.com?  Would
>this correct the situation since the reverse would show foo.bar.com
>with an alias of foo.bar.net?

I recommend using CNAME records rather than multiple A records whenever
feasible.  It avoids problems like this.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
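The lookup sequence described above (PTR lookup, then a forward lookup of the returned name to confirm it points back at the original address) and the hosts.allow-style matching that only ever sees the single PTR name can be modelled in a few lines. The following is an added example, not code from the thread or from any BIND or tcp_wrappers source; the FORWARD and REVERSE tables are constructed toy data standing in for real zones, and the function names are my own. Note that with two A records and one PTR, foo.bar.net never appears in the process, exactly as the reply states, and that the forward confirmation step is what stops a PTR that merely claims a name under bar.com from matching a `*.bar.com` wildcard.

```python
import fnmatch
import ipaddress

# Constructed toy DNS data (not real zones): forward records keyed by owner
# name, PTR records keyed by address. Assumed for this example only.
FORWARD = {
    "foo.bar.com": {"A": ["192.1.2.3"]},
    "foo.bar.net": {"A": ["192.1.2.3"]},        # second name, same address
    "alias.bar.net": {"CNAME": "foo.bar.com"},  # the CNAME variant from the thread
    "other.example": {"A": ["10.9.9.9"]},
}
REVERSE = {
    "192.1.2.3": "foo.bar.com",   # the one PTR record for the shared address
    "10.9.9.9": "spoof.bar.com",  # PTR names a host whose A record does not point back
}


def ptr_name(ip):
    """Owner name of the PTR record for an address, e.g. 3.2.1.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def resolve_a(name, depth=0):
    """Forward lookup that follows CNAME chains (bounded so a loop cannot recurse forever)."""
    if depth > 8:
        return []
    rec = FORWARD.get(name.lower())
    if rec is None:
        return []
    if "CNAME" in rec:
        return resolve_a(rec["CNAME"], depth + 1)
    return list(rec.get("A", []))


def reverse_lookup(ip):
    """PTR lookup: one address maps to one name (or nothing)."""
    return REVERSE.get(str(ipaddress.ip_address(ip)))


def confirmed_reverse_name(ip):
    """Forward-confirmed reverse DNS: the PTR name is accepted only if a forward
    lookup of that name returns the address we started from."""
    name = reverse_lookup(ip)
    if name is None:
        return None
    addr = str(ipaddress.ip_address(ip))
    return name if addr in resolve_a(name) else None


def hosts_allow_permits(ip, patterns, confirm=True):
    """hosts.allow-style decision: take the client's PTR name (forward-confirmed
    when confirm=True) and match it against the listed patterns, which may hold
    wildcards such as *.bar.com. The names in the file are never forward-resolved,
    so a second name for the same address (foo.bar.net here) never matches."""
    name = confirmed_reverse_name(ip) if confirm else reverse_lookup(ip)
    if name is None:
        return False
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


if __name__ == "__main__":
    print(ptr_name("192.1.2.3"))                                  # 3.2.1.192.in-addr.arpa
    print(confirmed_reverse_name("192.1.2.3"))                    # foo.bar.com
    print(hosts_allow_permits("192.1.2.3", ["foo.bar.net"]))      # False: never seen
    print(hosts_allow_permits("192.1.2.3", ["*.bar.com"]))        # True
    print(hosts_allow_permits("10.9.9.9", ["*.bar.com"]))         # False: PTR not confirmed
    print(hosts_allow_permits("10.9.9.9", ["*.bar.com"], False))  # True: unconfirmed PTR matches
```

The last two calls show why the forward-confirmation step matters for an access list keyed on reverse names: without it, whoever controls the in-addr.arpa zone for an address controls the name that is compared against the wildcard.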