How the host's forward and backward DNS entries match in Java application makes it secure from DNS spoofing

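I am using Fortify, and it reports a vulnerability: an attacker can perform DNS spoofing when I try to get the host name in my Java application. I have a solution: matching the forward DNS and reverse DNS entries avoids this. But what is the use of it, and how do I implement it? I could not find that. Fortify shows the vulnerability on this line: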

Link for line

Fortify is showing a recommendation like this:


You can increase confidence in a domain name lookup if you check to make sure that the host's forward and backward DNS entries match. Attackers will not be able to spoof both the forward and the reverse DNS entries without controlling the nameservers for the target domain. This is not a foolproof approach however: attackers may be able to convince the domain registrar to turn over the domain to a malicious nameserver. Basing authentication on DNS entries is simply a risky proposition.




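    import java.net.InetAddress;

    final String hostname = "google.com";   // name the peer is expected to have
    final String ipAddress = "";            // IP address to verify (left blank here)
    // Reverse lookup: IP address -> host name
    final InetAddress byIpAddress = InetAddress.getByName(ipAddress);
    boolean reverseCheck = byIpAddress.getHostName().equalsIgnoreCase(hostname);
    // Forward lookup: host name -> IP address
    final InetAddress byHostName = InetAddress.getByName(hostname);
    boolean forwardCheck = byHostName.getHostAddress().equals(ipAddress);
    if (reverseCheck && forwardCheck) {
        // perform your logic
    }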
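The forward/reverse match that the Fortify recommendation describes, as an added example that is not part of the original post. It goes beyond the snippet above by accepting any of the addresses a name resolves to and by treating a missing reverse record as a failure. The class name, the `Resolver` interface, and the sample names and addresses are assumptions made for the illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Map;

public class FcrDnsCheck {
    /** Lookup seam so the check can run without live DNS (hypothetical interface). */
    interface Resolver {
        String reverse(InetAddress addr);                                // PTR lookup
        InetAddress[] forward(String name) throws UnknownHostException;  // A/AAAA lookup
    }

    /** Resolver backed by the JDK's own lookups. */
    static final Resolver SYSTEM = new Resolver() {
        public String reverse(InetAddress a) { return a.getCanonicalHostName(); }
        public InetAddress[] forward(String n) throws UnknownHostException {
            return InetAddress.getAllByName(n);
        }
    };

    /** Returns the confirmed host name for peer, or null when forward and reverse disagree. */
    static String confirmedName(InetAddress peer, Resolver dns) {
        String name = dns.reverse(peer);
        // No usable PTR record: the JDK hands back the textual IP instead of a name.
        if (name == null || name.equals(peer.getHostAddress())) return null;
        try {
            // A name may map to several addresses; the peer must be one of them.
            return Arrays.asList(dns.forward(name)).contains(peer) ? name : null;
        } catch (UnknownHostException e) {
            return null; // the PTR record names a host that does not resolve forward
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: documentation address ranges and a reserved domain.
        InetAddress good = InetAddress.getByName("192.0.2.10");
        InetAddress spoofed = InetAddress.getByName("198.51.100.7");
        // Both PTR records claim the same name; only one address is in the forward zone.
        Map<String, String> ptr = Map.of("192.0.2.10", "app.example.com",
                                         "198.51.100.7", "app.example.com");
        Resolver fake = new Resolver() {
            public String reverse(InetAddress a) { return ptr.get(a.getHostAddress()); }
            public InetAddress[] forward(String n) { return new InetAddress[] { good }; }
        };
        System.out.println("good peer    -> " + confirmedName(good, fake));
        System.out.println("spoofed peer -> " + confirmedName(spoofed, fake));
    }
}
```

Pass `FcrDnsCheck.SYSTEM` instead of the constructed resolver to run the same check against real DNS. As the recommendation says, a match raises confidence in the name but is not a basis for authentication.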