John Hardin wrote:
While shit has happened too many times, I don't see why a browser would
do PTR lookup when given an IP.
If security settings are defined by the server's hostname or domain name
you'd kinda have to, or else say that all numeric-IP URLs are inherently
untrustworthy.
In that case, though, they *should* re-check the DNS of the hostname
that's been kicked back.
123.30.74.2 -> localhost -> 127.0.0.1 = mismatch
Assuming, of course, that (a) the DNS server being used doesn't do
something stupid like assume that the PTR result is symmetric, and (b)
the client has the sense to do that verification step.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
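
The verification step discussed in the message above (take the PTR result, resolve that name forward again, and compare with the original address), written out as an added example that is not part of the original e-mail. The function names and the `192.0.2.10` record are constructed for illustration; the resolvers are injectable so the sample data runs offline.

```python
import ipaddress
import socket

def ptr_names(ip):
    """Reverse (PTR) lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def forward_addrs(name):
    """Forward (A/AAAA) lookup through the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def confirmed_names(ip, reverse=ptr_names, forward=forward_addrs):
    """Return only the PTR names whose forward lookup contains the original IP.

    A PTR record is controlled by whoever owns the reverse zone for the
    address, so a name is trusted only if its own forward records agree.
    """
    want = ipaddress.ip_address(ip)
    confirmed = []
    for name in reverse(ip):
        addrs = set()
        for a in forward(name):
            try:
                addrs.add(ipaddress.ip_address(a.split("%")[0]))  # drop IPv6 scope id
            except ValueError:
                continue
        if want in addrs:
            confirmed.append(name.rstrip(".").lower())
    return confirmed

# Constructed sample data: the first entry is the mismatch from the message,
# the second is a made-up host whose forward and reverse records agree.
SAMPLE_PTR = {"123.30.74.2": ["localhost"], "192.0.2.10": ["www.example.test."]}
SAMPLE_A = {"localhost": ["127.0.0.1"],
            "www.example.test.": ["192.0.2.10", "192.0.2.11"]}

def demo():
    rev = lambda ip: SAMPLE_PTR.get(ip, [])
    fwd = lambda name: SAMPLE_A.get(name, [])
    return {ip: confirmed_names(ip, rev, fwd) for ip in SAMPLE_PTR}

if __name__ == "__main__":
    print(demo())
```

A client that keys security settings on the hostname would use only the names this returns and treat an empty list as "no trustworthy name for this address".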