next up previous
Next: Other DNS Woes Up: Network Layer Attacks Previous: Address based Access Control

What's your Name? Address to Name Mapping

There are various mechanisms for mapping addresses to host names and vice versa. The most important mechanism today is DNS, the Domain Name System. In local area networks there are other mechanisms, too, such as local files (the /etc/hosts file on Unix), directory services such as NIS or LDAP, and ad-hoc naming schemes that rely on the participating nodes simply broadcasting their names to the local network periodically.6.5

Which services are queried for hostname information, and in what order, is usually a matter of configuration by the system administrator,6.6 and is hidden from the application. A program wishing to look up the host name corresponding to an IP address calls the gethostbyaddr function, which does all the magic for you. Likewise, the function gethostbyname looks up the address(es) associated with a host name. (The protocol-independent replacements getnameinfo and getaddrinfo go through the same resolver configuration, so everything said below applies to them just as well.)

Now the big question in terms of security is of course: can you trust the results of this lookup? The trivial answer is that the information is no more reliable than whichever of the configured services happened to answer. For local files, the answer is most definitely yes; if you have to worry about Joe Random User messing with your /etc/hosts file, you're in real trouble anyway. A similar argument holds for local directory services such as NIS and LDAP. You had better trust your users not to mess with them; if you can't, you should not use them.6.7

This leaves us with DNS. Almost every host will be configured to look up host names via DNS, so your application will have to be prepared to deal with its insecurities.

DNS is a huge and fascinating topic, and you can easily fill several books describing all its intricate miracles, its byzantine number of knobs and dials, and its warts. You can also fill a relatively large number of pages with all the different and amusing techniques to break it, covering topics such as Fake PTR Records, Cache Poisoning, DNS Spoofing, etc. I am not going to discuss these attacks here; if you're interested in the details please refer to XXX: needref.

The bleak and depressing truth about DNS as it is today is that you cannot trust any DNS response unless you know it comes from a local, trusted DNS server, and even that server only relays (and caches) what it learned from servers elsewhere on the Internet. There are proposals and standards for a more secure DNS (DNSSEC, which involves lots of advanced crypto), but so far none of this has been deployed widely.

Consider the problem we're looking at: finding the host name for the IP address of a network client, say 192.168.4.4, and basing an access control decision on it. Roughly speaking, the administrator of the IP network 192.168.4.* can make the DNS return arbitrary host names for this address: scrooge.mcduck.com, whitehouse.gov or whatever he wants. That's because along with control over the IP network, he's usually given control over the portion of the DNS name space that maps all IP addresses within that network to host names (the reverse zone 4.168.192.in-addr.arpa, where he can put whatever name he likes into the PTR record for 192.168.4.4). This attack is called the fake pointer record attack, and its mechanics are explained in A.

Does that mean it's impossible to use host names for access control purposes? Yes and no. First, this attack has been known for several aeons, and there is a very simple but mostly effective fix for it. Even though an evil DNS admin can return arbitrary names for IP addresses under his control, that does not mean he can control what the DNS returns when asked for the addresses of those host names. In other words, he can configure his DNS server to return scrooge.mcduck.com when asked about the address 192.168.4.4. But when you ask the DNS about scrooge.mcduck.com, it will send you to the DNS servers authoritative for mcduck.com, which will continue to provide the real IP addresses for that name and no others. And most likely, 192.168.4.4 will not be one of them.

So the solution is to take the host name returned by the reverse lookup, do a forward lookup on it, and check whether the client's IP address shows up in the list of addresses associated with that name. If it doesn't, something's definitely fishy, and the name should not be trusted.6.8 Note what this does and does not buy you: the evil admin can still create a name in a domain he controls himself, point it at 192.168.4.4, and that name will pass the check; what he cannot do is make 192.168.4.4 pass as a host in a domain he does not control, which is what an access control list of host names relies on. Figure 6.1 shows how to do a ``safer'' reverse lookup using this approach.

Figure 6.1: A safer gethostbyaddr implementation.

    const char *
    safer_gethostbyaddr(struct in_addr ...
    ...! */
        ap++;
    }
    /* Not found, punt */
    return NULL;
    }

Note that the gethostbyaddr implementation in the GNU C library does perform the extra forward check described above if you set nospoof on in /etc/host.conf. However, your application had better not rely on this, because the administrator may choose to turn the check off (unaware that his security relies on it). In addition, this feature is probably not supported by any other platform, so all of a sudden your application would become totally insecure when ported to another platform!

XXX: This doesn't seem to be true for recent glibc versions anymore. check.
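As an added example, not the listing of Figure 6.1 nor any other code from the original text, here is a complete forward-confirmed reverse lookup in C that does the check itself instead of depending on nospoof in /etc/host.conf. The core routine takes the reverse (PTR) and forward (A) lookup functions as parameters, so it can be exercised offline against constructed zone data; the ptr_zone and a_zone tables, the names scrooge.mcduck.com and honest.example.org and every address in them are made up for this example (203.0.113.10 is a documentation address). The same routine is then shown wired to the system resolver through getnameinfo and getaddrinfo, which is how it would be used in a real program.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAX_ADDRS 16
#define HOSTBUF   256
/* Resolver hooks, so the check can run offline on canned data or on the real resolver. */
typedef const char *(*reverse_fn)(struct in_addr addr);                    /* PTR */
typedef int (*forward_fn)(const char *name, struct in_addr *out, int max); /* A */

/* Forward-confirmed reverse lookup. Returns 1 and copies the name into buf only if
 * the PTR name has an A record pointing back at addr; 0 on no PTR, no A, or mismatch. */
int safer_gethostbyaddr(struct in_addr addr, reverse_fn rev, forward_fn fwd,
                        char *buf, size_t buflen)
{
    struct in_addr addrs[MAX_ADDRS];
    const char *name = rev(addr);
    int n, i;

    if (name == NULL) return 0;                 /* no reverse mapping at all */
    n = fwd(name, addrs, MAX_ADDRS);            /* 0 if the name does not resolve */
    for (i = 0; i < n; i++)
        if (addrs[i].s_addr == addr.s_addr) {
            snprintf(buf, buflen, "%s", name);
            return 1;                           /* round trip checks out */
        }
    return 0;   /* fake PTR: the name's owner does not claim this address */
}

/* Constructed zone data (hypothetical). The reverse zone for 192.168.4.0/24 lies. */
struct rr { const char *key; const char *value; };
static const struct rr ptr_zone[] = {
    { "192.168.4.4", "scrooge.mcduck.com" },  /* fake PTR record */
    { "10.0.0.7",    "honest.example.org" },
    { "10.0.0.8",    "honest.example.org" },  /* multi-homed host */
};
static const struct rr a_zone[] = {           /* what the forward zones say */
    { "scrooge.mcduck.com", "203.0.113.10" },
    { "honest.example.org", "10.0.0.7" },
    { "honest.example.org", "10.0.0.8" },
};

static const char *canned_reverse(struct in_addr addr)
{
    char text[INET_ADDRSTRLEN]; size_t i;
    inet_ntop(AF_INET, &addr, text, sizeof text);
    for (i = 0; i < sizeof ptr_zone / sizeof ptr_zone[0]; i++)
        if (strcmp(ptr_zone[i].key, text) == 0)
            return ptr_zone[i].value;
    return NULL;
}

static int canned_forward(const char *name, struct in_addr *out, int max)
{
    size_t i; int n = 0;
    for (i = 0; i < sizeof a_zone / sizeof a_zone[0] && n < max; i++)
        if (strcmp(a_zone[i].key, name) == 0 &&
            inet_pton(AF_INET, a_zone[i].value, &out[n]) == 1)
            n++;
    return n;
}

/* Verified name for a dotted-quad address in the canned zones, or NULL. */
const char *canned_verified_name(const char *ip)
{
    static char buf[HOSTBUF];
    struct in_addr addr;
    if (inet_pton(AF_INET, ip, &addr) != 1) return NULL;
    return safer_gethostbyaddr(addr, canned_reverse, canned_forward,
                               buf, sizeof buf) ? buf : NULL;
}

/* The same hooks on the system resolver; use as
 * safer_gethostbyaddr(addr, real_reverse, real_forward, buf, sizeof buf). */
const char *real_reverse(struct in_addr addr)
{
    static char host[HOSTBUF];
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET; sin.sin_addr = addr;
    /* NI_NAMEREQD: fail instead of handing back the address as a string */
    return getnameinfo((struct sockaddr *)&sin, sizeof sin, host, sizeof host,
                       NULL, 0, NI_NAMEREQD) == 0 ? host : NULL;
}

int real_forward(const char *name, struct in_addr *out, int max)
{
    struct addrinfo hints, *res, *ai; int n = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0) return 0;
    for (ai = res; ai != NULL && n < max; ai = ai->ai_next)
        out[n++] = ((struct sockaddr_in *)ai->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return n;
}
```

With the canned zones, canned_verified_name("192.168.4.4") returns NULL because the forward lookup of scrooge.mcduck.com yields only 203.0.113.10, whereas 10.0.0.7 and 10.0.0.8 both come back confirmed as honest.example.org. Two design points matter in practice: any resolver failure (no PTR, unresolvable name) is treated as "no trustworthy name" rather than as an error to be retried, and the list of addresses is walked completely, since a legitimately multi-homed host will have several A records. Extending the check to IPv6 means passing AF_INET6 and comparing in6_addr values the same way.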


Olaf Kirch 2002-01-16