I have read several posts indicating that reverse DNS lookup cannot be trusted, as someone can spoof DNS -- so when a rule is made that allows traffic based on DNS, it's possible to exploit.
However, it's not so easy to spoof an IP, correct? At least, I'm unaware of this.
If I know the specific subnet that the source should always be coming from, can I not use that in addition to DNS matching?
I'm using HAProxy, and believe I should be able to match the DNS and check whether the source is in subnet 99.99.99.9x, which would essentially look like:
if host is blah.mydns.com AND src is 99.99.99.9x --> ACCEPT
This would allow me to have the benefit of DNS flexibility -- no explicit IPs necessary to define, and new machines on my network -- and also assert that they came from a network I recognize.
I've also read about combining SSL certs with this to assert a proper source, which does sound like a good idea although I have trouble understanding how to integrate that with things like SSH forwarding and control.
This question may be redundant on this forum, but what I'm really looking for is some feedback on whether this is a good idea or a bad idea. No security solution is perfect, any exploiter can do anything given time and motivation -- but does this make attempts significantly harder?
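As an added example (not from the question or from the HAProxy project), here is how the "hostname AND source subnet" rule, plus the optional client-certificate check mentioned above, can be expressed as HAProxy ACLs. The subnet 99.99.99.0/24 stands in for the asker's 99.99.99.9x range, the hostname blah.mydns.com is taken from the question, and the certificate paths and backend address are placeholders. Note that the hostname part is matched on the HTTP Host header the client sends, which the client chooses freely; the source-address part is the one that is genuinely hard to forge, because the client has to complete a TCP and TLS handshake from that address.

```haproxy
# Added example, not the asker's configuration. Placeholders:
#   99.99.99.0/24                      - the trusted source subnet
#   /etc/haproxy/certs/site.pem        - server certificate + key
#   /etc/haproxy/certs/client-ca.pem   - CA that issued client certificates
#   10.0.0.10:8080                     - the protected backend

frontend app_in
    mode http
    # "verify optional" lets the handshake complete without a client cert so
    # the decision can be made (and logged) in the ACLs below.
    bind *:443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # 1. Source-address check: the strong part of the rule. A spoofed source
    #    address cannot complete the TCP/TLS session, so this cannot be
    #    satisfied by an attacker who merely controls DNS.
    acl from_trusted_net src 99.99.99.0/24

    # 2. Hostname check: this only reflects what the client claims in the
    #    Host header. Use it for routing, not as proof of identity.
    acl wants_app hdr(host) -i blah.mydns.com

    # 3. Client-certificate check: ssl_c_used is true when a cert was sent,
    #    ssl_c_verify is 0 when it chained to client-ca.pem.
    acl cert_presented ssl_c_used
    acl cert_valid     ssl_c_verify 0

    # Reject connections from outside the subnet before any HTTP parsing.
    tcp-request connection reject unless from_trusted_net

    # Then require the expected hostname AND a valid client certificate.
    http-request deny unless wants_app cert_presented cert_valid

    default_backend app_servers

backend app_servers
    mode http
    server app1 10.0.0.10:8080 check
```

The three conditions are deliberately layered from cheapest and strongest (source subnet, rejected at connection time) to weakest (Host header). If the subnet can be trusted, the certificate check is what turns "came from a network I recognize" into "is a specific machine I issued a credential to", which is the assurance DNS matching alone cannot give.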