DNS host mapping

Ken Hornstein kenh at cmf.nrl.navy.mil
Sun Oct 17 13:48:23 EDT 2021


>I own the domain 3c58.com (which is routable
>on the Internet, so I named the local machine Level10.3c58.com.  I'd like
>kerberos to create tickets for that machine, but I have run out of ideas on
>how to get that to happen under present circumstances.  Is there some way
>to convince Kerberos to look at the hosts file on windows or somehow tap
>the router's domain name server?  Is this behavior a bug or intended
>security behavior?

There are a couple of details here that matter.

- Which Kerberos implementation you are using
- Which APPLICATIONS you are using
- How it is configured
- The reverse DNS records

Let's say you're using MIT Kerberos.  Again, details matter here.  What
is the implementation of the Kerberos KDC?  If it is a Unix-based
KDC, you should have access to the logs.

_Depending on how you have things configured_, the client side Kerberos
implementation may just try to canonicalize the name based on the
forward DNS, _or_ it may also try the reverse DNS.  At least for MIT
Kerberos, it calls the standard operating system calls to perform those
DNS lookups.  But again the details matter; those MAY consult the local
host file, or they may not.  Your best bet is to look at the KDC logs to
determine what name it is trying to look up, and go from there.

--Ken
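To make the "it depends on configuration" point concrete, here is an added model (not MIT Kerberos code, and not from the original post) of how a client picks the host name it puts into the host/ service principal. The forward/reverse records, the 192.0.2.10 address, the ISP-style PTR name and the realm EXAMPLE.REALM are all constructed; the option names mirror the MIT krb5.conf [libdefaults] settings dns_canonicalize_hostname and rdns.

```python
"""Model of how an MIT-style Kerberos client turns a typed host name into
the host/<name>@REALM principal it asks the KDC for.  Added illustration,
not MIT Kerberos code; the resolver tables below are constructed."""
from dataclasses import dataclass, field


@dataclass
class FakeResolver:
    """Constructed stand-in for the OS resolver (getaddrinfo/getnameinfo)."""
    forward: dict = field(default_factory=dict)  # name -> (canonical name, address)
    reverse: dict = field(default_factory=dict)  # address -> PTR name

    def getaddrinfo(self, name):
        return self.forward.get(name.lower())

    def getnameinfo(self, addr):
        return self.reverse.get(addr)


def canonicalize_host(name, resolver, dns_canonicalize=True, rdns=True):
    """Return the host part a client would use in host/<...>.
    dns_canonicalize and rdns stand for the krb5.conf [libdefaults]
    settings dns_canonicalize_hostname and rdns (both default to true)."""
    name = name.rstrip(".").lower()
    if not dns_canonicalize:
        return name                       # no DNS consulted at all
    fwd = resolver.getaddrinfo(name)
    if fwd is None:
        return name                       # forward lookup failed: use as typed
    canonical, addr = fwd
    if rdns:
        ptr = resolver.getnameinfo(addr)
        if ptr:
            return ptr.rstrip(".").lower()  # reverse record wins over forward
    return canonical.rstrip(".").lower()


def service_principal(name, realm, resolver, **opts):
    return f"host/{canonicalize_host(name, resolver, **opts)}@{realm}"


# Constructed records: the forward zone knows the host, but the reverse
# zone for its address still carries a generic provider-assigned name.
RESOLVER = FakeResolver(
    forward={"level10.3c58.com": ("level10.3c58.com", "192.0.2.10")},
    reverse={"192.0.2.10": "static-192-0-2-10.example-isp.net"},
)

if __name__ == "__main__":
    for opts in ({}, {"rdns": False}, {"dns_canonicalize": False}):
        print(opts, service_principal("Level10.3c58.com", "EXAMPLE.REALM", RESOLVER, **opts))
```

With the defaults the client asks for a principal named after the PTR record, which is the name to look for in the KDC log; with rdns = false it asks for host/level10.3c58.com instead.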
