>Suppose someone intent on no good set a packet generator of some sort to firing
>lots of DNS replies with the responsible nameserver's source address and
>containing spoofed information, both PTR and A, at the target machine? Chances
>seem good that the spoof DNS replies would get in there before the real reply
>just when the target machine tried to do the lookups, and then access would be
>granted to the spoofer's client address...
It's fairly obvious and it's been done. This is one reason
we recommend not using DNS-based information for determining how
you will deal with a node. I.e., use IP addresses only.
IP addresses are doubtless always going to be spoofable too,
but as you point out, it's pretty easy to spoof DNS by stuffing a
nameserver -- make 'em work for it. IP spoofing takes a higher
degree of expertise and access (I believe).
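As an added illustration (not code from either poster), the following Python simulates the two access-control policies under discussion: a hostname-based check that does a PTR lookup and forward-confirms it with an A lookup, and an address-only check. The resolver is a stand-in whose "cache" holds whichever replies arrived first; the hostnames and the RFC 5737 addresses are constructed for the example. It shows that forward-confirming the reverse name does not help when, as the quoted message describes, the spoofer forges both the PTR and the A reply, while the address-only check is unaffected by anything in DNS:

```python
import ipaddress

# Constructed example data (RFC 5737 documentation ranges, hypothetical names).
TRUSTED_HOSTS = {"trusted.example.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

TRUSTED_IP = "192.0.2.10"     # the real trusted.example.org
ATTACKER_IP = "203.0.113.7"   # the spoofer's client address


class StubResolver:
    """Stand-in for a stub resolver: it returns whatever answers reached its cache
    first.  With an honest cache those are the real records; with a poisoned cache
    they are the attacker's forged PTR and A replies."""

    def __init__(self, ptr, a):
        self.ptr = dict(ptr)                           # address -> hostname  (PTR)
        self.a = {k: set(v) for k, v in a.items()}     # hostname -> addresses (A)

    def ptr_lookup(self, ip):
        return self.ptr.get(ip)

    def a_lookup(self, name):
        return self.a.get(name, set())


HONEST = StubResolver(
    ptr={TRUSTED_IP: "trusted.example.org", ATTACKER_IP: "host7.attacker.example"},
    a={"trusted.example.org": {TRUSTED_IP}, "host7.attacker.example": {ATTACKER_IP}},
)

# Forged replies won the race for both lookups the target makes, so the cache now
# says the attacker's address is trusted.example.org and that name maps back to it.
POISONED = StubResolver(
    ptr={TRUSTED_IP: "trusted.example.org", ATTACKER_IP: "trusted.example.org"},
    a={"trusted.example.org": {TRUSTED_IP, ATTACKER_IP}},
)


def allow_by_hostname(resolver, client_ip):
    """Hostname-based check: reverse-lookup the peer, require a trusted name, and
    forward-confirm it (the name's A records must include the peer address)."""
    name = resolver.ptr_lookup(client_ip)
    if name is None or name not in TRUSTED_HOSTS:
        return False
    return client_ip in resolver.a_lookup(name)


def allow_by_address(client_ip):
    """Address-based check: the decision never consults DNS at all."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETS)


def decisions(resolver, client_ip):
    """Both policies' verdicts for one peer, given the resolver's current cache."""
    return {
        "by_hostname": allow_by_hostname(resolver, client_ip),
        "by_address": allow_by_address(client_ip),
    }


if __name__ == "__main__":
    for label, res in (("honest cache", HONEST), ("poisoned cache", POISONED)):
        for ip in (TRUSTED_IP, ATTACKER_IP):
            print(f"{label:15s} {ip:13s} {decisions(res, ip)}")
```

With the poisoned cache the hostname policy admits the attacker's address, and the address-only policy still refuses it; to get past the second policy the attacker would have to spoof the IP address itself, which is the higher bar the reply refers to.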