Kerberos authentication typically provides mutual authentication, meaning the server is authenticated to the client as well as the client to the server. Authenticating the server has taken on increasing importance in Internet security. Unfortunately, Kerberos's mutual authentication is gravely weakened when the client depends on insecure DNS to canonicalize the server hostname.
In release 1.12 we added the ability to set dns_canonicalize_hostname=False, which closes this loophole by preventing all DNS canonicalization. But it is not enabled by default and it imposes a convenience burden on users; they cannot even take advantage of the domain search path.
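The setting described above, as a krb5.conf fragment. This is an added illustration, not text from the original page or from the krb5 project's documentation; the realm name EXAMPLE.COM and the host name myhost are placeholders chosen for the example.

```ini
# krb5.conf fragment (added illustration; EXAMPLE.COM and myhost are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM

    # Default behaviour (the option is true unless set): before building the
    # service principal, the library asks DNS to canonicalize the server
    # hostname, so "myhost" may become host/myhost.example.com@EXAMPLE.COM,
    # or whatever name an untrusted resolver chooses to answer with.
    # dns_canonicalize_hostname = true

    # Mitigation from the text above: never consult DNS for the hostname.
    # The principal is built from the name as given, so "myhost" yields
    # host/myhost@EXAMPLE.COM; to reach host/myhost.example.com@EXAMPLE.COM
    # the user must type the fully-qualified name, because the resolver's
    # domain search path is no longer applied on the client's behalf.
    dns_canonicalize_hostname = false
```

The trade-off is the one the text names: with the option off, a short hostname can no longer be completed through the search path, so a mistyped or unqualified name simply fails to match the server's key rather than being silently rewritten by DNS.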
One approach to mitigating this problem is described here: