[101763] in North American Network Operators' Group
Re: request for help w/ ATT and terminology
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Jan 17 16:32:25 2008
Date: Thu, 17 Jan 2008 21:29:37 +0000
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Valdis.Kletnieks@vt.edu
Cc: Joe Greco <jgreco@ns.sol.net>, michael.dillon@bt.com, nanog@merit.edu
In-Reply-To: <3513.1200602724@turing-police.cc.vt.edu>
Errors-To: owner-nanog@merit.edu
On Thu, 17 Jan 2008 15:45:24 -0500
Valdis.Kletnieks@vt.edu wrote:
> On Thu, 17 Jan 2008 09:15:30 CST, Joe Greco said:
> > make this a killer. That could include things such as firewall
> > rules/ACL's, recursion DNS server addresses, VPN adapters, VoIP
> > equipment with stacks too stupid to do DNS, etc.
>
> I'll admit that fixing up /etc/resolv.conf and whatever the Windows
> equivalent is can be a pain - but for the rest of it, if you bought
> gear that's too stupid to do DNS, I have to agree with Leigh's
> comment: "Caveat emptor".
>
You don't always want to rely on the DNS for things like firewalls and
ACLs. DNS responses can be spoofed, the servers may not be available,
etc. (For some reason, I'm assuming that DNSsec isn't being used...)
--Steve Bellovin, http://www.cs.columbia.edu/~smb
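An added illustration, not part of this thread, of the two failure modes named above for name-based firewall rules: a tiny first-match ACL evaluator where a rule can be pinned to an address prefix or keyed on a hostname resolved through an injected resolver. The hostnames, addresses (RFC 5737 documentation ranges) and resolver behaviours are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed example: a hostname rule is only as good as the answer the
# resolver returns at evaluation time; a pinned prefix has no such dependency.

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR prefix ("192.0.2.0/24") or hostname ("admin.example")

# hostname -> IP text, or None when resolution fails (server unreachable, timeout)
Resolver = Callable[[str], Optional[str]]

def rule_matches(rule: Rule, src_ip: str, resolve: Resolver) -> Optional[bool]:
    """True/False for a match; None when the rule cannot be evaluated because
    the hostname it depends on could not be resolved."""
    try:
        net = ipaddress.ip_network(rule.src, strict=False)
    except ValueError:                       # not a prefix, treat as a hostname
        answer = resolve(rule.src)
        if answer is None:
            return None
        net = ipaddress.ip_network(answer)   # single host becomes a /32
    return ipaddress.ip_address(src_ip) in net

def evaluate(acl: List[Rule], src_ip: str, resolve: Resolver) -> str:
    """First-match ACL. An unevaluable rule fails closed (deny) instead of
    being silently skipped, which would let a later rule decide."""
    for rule in acl:
        matched = rule_matches(rule, src_ip, resolve)
        if matched is None:
            return "deny"
        if matched:
            return rule.action
    return "deny"

# Constructed sample ACLs: same intent, one pinned to an address, one by name.
ACL_PINNED = [Rule("allow", "192.0.2.10/32"), Rule("deny", "0.0.0.0/0")]
ACL_BY_NAME = [Rule("allow", "admin.example"), Rule("deny", "0.0.0.0/0")]

def honest_resolver(name: str) -> Optional[str]:
    return {"admin.example": "192.0.2.10"}.get(name)

def forged_resolver(name: str) -> Optional[str]:
    return "198.51.100.7"          # a spoofed answer pointing at the wrong host

def dead_resolver(name: str) -> Optional[str]:
    return None                    # DNS server not available
```

With the pinned rule the decision is identical under all three resolvers; with the name-based rule a forged answer admits the wrong host and an unreachable server locks out the legitimate one.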