[101768] in North American Network Operators' Group
Re: request for help w/ ATT and terminology
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Jan 17 17:47:32 2008
Date: Thu, 17 Jan 2008 22:42:15 +0000
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Valdis.Kletnieks@vt.edu
Cc: Joe Greco <jgreco@ns.sol.net>, michael.dillon@bt.com, nanog@merit.edu
In-Reply-To: <10934.1200609330@turing-police.cc.vt.edu>
Errors-To: owner-nanog@merit.edu
On Thu, 17 Jan 2008 17:35:30 -0500
Valdis.Kletnieks@vt.edu wrote:
> On Thu, 17 Jan 2008 21:29:37 GMT, "Steven M. Bellovin" said:
>
> > You don't always want to rely on the DNS for things like firewalls
> > and ACLs. DNS responses can be spoofed, the servers may not be
> > available, etc. (For some reason, I'm assuming that DNSsec isn't
> > being used...)
>
> Been there, done that, plus enough other "stupid DNS tricks" and
> "stupid /etc/host tricks" to get me a fair supply of stories best
> told over a pitcher of Guinness down at the Underground..
I prefer nice, hoppy ales to Guinness, but either works for stories..
>
> *Choosing* to hardcode rather than use DNS is one thing. *Having* to
> hardcode because the gear is "too stupid" (as Joe Greco put it) is
> however "Caveat emptor" no matter how you slice it...
>
Mostly. I could make a strong case that some security gear shouldn't
let you do the wrong thing. (OTOH, my preferred interface would do the
DNS look-up at config time, and ask you to confirm the retrieved
addresses.) You can even do that look-up on a protected net in some
cases.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
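The config-time look-up with operator confirmation that Bellovin sketches above, as an added illustration (this is not code from the thread or from any product; `Rule`, `resolve_rules`, `render_acl`, `check_drift` and the `CONSTRUCTED_ZONE` answers are all assumed names and constructed sample data). Hostnames are resolved once while the rule set is built, the retrieved addresses are shown to the operator for confirmation, and the emitted ACL carries only literal addresses, so nothing at enforcement time depends on a DNS answer. A later re-resolution only reports drift between the confirmed set and the current answer; it never rewrites the ACL by itself.

```python
"""Resolve firewall-rule hostnames at config time, confirm, and emit static entries."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    hostname: str
    port: int
    action: str = "permit"


@dataclass
class ResolvedRule:
    hostname: str
    port: int
    action: str
    addresses: List[str]   # the set the operator confirmed, sorted


# Constructed sample zone (documentation prefixes), used instead of the live DNS.
CONSTRUCTED_ZONE = {
    "mail.example.net": ["192.0.2.10", "2001:db8::10"],
    "ntp.example.net": ["192.0.2.20"],
}


def constructed_resolver(hostname: str) -> List[str]:
    """Offline stand-in for the OS resolver; returns the constructed answers."""
    return sorted(CONSTRUCTED_ZONE.get(hostname, []))


def system_resolver(hostname: str) -> List[str]:
    """Real look-up through the OS resolver (used outside tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def resolve_rules(rules: List[Rule],
                  resolver: Callable[[str], List[str]],
                  confirm: Callable[[str, List[str]], bool]) -> List[ResolvedRule]:
    """Resolve each hostname once and require the operator to confirm the answer.

    An empty answer or a declined confirmation aborts the build: an ACL must
    never be silently emitted with no address or with an unreviewed address.
    """
    resolved = []
    for rule in rules:
        addrs = resolver(rule.hostname)
        if not addrs:
            raise ValueError(f"{rule.hostname}: no addresses returned, refusing an empty rule")
        for a in addrs:
            ipaddress.ip_address(a)   # reject anything that is not a literal address
        if not confirm(rule.hostname, addrs):
            raise ValueError(f"{rule.hostname}: operator declined {addrs}")
        resolved.append(ResolvedRule(rule.hostname, rule.port, rule.action, list(addrs)))
    return resolved


def render_acl(resolved: List[ResolvedRule]) -> List[str]:
    """Emit one literal-address entry per confirmed address; the hostname stays as a comment."""
    lines = []
    for r in resolved:
        for a in r.addresses:
            proto = "ipv6" if ipaddress.ip_address(a).version == 6 else "ip"
            lines.append(f"{r.action} {proto} host {a} port {r.port}  # {r.hostname}")
    return lines


def check_drift(resolved: List[ResolvedRule],
                resolver: Callable[[str], List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Re-resolve later and report hostnames whose answer no longer matches the confirmed set."""
    report = {}
    for r in resolved:
        now, then = set(resolver(r.hostname)), set(r.addresses)
        if now != then:
            report[r.hostname] = {"added": sorted(now - then), "removed": sorted(then - now)}
    return report


def interactive_confirm(hostname: str, addrs: List[str]) -> bool:
    """Show the retrieved addresses and ask the operator to confirm them."""
    print(f"{hostname} resolved to {', '.join(addrs)}")
    return input("Accept these addresses? [y/N] ").strip().lower() == "y"


if __name__ == "__main__":
    rules = [Rule("mail.example.net", 25), Rule("ntp.example.net", 123)]
    built = resolve_rules(rules, constructed_resolver, interactive_confirm)
    for line in render_acl(built):
        print(line)
```

The confirmation callback is the only interactive point; in a build pipeline it can be replaced by a check against a previously confirmed set, so that an unchanged answer passes and a changed one stops the build for review.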