[37533] in North American Network Operators' Group


Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue May 15 10:30:00 2001

Message-Id: <200105151418.f4FEItT13083@foo-bar-baz.cc.vt.edu>
To: Adam McKenna <adam@flounder.net>
Cc: nanog@nanog.org
In-Reply-To: Your message of "Mon, 14 May 2001 23:18:09 PDT."
             <20010514231809.L26145@flounder.net> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-588971015P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Tue, 15 May 2001 10:18:55 -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, 14 May 2001 23:18:09 PDT, Adam McKenna <adam@flounder.net>  said:
> It does hurt.  It causes non-obvious problems.  Forcing hostnames and PTRs
> to match (commonly referred to as PARANOID checking) does not provide extra
> security, it just prevents people with badly configured DNS from accessing
> your servers.

I once did a similar check in a Sendmail configuration, and found it to be
incredibly useful in reducing the spam load without significantly impacting
actual traffic.

There's a second-order effect here - the sort of clueless ISP that is unable
to get a PTR entry correct is *ALSO* the sort of clueless ISP that is very
likely unable to detect/eliminate hacker/spammer/etc nests in their address
space.

You of course need to be sure that your *own* DNS is rock-solid and up to
date (although our departmental network liaisons that maintain their zones
have learned that Things Will Not Work if they don't do it right ;).  You
also need to apply the usual skepticism for results - there *could* be a
temporary outage, for instance.

It's *NOT* a security measure to deploy by itself.  It's however useful as
Yet Another Part of a Complete and Balanced Security Breakfast... ;)

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
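An added illustration, not code from the thread, of the forward-confirmed reverse DNS ("PARANOID") check under discussion, with the temporary-outage caveat Valdis raises handled as its own outcome so a deployment can defer rather than reject. The sample zones and the `sample_ptr`/`sample_a` resolver functions are constructed; a real deployment would swap in the system resolver.

```python
from ipaddress import ip_address

# Outcomes: only MISMATCH and NO_PTR are grounds to reject; TEMPFAIL
# should defer (SMTP 4xx) because the zone may simply be down right now.
MATCH, MISMATCH, NO_PTR, TEMPFAIL = "match", "mismatch", "no_ptr", "tempfail"

class DnsTempFail(Exception):
    """Raised by a resolver on SERVFAIL/timeout, never on NXDOMAIN."""

def paranoid_check(ip, ptr_lookup, addr_lookup):
    """Forward-confirmed reverse DNS: IP -> PTR names -> A/AAAA, and the
    answers must contain the original IP.  Returns (outcome, name|None).
    ptr_lookup(ip) / addr_lookup(name) return lists (empty on NXDOMAIN)
    and raise DnsTempFail on temporary errors."""
    client = ip_address(ip)
    try:
        names = ptr_lookup(ip)
    except DnsTempFail:
        return TEMPFAIL, None
    if not names:
        return NO_PTR, None
    deferred = False
    for name in names:
        try:
            addrs = addr_lookup(name)
        except DnsTempFail:
            deferred = True          # this name might still have matched
            continue
        if any(ip_address(a) == client for a in addrs):
            return MATCH, name.rstrip(".").lower()
    return (TEMPFAIL, None) if deferred else (MISMATCH, None)

# Constructed sample zones (hypothetical, not from the thread) so the
# check runs offline; a real deployment plugs in the system resolver.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.net."],     # consistent
              "192.0.2.20": ["spoofed.example.org."],  # forward disagrees
              "192.0.2.30": [],                        # no PTR
              "192.0.2.40": ["flaky.example.com."]}    # forward zone down
SAMPLE_A = {"mail.example.net.": ["192.0.2.10", "2001:db8::10"],
            "spoofed.example.org.": ["198.51.100.7"]}

def sample_ptr(ip):
    if ip == "192.0.2.50":
        raise DnsTempFail        # reverse zone temporarily unreachable
    return SAMPLE_PTR.get(ip, [])

def sample_a(name):
    if name == "flaky.example.com.":
        raise DnsTempFail
    return SAMPLE_A.get(name, [])
```

Mapping TEMPFAIL to a deferral and only MISMATCH/NO_PTR to a rejection is what keeps the check from turning a transient DNS outage into a hard bounce.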
