[37539] in North American Network Operators' Group
Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
daemon@ATHENA.MIT.EDU (Pyda Srisuresh)
Tue May 15 12:07:13 2001
Message-ID: <20010515160234.60660.qmail@web13808.mail.yahoo.com>
Date: Tue, 15 May 2001 09:02:34 -0700 (PDT)
From: Pyda Srisuresh <srisuresh@yahoo.com>
To: Valdis.Kletnieks@vt.edu, Adam McKenna <adam@flounder.net>
Cc: nanog@nanog.org
In-Reply-To: <200105151418.f4FEItT13083@foo-bar-baz.cc.vt.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: owner-nanog-outgoing@merit.edu
--- Valdis.Kletnieks@vt.edu wrote:
> On Mon, 14 May 2001 23:18:09 PDT, Adam McKenna <adam@flounder.net> said:
> > It does hurt. It causes non-obvious problems. Forcing hostnames and PTRs
> > to match (commonly referred to as PARANOID checking) does not provide extra
> > security, it just prevents people with badly configured DNS from accessing
> > your servers.
>
> I once did a similar check in a Sendmail configuration, and found it to be
> incredibly useful in reducing the spam load without significantly impacting
> actual traffic.
>
> There's a second-order effect here - the sort of clueless ISP that is unable
> to get a PTR entry correct is *ALSO* the sort of clueless ISP that is very
> likely unable to detect/eliminate hacker/spammer/etc nests in their address
> space.
>
> You of course need to be sure that your *own* DNS is rock-solid and up to
> date (although our departmental network liaisons that maintain their zones
> have learned that Things Will Not Work if they don't do it right ;). You
> also need to apply the usual skepticism for results - there *could* be a
> temporary outage, for instance.
>
Forcing hostnames and PTRs to match will also prevent people from NAT
land accessing your servers. There are hardly any NAT implementations
that do dynamic DNS updates.
> It's *NOT* a security measure to deploy by itself. It's however useful as
> Yet Another Part of a Complete and Balanced Security Breakfast... ;)
>
Only if you consider keeping up-to-date PTR records and dynamic DNS updates
a security measure.
> --
> Valdis Kletnieks
> Operating Systems Analyst
> Virginia Tech
>
>
cheers,
suresh
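The forward-confirmed reverse DNS check the thread argues about, as an added example that is not from any of the posters: it looks up the PTR for the client address, then the A records of each returned name, and keeps an authoritative "no PTR" separate from a resolver failure so that Valdis' "temporary outage" case is deferred rather than rejected. The resolver is replaced by constructed fake zone data on documentation prefixes; `fcrdns`, `smtp_reply` and the `fake_*` names are assumptions of this example.

```python
from enum import Enum

class Verdict(Enum):
    MATCH = "match"        # a PTR name resolves back to the client address
    MISMATCH = "mismatch"  # PTR exists but none of its A records is the client
    NO_PTR = "no_ptr"      # authoritative "no such name": the PTR is missing
    TEMPFAIL = "tempfail"  # SERVFAIL or timeout: proves nothing, retry later

class DnsTempFail(Exception): pass  # resolver could not answer (SERVFAIL, timeout)
class DnsNoData(Exception): pass    # authoritative negative answer (NXDOMAIN/NODATA)

def fcrdns(ip, ptr_lookup, a_lookup):
    """Forward-confirm the reverse mapping of ip: PTR name(s), then A of each name."""
    try:
        names = list(ptr_lookup(ip))
    except DnsNoData:
        return Verdict.NO_PTR, None
    except DnsTempFail:
        return Verdict.TEMPFAIL, None
    for name in names:
        try:
            if ip in set(a_lookup(name)):
                return Verdict.MATCH, name
        except DnsNoData:
            continue  # dangling PTR: try any remaining names before giving up
        except DnsTempFail:
            return Verdict.TEMPFAIL, name
    return Verdict.MISMATCH, (names[0] if names else None)

def smtp_reply(verdict):
    """Accept on MATCH, reject on NO_PTR/MISMATCH, defer (4xx) on TEMPFAIL."""
    if verdict is Verdict.MATCH:
        return 250
    return 450 if verdict is Verdict.TEMPFAIL else 550

# Constructed fake zone data (RFC 5737 documentation prefixes) standing in for a
# resolver; a stored exception class models the negative or failed answer.
FAKE_PTR = {"192.0.2.10": ["mail.example.net."], "192.0.2.20": ["host.example.org."],
            "192.0.2.30": DnsNoData, "192.0.2.40": DnsTempFail,
            "192.0.2.50": ["gone.example.net."]}
FAKE_A = {"mail.example.net.": ["192.0.2.10"], "host.example.org.": ["198.51.100.5"]}

def fake_lookup(table):
    def lookup(key):
        rec = table.get(key, DnsNoData)
        if isinstance(rec, type):  # an exception class: raise it as the answer
            raise rec(key)
        return rec
    return lookup

fake_ptr, fake_a = fake_lookup(FAKE_PTR), fake_lookup(FAKE_A)
```

Run `fcrdns("192.0.2.40", fake_ptr, fake_a)` to see the deferral path: the resolver failure yields TEMPFAIL and a 450, not a 550.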