[45943] in North American Network Operators' Group


Re: Reverse DNS and SMTP

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Mar 1 09:17:43 2002

Message-Id: <200203011416.g21EGvWQ008385@foo-bar-baz.cc.vt.edu>
To: Mathias Koerber <mathias@koerber.org>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Fri, 01 Mar 2002 11:22:54 +0800."
             <DBEOICFJBNFIGNAHBGOCOEAMCBAA.mathias@koerber.org> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-43351939P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Fri, 01 Mar 2002 09:16:57 -0500
Errors-To: owner-nanog-outgoing@merit.edu


--==_Exmh_-43351939P
Content-Type: text/plain; charset=us-ascii

On Fri, 01 Mar 2002 11:22:54 +0800, Mathias Koerber <mathias@koerber.org>  said:

> You mean don't run reverse DNS? Having good reverse DNS is a requirement
> to allow things like tcp-wrappers to work with domainnames rather than
> just IP addresses.

Using domain names with tcp-wrappers has some hidden considerations that
95% of the people don't think through...

If you are getting a connection from an IP/name you *would* let in, but
the PTR entry fails on a timeout or whatever, you're rejecting a legitimate
connection.  Depending on your paranoia level, this may be acceptable.

If you allow in based on DNS name, you may accept a connection that you
should have rejected. The usual causes of this are DNS cache poisoning
and related attacks - and of course, these are most likely to happen in
conjunction with an attempted illegitimate connection.

It's probably an OK thing to do *IF* you realize that the DNS can be lied
to, and the connection has to pass OTHER authentication as well (for instance,
if you only accept SSH connections from "your-OK.yourdomain.com", but still
require a valid 'publickey' authentication or similar before actually
allowing it in).

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech


--==_Exmh_-43351939P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQE8f41ZcC3lWbTT17ARAodQAJ9fHm7nPQbDSYhPU+VcfMiKjsGfrACfd5so
ityGoG9h2+uA/Hxew+0Wvzw=
=Wze9
-----END PGP SIGNATURE-----

--==_Exmh_-43351939P--
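An added illustration of the two failure modes described in the post above (not code from the post or from tcp-wrappers): a name-based allow decision that trusts the PTR record as-is, beside one that forward-confirms the PTR name back to the connecting address. DNS lookups are injected as callables so the example runs offline against a constructed DNS table; the host names, addresses, table contents and the `ALLOWED_NAMES` policy are all assumptions made for the example, and the `socket`-based resolver wrappers are an approximation of how a real deployment would plug in the system resolver.

```python
"""Name-based access check, naive vs. forward-confirmed (added example)."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical policy: only connections from this name are allowed.
ALLOWED_NAMES = {"your-ok.yourdomain.example"}


class LookupTimeout(Exception):
    """Stand-in for a DNS timeout or SERVFAIL during a lookup."""


PtrLookup = Callable[[str], Optional[str]]   # ip -> name, None if no PTR
ALookup = Callable[[str], List[str]]          # name -> list of addresses


def decide_name_only(ip: str, ptr_lookup: PtrLookup) -> Tuple[str, str]:
    """Naive policy: trust whatever name the PTR record returns.

    A timeout rejects a possibly legitimate peer (the post's first point);
    a lying reverse zone is accepted at face value (the second point).
    """
    try:
        name = ptr_lookup(ip)
    except LookupTimeout:
        return "reject", "ptr-timeout"
    if name is None:
        return "reject", "no-ptr"
    return ("allow" if name in ALLOWED_NAMES else "reject"), f"ptr={name}"


def decide_forward_confirmed(ip: str, ptr_lookup: PtrLookup,
                             a_lookup: ALookup) -> Tuple[str, str]:
    """Hardened policy: the PTR name must resolve back to the connecting IP.

    The reverse zone is controlled by whoever owns the address block, so its
    answer is only meaningful once the forward zone (controlled by the name's
    owner) agrees with it.  Timeouts still fail closed.
    """
    try:
        name = ptr_lookup(ip)
        if name is None:
            return "reject", "no-ptr"
        addrs = a_lookup(name)
    except LookupTimeout:
        return "reject", "dns-timeout"
    if ip not in addrs:
        return "reject", f"ptr={name} not forward-confirmed"
    return ("allow" if name in ALLOWED_NAMES else "reject"), f"fcrdns={name}"


# Constructed DNS data (not real hosts): a legitimate peer, a peer whose
# reverse zone claims the allowed name but whose forward zone disagrees,
# and a peer whose PTR lookup times out.
CONSTRUCTED_DNS: Dict[str, dict] = {
    "ptr": {
        "192.0.2.10": "your-ok.yourdomain.example",
        "198.51.100.7": "your-ok.yourdomain.example",  # reverse zone lies
        "203.0.113.5": LookupTimeout,                   # resolver times out
    },
    "a": {
        "your-ok.yourdomain.example": ["192.0.2.10"],
    },
}


def make_resolvers(table: Dict[str, dict]) -> Tuple[PtrLookup, ALookup]:
    """Build offline lookup callables from a constructed table."""
    def ptr_lookup(ip: str) -> Optional[str]:
        entry = table["ptr"].get(ip)
        if entry is LookupTimeout:
            raise LookupTimeout(ip)
        return entry

    def a_lookup(name: str) -> List[str]:
        return list(table["a"].get(name, []))

    return ptr_lookup, a_lookup


def system_ptr_lookup(ip: str) -> Optional[str]:
    """Approximate system-resolver PTR lookup (assumed mapping of errors)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:          # no PTR record
        return None
    except OSError as exc:         # timeout / resolver failure
        raise LookupTimeout(ip) from exc


def system_a_lookup(name: str) -> List[str]:
    """Approximate system-resolver forward lookup (NXDOMAIN -> no addresses)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    ptr, a = make_resolvers(CONSTRUCTED_DNS)
    for peer in CONSTRUCTED_DNS["ptr"]:
        print(peer, decide_name_only(peer, ptr), decide_forward_confirmed(peer, ptr, a))
```

Run against the constructed table, the naive check lets 198.51.100.7 in on the strength of its PTR alone, while the forward-confirmed check rejects it; both reject 203.0.113.5 when the lookup times out, which is the legitimate-connection-lost trade-off the post mentions. tcp-wrappers' own PARANOID handling performs a comparable reverse/forward cross-check, and as the post says, either policy should still sit in front of real authentication rather than replace it.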
