[69236] in North American Network Operators' Group
Re: the value of reverse address lookups?
daemon@ATHENA.MIT.EDU (Adrian Chadd)
Wed Mar 31 21:29:57 2004
Date: Thu, 1 Apr 2004 10:29:12 +0800
From: Adrian Chadd <adrian@creative.net.au>
To: "Douglas F. Calvert" <douglist@anize.org>
Cc: nanog@nanog.org
In-Reply-To: <1080778903.833.57.camel@liberate>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Mar 31, 2004, Douglas F. Calvert wrote:
>
> Hello,
> I am interested in finding out what the motivation is for requiring
> valid reverse address lookups before connecting to a daemon. I have
> heard a number of different explanations, the majority of the responses
> point to history/tradition and tcpwrappers. Is there a commonly accepted
> justification for this practice? In my opinion it does not appear to
> increase the validity of the connection. But I may be missing something
> obvious.
if you reverse resolve, then some registry somewhere (ARIN, RIPE, APNIC, etc)
recognises that network as having 'valid' contact details and has assigned
someone reverse authority.
It stops some IP block hijackers - if you find the right peer,
you can just pop up for a bit, say "hi! I'm foo/12!", start spamming
from a few /16's worth of IPs, then drop away after an hour.
In practice, at least with IP block hijackers, they'll either
(a) hijack a smaller chunk of a registered/announced ip network, complete
with nameservers, or
(b) they'll find a registered but un-announced ip network, with the
in-addr authoritative nameservers inside said network, and just
pop up for spamming there.
I think you'll find the original reasoning rooted in past history.
A few useful side-effects, like the above, have popped up so I don't
think there's much motivation to change it.
2c,
Adrian
--
Adrian Chadd I'm only a fanboy if
<adrian@creative.net.au> I emailed Wesley Crusher.
