Performance Issues - PTR Records
Mark Andrews
marka at isc.org
Tue Nov 8 12:27:31 UTC 2011
In message <4EB90EF2.3030100 at unfix.org>, Jeroen Massar writes:
> On 2011-11-08 12:05 , Mark Andrews wrote:
> > In message <4EB8F028.8040607 at dds.nl>, Seth Mos writes:
> [..]
> > Sounds like FUD. Who has trusted the contents of a PTR record in the
> > last 2 decades?
>
> Lots of tools (read: SSH, Spam-checks, oh and IRCd's ;) trust PTR, but
> only if the reverse => forward => reverse. And you don't want to know
> how many silly people enable the "if user comes from .in they must be
> from Indonesia^WIndia thus block them" Apache option as recently
> mentioned on this very thread.
They arn't trusting the reverse record. They are trusting the forward
record to verify the reverse record. They know that the reverse record
is untrustworthy as the owner of the reverse zone can put whatever they
want there without spoofing anything.
> Also, note that your precious operating system will likely store the
> PTR, sometimes even without doing the reverse->forward->reverse check.
> As such, you set up a PTR + Forward properly for a host, try to 'hack' a
> box by password guessing, the log entries will only have the PTR
> recorded, and you just drop the PTR+Forward from DNS (as they are under
> your control) the admin comes in, sees all those nice hosts in their
> logs but as it is gone from DNS will never ever find you. This
> especially goes for 'who' (utmp) which makes that mistake. Fortunately
> SSH at least logs both IP + hostname, the more info the better.
Who trusts logs of names without actual addresses? No one sane
does.
> That said though the PTR->forward->PTR check is a proper check and a
> really great way to figure out if the source SMTP host was actually set
> up with at least some admin doing it the right way. If they can't be
> bothered to set that up, why should you bother to accept that mail, or a
> better choice, just score it a bit negatively at least.
Which only works as a filter because ISP's decided to prevent home
users from putting valid PTR records in the DNS for their own
machines. It has nothing to do with clue or knowlege.
> Greets,
> Jeroen
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the NANOG
mailing list