To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
Adam McKenna
adam at flounder.net
Tue May 15 06:18:09 UTC 2001
On Mon, May 14, 2001 at 05:27:09PM -0400, Christopher A. Woodfield wrote:
>
> I didn't intend to imply that matching forward/reverse DNS was a security
> measure I'd trust by itself, but it certainly doesn't hurt to implement as
> a "outer perimeter" measure in conjunction with IP-based rules and
> secure authentication...
It does hurt. It causes non-obvious problems. Forcing hostnames and PTR's
to match (commonly referred to as PARANOID checking) does not provide extra
security, it just prevents people with badly configured DNS from accessing
your servers.
--Adam
More information about the NANOG
mailing list