To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
srisuresh at yahoo.com
Tue May 15 16:02:34 UTC 2001
--- Valdis.Kletnieks at vt.edu wrote:
> On Mon, 14 May 2001 23:18:09 PDT, Adam McKenna <adam at flounder.net> said:
> > It does hurt. It causes non-obvious problems. Forcing hostnames and PTR's
> > to match (commonly referred to as PARANOID checking) does not provide extra
> > security, it just prevents people with badly configured DNS from accessing
> > your servers.
> I once did a similar check in a Sendmail configuration, and found it to be
> incredibly useful in reducing the spam load without significantly impacting
> actual traffic.
> There's a second-order effect here - the sort of clueless ISP that is unable
> to get a PTR entry correct is *ALSO* the sort of clueless ISP that is very
> likely unable to detect/eliminate hacker/spammer/etc nests in their address
> You of course need to be sure that your *own* DNS is rock-solid and up to
> date (although our departmental network liaisons that maintain their zones
> have learned that Things Will Not Work if they don't do it right ;). You
> also need to apply the usual skepticism for results - there *could* be a
> temporary outage, for instance.
Forcing hostnames and PTR's to match will also prevent people from NAT
land accessing your servers. There are hardly any NAT implementations
that do dynamic DNS updates.
> It's *NOT* a security measure to deploy by itself. It's however useful as
> Yet Another Part of a Complete and Balanced Security Breakfast... ;)
Only if you consider keeping up-to-date PTR records and dynamic DNS updates
a security measure.
> Valdis Kletnieks
> Operating Systems Analyst
> Virginia Tech
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
More information about the NANOG