Reverse DNS and SMTP

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Mar 1 14:16:57 UTC 2002


On Fri, 01 Mar 2002 11:22:54 +0800, Mathias Koerber <mathias at koerber.org>  said:

> You mean don't run reverse DNS? Having good reverse DNS is a requirement
> to allow things like tcp-wrappers to work with domainnames rather than
> just IP addresses.

Using domain names with tcp-wrappers has some hidden considerations that
95% of the people don't think through...

If you are getting a connection from an IP/name you *would* let in, but
the PTR entry fails on a timeout or whatever, you're rejecting a legitimate
connection.  Depending on your paranoia level, this may be acceptable.

If you allow in based on DNS name, you may accept a connection that you
should have rejected. The usual causes of this are DNS cache poisoning
and related attacks - and of course, these are most likely to happen in
conjunction with an attempted illegitimate connection.

It's probably an OK thing to do *IF* you realize that the DNS can be lied
to, and the connection has to pass OTHER authentication as well (for instance,
if you only accept SSH connections from "your-OK.yourdomain.com", but still
require a valid 'publickey' authentication or similar before actually
allowing it in).

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
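As an added illustration (not from the message above), a forward-confirmed reverse DNS check in the spirit of what tcp-wrappers' PARANOID handling does: the PTR name only counts if a forward lookup of that name resolves back to the connecting address. It runs against a constructed offline resolver so both failure modes named in the message are visible: a PTR timeout rejecting a legitimate peer, and a spoofed PTR that the forward lookup exposes. The resolver class, zone data and addresses are all constructed for the example.

```python
from dataclasses import dataclass, field

class DnsTimeout(Exception):
    """Raised when the (simulated) resolver does not answer in time."""

@dataclass
class FakeResolver:
    """Constructed stand-in for the system resolver so the example runs offline."""
    ptr: dict = field(default_factory=dict)       # ip -> hostname claimed by its PTR
    fwd: dict = field(default_factory=dict)       # hostname -> set of A records
    timeouts: set = field(default_factory=set)    # ips whose PTR lookup hangs

    def reverse(self, ip):
        if ip in self.timeouts:
            raise DnsTimeout(ip)
        return self.ptr.get(ip)

    def forward(self, name):
        return self.fwd.get(name, set())

def check_host(ip, allowed_name, resolver, fail_open=False):
    """Return (decision, reason) for a hostname-based access rule.
    The PTR name is trusted only if the forward lookup maps it back to ip."""
    try:
        name = resolver.reverse(ip)
    except DnsTimeout:
        # PTR timed out: a legitimate peer is rejected unless policy is fail-open
        return ("allow" if fail_open else "deny", "ptr-timeout")
    if name is None:
        return ("deny", "no-ptr")
    if ip not in resolver.forward(name):
        # forward/reverse mismatch: the PTR may be lying (poisoned cache, rogue zone)
        return ("deny", "paranoid-mismatch")
    if name.lower() != allowed_name.lower():
        return ("deny", "name-not-allowed")
    return ("allow", "fcrdns-ok")

# Constructed zone data (RFC 5737 documentation addresses).
RESOLVER = FakeResolver(
    ptr={"192.0.2.10": "your-ok.yourdomain.com",
         "198.51.100.7": "your-ok.yourdomain.com",   # PTR claims the allowed name
         "192.0.2.11": "other.yourdomain.com"},
    fwd={"your-ok.yourdomain.com": {"192.0.2.10"},   # but forward only lists .10
         "other.yourdomain.com": {"192.0.2.11"}},
    timeouts={"192.0.2.12"},
)
```

Even a consistent forward/reverse pair only shows that the DNS answered consistently, so the message's point stands: the name match should gate, not replace, something like SSH public-key authentication.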
