request for help w/ ATT and terminology

Steven M. Bellovin smb at cs.columbia.edu
Thu Jan 17 21:29:37 UTC 2008


On Thu, 17 Jan 2008 15:45:24 -0500
Valdis.Kletnieks at vt.edu wrote:

> On Thu, 17 Jan 2008 09:15:30 CST, Joe Greco said:
> > make this a killer.  That could include things such as firewall
> > rules/ACL's, recursion DNS server addresses, VPN adapters, VoIP
> > equipment with stacks too stupid to do DNS, etc.
> 
> I'll admit that fixing up /etc/resolv.conf and whatever the Windows
> equivalent is can be a pain - but for the rest of it, if you bought
> gear that's too stupid to do DNS, I have to agree with Leigh's
> comment: "Caveat emptor".
> 
You don't always want to rely on the DNS for things like firewalls and
ACLs.  DNS responses can be spoofed, the servers may not be available,
etc.  (For some reason, I'm assuming that DNSsec isn't being used...)


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
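
An added example, not part of the original message: a small audit that flags firewall rules whose source or destination match is a hostname rather than an address literal, since such a rule only means what the DNS answered when it was loaded. The iptables-save style syntax and the sample ruleset are assumptions chosen for illustration; the thread names no particular firewall.

```python
import ipaddress
import shlex

# Options whose argument is an address match in iptables-save style rules
# (assumed rule syntax; the thread does not name a firewall product).
ADDRESS_OPTS = {"-s", "--source", "-d", "--destination"}

def is_ip_literal(value):
    """True if value is an IPv4/IPv6 address or CIDR prefix, not a hostname."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def dns_dependent_rules(ruleset):
    """Return (line_number, option, name) for each address match that needs DNS."""
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens[:-1]):
            if tok not in ADDRESS_OPTS:
                continue
            # An address argument may be a comma-separated list.
            for value in tokens[i + 1].split(","):
                if not is_ip_literal(value):
                    findings.append((lineno, tok, value))
    return findings

# Constructed sample ruleset (names and addresses are illustrative).
SAMPLE = """\
# constructed example
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s admin.example.net -p tcp --dport 22 -j ACCEPT
-A OUTPUT -d 2001:db8::53 -p udp --dport 53 -j ACCEPT
-A OUTPUT -d ns1.example.net,198.51.100.53 -p udp --dport 53 -j ACCEPT
-A INPUT -j DROP
"""

if __name__ == "__main__":
    for lineno, opt, name in dns_dependent_rules(SAMPLE):
        print(f"line {lineno}: {opt} {name} depends on a DNS answer at load time")
```

Each finding is a rule that fails to load if the resolver is unreachable and that admits whatever address a spoofed response supplied.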


