   comp.protocols.tcp-ip      TCP and IP network protocols.      14,669 messages   

   Message 14,156 of 14,669   
   Tim K to Moe Trin   
   Re: Reverse DNS optional?   
   13 Mar 15 02:15:51   
   
   From: kelletim@gmail.com   
      
   On Tuesday, February 3, 2015 at 3:59:06 PM UTC-6, Moe Trin wrote:   
   > On Tue, 3 Feb 2015, in the Usenet newsgroup comp.protocols.tcp-ip, in article   
   > , glen herrmannsfeldt wrote:   
   >    
   > >A: Nobody uses it, and it is a waste of time to set up the servers.   
   >    
   >  A: Nobody uses it, and it is too HARD to set up the servers.   ;-)   
   >    
   > I've also seen people who avoid setting things up because it's a huge   
   > security hole if you let people figure out host names...   either that   
   > or they make you the object of intense laughter/ridicule.   I've also   
   > seen a lot of setups where "dig -x 192.0.2.22" would return the answer   
   > "22.2.0.192-in-addr.arpa" (PTR records obviously created by a perl or   
   > shell script).   
   >    
   > >C: Only hosts that make outgoing connections need DNS, don't waste   
   > >   the time otherwise.   
   >    
   > man 5 hosts_access   
   >    
   >    PARANOID   
   >      Matches any host whose name does not match its address.  When tcpd   
   >      is  built  with  -DPARANOID (default mode), it drops requests from   
   >      such clients even before looking at  the  access  control  tables.   
   >      Build  without  -DPARANOID  when  you  want more control over such   
   >      requests.   
   >    
   > tcp_wrappers hasn't been maintained, and the last version released,
   > 7.6, is dated 7 April 1997.   On the other hand, I think most SMTP
   > servers are also set to require matching DNS entries.
   >    
   > >E: Every host (and each port of multi-homed hosts) should have rDNS,   
   > >   but the network police won't arrest you for not doing it.   
   >    
   > But therein lies the rub - I don't see where PTR records are a "MUST"
   > in the standards.   RFC2050 was a "BEST CURRENT PRACTICE" document (and
   > section 5 of that document related to "In-ADDR.ARPA Domain Maintenance"),
   > not an "INTERNET STANDARD" (or DRAFT or PROPOSED standard).   Likewise,
   > RFC3172.
   >    
   > >F: Network administrators who don't configure reverse DNS should   
   > >   be shot.   
   >    
   > Hmmmm.....   
   >    
   >         Old guy   
      
   I hear you, but things have changed. DNS was never a good security mechanism,
   although in this case (tcpwrappers:PARANOID) it clearly is being used that
   way. Security practices have improved, and checking to see if an incoming
   host's name matches its PTR record has been disregarded, because it was
   frankly a silly check to begin with. What it really meant was your
   organization was important enough for your ISP to actually pay attention to
   your request for a PTR. :)
      
   Still, on a private network they're quite useful unless you like memorizing IP
   addresses, but frankly, the way people name machines now, you may as well.
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
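Added example, not part of the thread: the PARANOID match quoted from hosts_access(5) reduced to its core logic in Python, a forward-confirmed reverse lookup run against constructed sample records (the example.net/example.org names and 192.0.2.x addresses are made up) so it executes offline; the socket-based resolvers are used only when no table is passed in.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Resolver callbacks so the check can run against constructed data offline.
ReverseFn = Callable[[str], Optional[str]]   # address -> PTR name (or None)
ForwardFn = Callable[[str], Iterable[str]]   # name -> addresses it resolves to

def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the OS resolver (only used when no table is supplied)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name: str) -> List[str]:
    """Forward (A/AAAA) lookup via the OS resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def paranoid_check(ip: str, reverse: ReverseFn = system_reverse,
                   forward: ForwardFn = system_forward) -> Tuple[bool, str]:
    """Mirror hosts_access(5) PARANOID: accept the client only if its PTR name
    resolves back to the connecting address (forward-confirmed reverse DNS)."""
    name = reverse(ip)
    if name is None:
        return False, "%s: no PTR record" % ip
    if ip not in set(forward(name)):
        return False, "%s: PTR %s does not resolve back to %s" % (ip, name, ip)
    return True, "%s: forward-confirmed as %s" % (ip, name)

# Constructed sample records (not real DNS data) covering the cases in the thread.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",          # proper PTR with a matching A record
    "192.0.2.22": "22.2.0.192.in-addr.arpa",   # script-generated PTR, no A record
    "192.0.2.33": "www.example.org",           # PTR names a host that resolves elsewhere
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "www.example.org": ["203.0.113.5"],
}

def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)

def sample_forward(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.22", "192.0.2.33", "192.0.2.99"):
        ok, why = paranoid_check(addr, sample_reverse, sample_forward)
        print("ACCEPT" if ok else "DROP  ", why)
```

Only the first address is accepted; the script-generated name, the mismatched forward record and the missing PTR are all dropped before any access-control rule would be consulted.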
