North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS

  • From: Valdis.Kletnieks
  • Date: Tue May 15 10:38:19 2001

On Mon, 14 May 2001 23:18:09 PDT, Adam McKenna <[email protected]>  said:
> It does hurt.  It causes non-obvious problems.  Forcing hostnames and PTR's
> to match (commonly referred to as PARANOID checking) does not provide extra
> security, it just prevents people with badly configured DNS from accessing
> your servers.

I once did a similar check in a Sendmail configuration, and found it to be
incredibly useful in reducing the spam load without significantly impacting
actual traffic.

There's a second-order effect here - the sort of clueless ISP that is unable
to get a PTR entry correct is *ALSO* the sort of clueless ISP that is very
likely unable to detect/eliminate hacker/spammer/etc nests in their address
space.

You of course need to be sure that your *own* DNS is rock-solid and up to
date (although our departmental network liaisons that maintain their zones
have learned that Things Will Not Work if they don't do it right ;).  You
also need to apply the usual skepticism for results - there *could* be a
temporary outage, for instance.

It's *NOT* a security measure to deploy by itself.  It's however useful as
Yet Another Part of a Complete and Balanced Security Breakfast... ;)

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

Attachment: pgp00032.pgp
Description: PGP signature