North American Network Operators Group

Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
On Mon, 14 May 2001 23:18:09 PDT, Adam McKenna <[email protected]> said:

> It does hurt. It causes non-obvious problems. Forcing hostnames and PTR's
> to match (commonly referred to as PARANOID checking) does not provide extra
> security, it just prevents people with badly configured DNS from accessing
> your servers.

I once did a similar check in a Sendmail configuration, and found it to be incredibly useful in reducing the spam load without significantly impacting actual traffic.

There's a second-order effect here - the sort of clueless ISP that is unable to get a PTR entry correct is *ALSO* the sort of clueless ISP that is very likely unable to detect/eliminate hacker/spammer/etc nests in their address space.

You of course need to be sure that your *own* DNS is rock-solid and up to date (although our departmental network liaisons that maintain their zones have learned that Things Will Not Work if they don't do it right ;). You also need to apply the usual skepticism for results - there *could* be a temporary outage, for instance.

It's *NOT* a security measure to deploy by itself. It's however useful as Yet Another Part of a Complete and Balanced Security Breakfast... ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
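The check discussed in this message (a client's PTR name must resolve forward to the connecting address), sketched as an added example that is not part of the original post or any poster's configuration. The resolver hooks, verdict names and sample zone data are constructed assumptions; the point shown is keeping a temporary DNS outage separate from a genuine mismatch.

```python
import ipaddress
import socket

PASS, NO_PTR, MISMATCH, TEMPFAIL = "pass", "no_ptr", "mismatch", "tempfail"

class TempFail(Exception):
    """The resolver could not answer right now (timeout, SERVFAIL)."""

def system_ptr(ip):
    """PTR names for ip from the system resolver; [] if none exist."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except socket.herror as e:
        if e.errno == 2:  # h_errno TRY_AGAIN: transient failure
            raise TempFail(ip) from e
        return []
    return [name, *aliases]

def system_fwd(name):
    """A/AAAA addresses for name from the system resolver; [] if none."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror as e:
        if e.errno == socket.EAI_AGAIN:  # transient failure
            raise TempFail(name) from e
        return []
    return [info[4][0] for info in infos]

def fcrdns(ip, ptr=system_ptr, fwd=system_fwd):
    """Classify a client: some PTR name must resolve back to the same IP."""
    addr = ipaddress.ip_address(ip)
    try:
        names = ptr(str(addr))
    except TempFail:
        return TEMPFAIL
    if not names:
        return NO_PTR
    deferred = False
    for name in names:
        try:
            if any(ipaddress.ip_address(a) == addr for a in fwd(name) or []):
                return PASS
        except TempFail:
            deferred = True  # an outage is not evidence of bad DNS
    return TEMPFAIL if deferred else MISMATCH

# Constructed sample zone data (documentation address ranges), usable as
# resolver hooks: fcrdns("192.0.2.66", PTR.get, FWD.get) returns "mismatch".
PTR = {"192.0.2.10": ["mail.example.org"], "192.0.2.66": ["mx.example.net"]}
FWD = {"mail.example.org": ["192.0.2.10"], "mx.example.net": ["198.51.100.5"]}
```

A mail server using such a verdict would typically defer on `tempfail` rather than reject, and treat `no_ptr` or `mismatch` as one signal among several.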