North American Network Operators Group

Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
--- [email protected] wrote:
> On Mon, 14 May 2001 23:18:09 PDT, Adam McKenna <[email protected]> said:
> > It does hurt. It causes non-obvious problems. Forcing hostnames and PTR's
> > to match (commonly referred to as PARANOID checking) does not provide extra
> > security, it just prevents people with badly configured DNS from accessing
> > your servers.
>
> I once did a similar check in a Sendmail configuration, and found it to be
> incredibly useful in reducing the spam load without significantly impacting
> actual traffic.
>
> There's a second-order effect here - the sort of clueless ISP that is unable
> to get a PTR entry correct is *ALSO* the sort of clueless ISP that is very
> likely unable to detect/eliminate hacker/spammer/etc nests in their address
> space.
>
> You of course need to be sure that your *own* DNS is rock-solid and up to
> date (although our departmental network liaisons that maintain their zones
> have learned that Things Will Not Work if they don't do it right ;). You
> also need to apply the usual skepticism for results - there *could* be a
> temporary outage, for instance.
>

Forcing hostnames and PTR's to match will also prevent people from NAT land
accessing your servers. There are hardly any NAT implementations that do
dynamic DNS updates.

> It's *NOT* a security measure to deploy by itself. It's however useful as
> Yet Another Part of a Complete and Balanced Security Breakfast... ;)
>

Only if you consider keeping up-to-date PTR records and dynamic DNS updates a
security measure.

> --
> Valdis Kletnieks
> Operating Systems Analyst
> Virginia Tech
>
>

cheers,
suresh
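
Added example, not part of the thread or of any poster's configuration: a sketch of the PTR/hostname match check discussed above, showing how it classifies a consistent host, a mismatched PTR, a client with no PTR (the NAT case) and a resolver outage. The lookup tables, function names and the accept/reject/defer policy are assumptions constructed for illustration.

```python
# Constructed sample DNS data using documentation address ranges.
PTR = {
    "192.0.2.10": "mail.example.net",    # PTR and forward record agree
    "192.0.2.20": "host20.example.net",  # PTR exists, forward record differs
    "198.51.100.7": TimeoutError,        # resolver does not answer
}                                        # 203.0.113.5 has no PTR at all
FWD = {
    "mail.example.net": ["192.0.2.10"],
    "host20.example.net": ["192.0.2.99"],
}

def table_reverse(ip):
    """Hypothetical reverse lookup: hostname, None if no PTR, or raises on outage."""
    val = PTR.get(ip)
    if val is TimeoutError:
        raise TimeoutError(ip)
    return val

def table_forward(name):
    """Hypothetical forward lookup: list of addresses for the name."""
    return FWD.get(name, [])

def paranoid_check(ip, reverse=table_reverse, forward=table_forward):
    """Classify a client address the way a PTR/hostname match check sees it."""
    try:
        name = reverse(ip)
        if name is None:
            return "no-ptr"
        addrs = forward(name)
    except OSError:  # TimeoutError is a subclass of OSError
        return "tempfail"
    # The check passes only if the PTR name resolves back to the client address.
    return "match" if ip in addrs else "mismatch"

# Assumed policy: a lookup failure is deferred rather than rejected, because
# a temporary outage says nothing about how the remote zone is configured.
ACTION = {"match": "accept", "mismatch": "reject",
          "no-ptr": "reject", "tempfail": "defer"}

def decide(ip):
    return ACTION[paranoid_check(ip)]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "203.0.113.5", "198.51.100.7"):
        print(ip, paranoid_check(ip), decide(ip))
```

Real resolver functions can be passed as `reverse` and `forward` as long as they signal a missing record by returning `None` or an empty list and an outage by raising `OSError`.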