  • From: Valdis.Kletnieks
  • Date: Fri Mar 01 09:19:57 2002

On Fri, 01 Mar 2002 11:22:54 +0800, Mathias Koerber <[email protected]>  said:

> You mean don't run reverse DNS? Having good reverse DNS is a requirement
> to allow things like tcp-wrappers to work with domainnames rather than
> just IP addresses.

Using domain names with tcp-wrappers has some hidden considerations that
95% of the people don't think through...

If you are getting a connection from an IP/name you *would* let in, but
the PTR entry fails on a timeout or whatever, you're rejecting a legitimate
connection.  Depending on your paranoia level, this may be acceptable.

If you allow in based on DNS name, you may accept a connection that you
should have rejected. The usual causes of this are DNS cache poisoning
and related attacks - and of course, these are most likely to happen in
conjunction with an attempted illegitimate connection.

It's probably an OK thing to do *IF* you realize that the DNS can be lied
to, and the connection has to pass OTHER authentication as well (for instance,
if you only accept SSH connections from "", but still
require a valid 'publickey' authentication or similar before actually
allowing it in).

				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
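As an added illustration of the two failure modes Valdis describes (a PTR lookup that times out and a PTR record that lies), here is a small forward-confirmed reverse DNS gate written for this page; it is not tcpd's code and not something from the thread. The resolver is injected as two constructed lookup tables so it runs offline; `host1.example.net`, `192.0.2.10` and the other names and addresses are made up. The check fails closed on a timeout and on a forward/reverse mismatch, and, following the last paragraph of the post, a confirmed name alone never grants access: a second authentication result (assumed here to be a boolean supplied by the caller, e.g. the outcome of SSH public-key auth) must also be true.

```python
"""Forward-confirmed reverse DNS as a gate in front of a second authentication.

Illustrative code written for this page, not tcpd's implementation.
The resolver is injected as callables so the example runs offline;
all names and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


class DnsTimeout(Exception):
    """Raised by a lookup that times out (constructed failure mode)."""


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


PtrLookup = Callable[[str], Optional[str]]   # ip -> name, or None on NXDOMAIN
ALookup = Callable[[str], Iterable[str]]     # name -> addresses


def confirmed_name(ip: str, ptr: PtrLookup, a: ALookup) -> Optional[str]:
    """Return the PTR name only if a forward lookup of that name maps back to ip.

    Timeout, NXDOMAIN and forward/reverse disagreement all yield None:
    the name is unusable, so the caller treats the peer as unknown.
    """
    try:
        name = ptr(ip)
        if name is None:
            return None
        if ip not in set(a(name)):
            return None          # reverse and forward disagree: do not trust the name
        return name
    except DnsTimeout:
        return None              # fail closed: a timeout is not a match


def name_permitted(name: Optional[str], allowed_suffix: str) -> bool:
    """True if name is the allowed domain or a host under it (case-insensitive)."""
    if name is None:
        return False
    host = name.rstrip(".").lower()
    suffix = allowed_suffix.strip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def decide(ip: str, allowed_suffix: str, ptr: PtrLookup, a: ALookup,
           second_factor_ok: bool) -> Decision:
    """DNS name is a gate, never the whole decision: both checks must pass."""
    name = confirmed_name(ip, ptr, a)
    if not name_permitted(name, allowed_suffix):
        return Decision(False, f"no confirmed name under {allowed_suffix} for {ip}")
    if not second_factor_ok:
        return Decision(False, f"{name} passes DNS, but second authentication failed")
    return Decision(True, f"{name} confirmed and authenticated")


# --- constructed resolver data (not real DNS) --------------------------------
_PTR = {
    "192.0.2.10": "host1.example.net.",    # legitimate host, records consistent
    "198.51.100.7": "host2.example.net.",  # PTR claims the domain, forward disagrees
    "203.0.113.5": "host3.example.net.",   # both PTR and A forged: DNS cannot tell
}
_A = {
    "host1.example.net.": ["192.0.2.10"],
    "host2.example.net.": ["192.0.2.20"],
    "host3.example.net.": ["203.0.113.5"],
}


def ptr_lookup(ip: str) -> Optional[str]:
    if ip == "192.0.2.11":
        raise DnsTimeout(ip)  # constructed: the PTR query for this host times out
    return _PTR.get(ip)


def a_lookup(name: str) -> Iterable[str]:
    return _A.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.5"):
        for key_ok in (True, False):
            print(ip, key_ok, decide(ip, "example.net", ptr_lookup, a_lookup, key_ok))
```

The `203.0.113.5` case is the reason for the second factor: when both the PTR and the forward record are forged consistently, the DNS check passes and only the other authentication step keeps the connection out. Note also that a PTR timeout for a host you would otherwise admit is rejected here; that is the deliberate trade-off the post calls a matter of paranoia level.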

