North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: the value of reverse address lookups?

  • From: Laurence F. Sheldon, Jr.
  • Date: Wed Mar 31 22:01:21 2004

Douglas F. Calvert wrote:

On Wed, 2004-03-31 at 19:59, Stephen J. Wilcox wrote:

On Wed, 31 Mar 2004, Douglas F. Calvert wrote:

I am interested in finding out what the motivation is for requiring
valid reverse address lookups before connecting to a daemon. I have
heard a number of different explanations, the majority of the responses
point to history/tradition and tcpwrappers. Is there a commonly accepted
justification for this practice?  In my opinion it does not appear to
increase the validity of the connection. But I may be missing something
obvious.
Thanks in advance...
Well, my understanding is that whilst its easy to get a domain name and some dns
its usually quite difficult to put in a ptr record, these are usually controlled
by the ISP. If they dont exist or dont match then the address is a dialup or
hijacked or something not legitimate.. I think this is mainly an smtp antispam thing tho altho I see your point is for any connection is general, I guess the same appliers to hackers as to spammers.. ?
I am interested in both cases smtp and other services. Syr.edu only
accepts ssh connection to the public unix boxen if you come from an ip
with a valid reverse address. The majority of smtp servers on the net
require the same. What more is known about the mail sender or ssh client
just because the reverse address lookup goes through?

Anyone care to give their thoughts on the legacy aspect?
Speaking for myself only, and for the groups that I used to manage
at the time I managed them...

There is a concept of a Complete Job in doing something.  In the
case of exposing a machine to a larger community, that Complete
Job includes (but is not limited to) such things as insuring
that machine is physically up to its assigned task, that its
Operating system is appropriate and at the appropriate patch
level, that the software is appropriate for the assignment, and
properly configured, that the installation is physically and
operationally secure, and that all of the paperwork (including
virtual paperwork like domain registrations and DNS minutia)
is in order.

If you are an outsider looking in at one of my installations, that
last one is the only one you can readily look at to see if you
think I am worthy of your trust.

--
Requiescas in pace o email