North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Schneier: ISPs should bear security burden
On Wed, 27 Apr 2005, Owen DeLong wrote: > > > > What's rDNS for the ip address(es) assigned to you? > > > I don't know about him, but, on my ADSL connection, it is controlled > by my nameservers: > > ;; ANSWER SECTION: > 10.159.192.in-addr.arpa. 86400 IN NS ns.rop.edu. > 10.159.192.in-addr.arpa. 86400 IN NS ns.delong.sj.ca.us. > Who are you to decide that there is no damage to blocking residential > customers? I'm a residential customer, but, I have a number of > servers running, and, a port 25 block would be very destructive to > the operation of my mailserver. Ah, but *you* wouldn't get blocked. You maintain your own rDNS and presumably have enough clue to not make the rDNS look like a pool of dynamic residential IPs that aren't terribly important. To wit: [email protected]: ~ $host 192.159.10.1 1.10.159.192.in-addr.arpa domain name pointer ns.delong.sj.ca.us. [email protected]: ~ $host 192.159.10.2 2.10.159.192.in-addr.arpa domain name pointer owen.delong.sj.ca.us. [email protected]: ~ $host 192.159.10.8 8.10.159.192.in-addr.arpa domain name pointer www.diagnostix.com. Those are OBVIOUSLY not hostnames that comply with de-facto standards for dynamically assigned dialup and broadband pools like ip-192-168-0-1.AppleValleyCA.BigDSLProvider.net or port1.as29.phoenix.DialupFarm.com (for example). The idea is that your ISP should either allow you to run your own DNS or give you DNS that doesn't look like something out of a big pool of addresses, which makes it much, MUCH easier to decide what to block and what not to block. Any IP that a provider allows servers on should have distinctive, non-dynamic-looking DNS (and preferably be in a separate netblock from the dynamically-assigned IPs). That way you can be reasonably sure that you're not blocking someone whose ISP has allowed them to run servers. (Some providers are much better than others at doing this kind of thing...) > Why should an ISP decide what a residential > customer can or can't do with their internet connection. (This is not > an advocation for abandoning TOS or allowing abuse. I am talking about > within the confines of legitimate internet use, such as hosting a web > site (or even several), running nameservers, mail server(s), etc.) Your ISP, or the provider of the person deciding whether to block you? Is there anything wrong with an ISP saying "you can't run servers on certain types of Internet connection"? -- JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638) Steven J. Sobol, Geek In Charge / [email protected] / PGP: 0xE3AE35ED "The wisdom of a fool won't set you free" --New Order, "Bizarre Love Triangle"
|