In some email I received from Brent Chapman, Sie wrote:
> Ah, but I don't trust anything based on name. All of my packet
> filters are set up to filter by address, not name. None of the
> services on my gateway machines (the one that provides the SMTP, FTP,
> NNTP, and DNS servers that the outside world can see) do any sort of
> authentication by name (except for NNTP, which I'm not real concerned
> about anyway; if I was, I could do it by IP address as well).
Your lack of trust in DNS replies is well founded, but it may well be
useful for you to know who is trying to spoof DNS records if you do an
IP#->name lookup (from a DNS server) and get a 'local' machine name
which has a different IP# to that which you're doing a lookup on.
In this area, I think it is DNS libraries which are a bit on the deficient
side; it would be nice to be able to set a preference of /etc/hosts or
a DNS server for each lookup AND also know from which the answer came.
Then at least you can depend on local mappings (from /etc/hosts) and start
asking questions when you see a clash.
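The check described above, written out as an added example (this is not code from the email or from either correspondent): a reverse (address to name) lookup is cross-checked against the local hosts file and a forward lookup, each answer carries a record of whether it came from /etc/hosts or from a DNS server, and a "clash" is reported when a DNS-supplied name is one that /etc/hosts already maps to a different address. The hosts file and DNS zone contents are constructed stand-ins using RFC 5737 documentation addresses; nothing is queried over the network, and the `prefer_hosts` switch and the `check_peer` function are assumptions of this example, not an interface of any real resolver library.

```python
"""Cross-check a PTR answer against /etc/hosts and a forward lookup,
recording which source each answer came from.

All data here is constructed for the example (RFC 5737 addresses).
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-in for /etc/hosts: name -> address.
LOCAL_HOSTS = {
    "gateway.example.com": "192.0.2.1",
    "mailhub.example.com": "192.0.2.2",
}

# Constructed stand-in for answers a DNS server would return.
DNS_PTR = {                                  # reverse zone: address -> name
    "192.0.2.1": "gateway.example.com",
    "198.51.100.7": "mailhub.example.com",   # claims a local name it does not own
    "203.0.113.9": "www.example.net",
    "203.0.113.10": "www.example.net",       # PTR not backed by a matching A record
}
DNS_A = {                                    # forward zone: name -> addresses
    "gateway.example.com": {"192.0.2.1"},
    "mailhub.example.com": {"192.0.2.2"},
    "www.example.net": {"203.0.113.9"},
}


@dataclass
class CheckResult:
    status: str            # "ok", "clash", "mismatch" or "no-ptr"
    ip: str
    name: Optional[str]
    reverse_source: str    # where the address->name answer came from
    forward_source: str    # where the name->address answer came from


def reverse_lookup(ip: str) -> Tuple[Optional[str], str]:
    """Address -> name. /etc/hosts is consulted first; the source is returned alongside."""
    for name, addr in LOCAL_HOSTS.items():
        if addr == ip:
            return name, "hosts"
    if ip in DNS_PTR:
        return DNS_PTR[ip], "dns"
    return None, "none"


def forward_lookup(name: str, prefer_hosts: bool = True) -> Tuple[Set[str], str]:
    """Name -> set of addresses, honouring a per-lookup source preference."""
    hosts = {LOCAL_HOSTS[name]} if name in LOCAL_HOSTS else set()
    dns = set(DNS_A.get(name, set()))
    order = [("hosts", hosts), ("dns", dns)] if prefer_hosts else [("dns", dns), ("hosts", hosts)]
    for source, addrs in order:
        if addrs:
            return addrs, source
    return set(), "none"


def check_peer(ip: str) -> CheckResult:
    """Classify a connecting address by how its reverse and forward mappings agree."""
    name, rsrc = reverse_lookup(ip)
    if name is None:
        return CheckResult("no-ptr", ip, None, rsrc, "none")
    # A name we define locally must map back to the same address we started from;
    # anything else is a clash worth asking questions about.
    if name in LOCAL_HOSTS and LOCAL_HOSTS[name] != ip:
        return CheckResult("clash", ip, name, rsrc, "hosts")
    addrs, fsrc = forward_lookup(name)
    if ip not in addrs:
        return CheckResult("mismatch", ip, name, rsrc, fsrc)
    return CheckResult("ok", ip, name, rsrc, fsrc)


if __name__ == "__main__":
    for peer in ("192.0.2.1", "198.51.100.7", "203.0.113.9", "203.0.113.10", "203.0.113.11"):
        r = check_peer(peer)
        print(f"{r.ip:<14} {r.status:<9} name={r.name} reverse={r.reverse_source} forward={r.forward_source}")
```

Only the "clash" status relies on /etc/hosts being authoritative for local names; the "mismatch" status is the ordinary forward-confirmed reverse check, and an entry whose reverse answer came from "dns" while its forward answer came from "hosts" is the case where knowing the source of each answer, as the email asks for, makes the difference.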