Great Circle Associates Firewalls
(September 1993)
 


Subject: Re: SMTP - reverse lookups OK (was Re: Access control from SMTP)
From: Christophe Wolfhugel <Christophe.Wolfhugel@grasp.insa-lyon.fr>
Date: Wed, 22 Sep 1993 22:04:49 +0200
To: firewalls@GreatCircle.COM

Brent Chapman:
> A few sites do double reverse lookups.  I think this is a problem.  I
> don't think they're getting much in the way of extra security, and
> they're causing problems for lots of sites such as your own which are
> on transient IP addresses, or sites that don't want to reveal the
> names of their internal machines (for whatever reasons).

Cheating on reverse lookups is easy, as you can put the PTR in any
zone. Cheating on both the reverse and direct lookup is somewhat less
trivial. Having a supposedly correct name eases the management of
problems a lot, just because many sites manage their direct zone better
and neglect the reverse (just look at how many Internet sites do not
register their networks at all).

If sites don't bother to manage their address space properly, I don't
bother allowing access to them. They are free to go somewhere else :).
This is particularly true when speaking of anon ftp: most users (particularly
in Europe, but this seems to be more and more widespread on other continents)
are badly enough educated not to have the politeness to identify themselves
as suggested; I don't like to allow service to unregistered and impolite
people!

Doing both lookups also sometimes helps find bugs in the zones
(like missing dots). It is not rare to find (fictitious sample)
134.214.100.25 pointing to grasp.insa-lyon.fr.214.134.in-addr.arpa.

> I typically configure DNS on the firewalls that I install to return
> "unknown.SITE.DOMAIN" (i.e., "unknown.GreatCircle.COM") as the
> hostname for PTR lookups for "internal" machines,

Wildcard PTRs are supposed to work (never tried it):

*.x.y.z.in-addr.arpa.   IN      PTR     unknown.dom.ain.

Now when using firewalls, and particularly proxy servers, the
connection usually comes from the machine hosting those servers
which is supposed to be registered in the public DNS zone.

I do register in the public DNS all machines which are allowed at one
time or another to establish any traffic with the outside. Everything
else should never have its address seen outside of the network and is
registered in the private DNS, which is a subset of the public one, and
also gives users access to the Internet zones.

Chris
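The "double reverse lookup" discussed in this thread (PTR lookup on the connecting address, then a direct lookup of the returned name, which must lead back to the same address), as an added example that is not part of the original post. The resolver is a plain callable fed with constructed zone data, so it runs offline; apart from the post's own missing-dot sample and its wildcard PTR, all names and addresses below are hypothetical.

```python
# Forward-confirmed reverse DNS ("double reverse lookup"), offline version.
from typing import Callable, Optional

Resolver = Callable[[str, str], list[str]]  # (owner name, rrtype) -> rdata list

def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for a dotted-quad IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def double_reverse(ip: str, resolve: Resolver) -> tuple[str, Optional[str]]:
    """Return (verdict, ptr_name); verdict is ok, no-ptr, bad-ptr or mismatch."""
    ptrs = resolve(reverse_name(ip), "PTR")
    if not ptrs:
        return "no-ptr", None
    name = ptrs[0]
    # A PTR target still ending in in-addr.arpa is the "missing trailing dot"
    # zone bug from the post: the zone origin was appended to the name.
    if name.lower().rstrip(".").endswith("in-addr.arpa"):
        return "bad-ptr", name
    # Direct (A) lookup of the claimed name must lead back to the same IP;
    # a PTR pointing at someone else's real name fails here.
    if ip in resolve(name, "A"):
        return "ok", name
    return "mismatch", name

# Constructed zone data (hypothetical, except the post's own two examples).
CONSTRUCTED = {
    ("25.100.214.134.in-addr.arpa.", "PTR"): ["grasp.insa-lyon.fr.214.134.in-addr.arpa."],
    ("1.0.0.10.in-addr.arpa.", "PTR"): ["host.example.net."],
    ("host.example.net.", "A"): ["10.0.0.1"],
    ("2.0.0.10.in-addr.arpa.", "PTR"): ["host.example.net."],  # PTR borrowed from another host
    ("*.0.0.10.in-addr.arpa.", "PTR"): ["unknown.dom.ain."],    # wildcard PTR from the post
}

def fake_resolve(name: str, rrtype: str) -> list[str]:
    """Exact owner first, then a wildcard on the first label (simplified DNS rules)."""
    if (name, rrtype) in CONSTRUCTED:
        return CONSTRUCTED[(name, rrtype)]
    parts = name.split(".", 1)
    if len(parts) < 2:
        return []
    return CONSTRUCTED.get(("*." + parts[1], rrtype), [])

if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "134.214.100.25", "192.0.2.7"):
        print(ip, *double_reverse(ip, fake_resolve))
```

Note that the wildcard `unknown.dom.ain.` answer passes a plain reverse lookup but fails the double lookup, since nothing resolves it back to the address; that is the trade-off between the two approaches in the thread.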

