Great Circle Associates Firewalls
(January 1994)
 


Subject: Re: schizophrenic dns
From: Tom Fitzgerald <fitz@wang.com>
Date: Mon, 24 Jan 94 20:46:48 EST
To: owen@netcom.com
Cc: firewalls@greatcircle.com
In-reply-to: <199401250052.QAA04024@asilomar.netcom.com>; from "owen@netcom.com" at Jan 24, 94 4:52 pm

> > -- You can use a wildcard MX, which lets mail be relayed to internal
> >    systems the moment the system is set up, instead of waiting for the
> >    zone transfers to occur to all the secondaries which need to know
> >    about it.  (I have mixed feelings about this one - if you make a tiny
> >    mistake and the wildcard MX infects the internal DNS, you're in deep
> >    trouble.)

> Actually, as long as the wildcard MX doesn't override the internal
> information, and the internal information is at a lower number (higher
> preference) in its MX records, it shouldn't affect things too much.

The problem with wildcard MXs is that they make operations succeed that
SHOULD fail.  If your sendmail tries to qualify all addresses in the local
domain before resolving them as global addresses, then the wildcard MX will
make addresses appear to be internal when they're really external.

Suppose the admin of two systems, a.cs.uni.edu and x.chem.uni.edu, wants to
let users send mail from each system to the other with the partially-qualified
addresses "user@a.cs" or "user@x.chem", without having to specify
uni.edu (since they're both in the same parent domain, after all).  He sets
up sendmail to resolve mailing addresses concatenated with parts of the
local domain, and use anything that finds a match in the DNS.  If the
concatenation fails, then it looks up the address as a global address, i.e.
"a.cs" would be resolved as a site in Czechoslovakia.  But if an MX for
"*.uni.edu" infects those systems, then mail to "user@dec.com" will be
successfully resolved as "dec.com.uni.edu", and the mail will almost
certainly wind up in a routing loop or bounced with "I refuse to talk to
myself."  People who remember the "*.edu.com" fiasco of last year (?) can
describe the damage a lot more vividly.

Unfortunately, using a lower preference for the wildcard doesn't help this;
what helps is a lot of careful work in the sendmail source and sendmail.cf
(plus abandoning the use of partially-qualified mail addresses).  This work
hasn't been done on most vendor-distributed sendmails, so unless you've
replaced everything with IDA or sendmail8, wildcard MXs can really tie your
mailers in knots.

-- 
Tom Fitzgerald   Wang Labs       fitz@wang.com
1-508-967-5278   Lowell MA, USA
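The failure mode Tom describes can be reproduced in a few lines. The following is an added toy model, not code from the original message or from sendmail: it stands in a constructed zone for the DNS, implements the "try the local domain parts first, then fall back to a global lookup" search order that the message attributes to the admin's sendmail configuration, and applies a simplified version of the RFC 1034 wildcard rule (a "*.X" record is used only when X is the closest existing ancestor of the looked-up name). The zone contents and the exchange names relay.uni.edu and mail.dec.com are assumptions chosen to mirror the scenario in the text.

```python
"""Toy model of a wildcard MX capturing partially-qualified mail addresses.

Constructed example (not from the original message). The zone data, the
exchange names and the qualification order are assumptions that mirror the
a.cs.uni.edu / x.chem.uni.edu / dec.com scenario described in the text.
"""

# Constructed zone data standing in for the DNS. Values are MX exchanges.
ZONE = {
    "a.cs.uni.edu.": ["a.cs.uni.edu."],
    "x.chem.uni.edu.": ["x.chem.uni.edu."],
    "dec.com.": ["mail.dec.com."],  # assumed exchange for the external site
}

# The same zone after someone adds the wildcard MX the message warns about.
ZONE_WITH_WILDCARD = {**ZONE, "*.uni.edu.": ["relay.uni.edu."]}


def zone_names(zone):
    """Every name that exists in the zone, including empty non-terminals such
    as cs.uni.edu (which exists because a.cs.uni.edu does)."""
    names = {"."}
    for owner in zone:
        labels = owner.rstrip(".").split(".")
        for i in range(len(labels)):
            names.add(".".join(labels[i:]) + ".")
    return names


def lookup_mx(zone, name):
    """Return the MX exchanges for `name`, or None if nothing matches.

    Simplified RFC 1034 wildcard matching: walk up the ancestors of `name`
    until one exists in the zone, then use "*.<that ancestor>" if present.
    A wildcard therefore never reaches below a name that already exists."""
    if name in zone:
        return zone[name]
    existing = zone_names(zone)
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        ancestor = ".".join(labels[i:]) + "."  # "." once we reach the root
        if ancestor in existing:
            return zone.get("*." + ancestor.lstrip("."))
    return None


def candidate_names(host, local_domain):
    """Names a sendmail that tries local qualification first would look up,
    in order: host + each trailing part of the local domain, then host alone
    (the global lookup)."""
    parts = local_domain.rstrip(".").split(".")
    candidates = [f"{host}.{'.'.join(parts[i:])}." for i in range(len(parts))]
    candidates.append(host + ".")
    return candidates


def resolve(zone, host, local_domain):
    """First candidate that yields an MX, as (qualified_name, exchanges)."""
    for candidate in candidate_names(host, local_domain):
        exchanges = lookup_mx(zone, candidate)
        if exchanges:
            return candidate, exchanges
    return None, None


def misqualified(zone, host, local_domain):
    """True when an address that has its own global MX is captured by local
    qualification instead: the routing-loop / "I refuse to talk to myself"
    situation from the message."""
    qualified, _ = resolve(zone, host, local_domain)
    global_name = host + "."
    return qualified is not None and qualified != global_name and global_name in zone


if __name__ == "__main__":
    for label, zone in (("without wildcard", ZONE),
                        ("with *.uni.edu MX", ZONE_WITH_WILDCARD)):
        print(f"--- {label} ---")
        for host in ("x.chem", "dec.com"):
            print(f"user@{host} sent from cs.uni.edu ->",
                  resolve(zone, host, "cs.uni.edu"))
```

Run as written, the "x.chem" lookup resolves to x.chem.uni.edu in both zones, while "dec.com" resolves to mail.dec.com without the wildcard and to dec.com.uni.edu (via relay.uni.edu) with it. Note that no MX preference value appears anywhere in the search: the damage is done by the name existing at all, which is why, as the message says, giving the wildcard a lower preference does not help.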

