My mailer thinks Peter da Silva said:
>
> Does turning off "deny hosts unknown" really reduce security that much?
>
> You shouldn't have any rules that depend on DNS, right?
>
> Right?
They do not depend on DNS - if DNS fails the host shows up as unknown
and they don't get in. Right?
I use IP addresses only in netperm-table. If the reverse lookup fails
either the host attempting access is not in DNS and therefore I do not
want them using the service, or DNS failed and since I can't "verify"
the IP address, access is again denied. Note that the lookups are
performed on an internal DNS (unless someone has changed resolv.conf :-).
I also have one line in netperm-table per host so having the "unknown"
line is overkill I guess. It does, however, in a perverse kind of way,
let me know if DNS is playing up - someone who used to be able to get out
now can't -> DNS broken :-)
If you have a wildcard like "permit hosts *" then the "unknown" line
adds security.
Am I talking rubbish?
Colin
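To make the rule-ordering argument above concrete, here is a small stand-in model of netperm-table host matching. It is an added illustration, not FWTK's own code: the `permit-hosts`/`deny-hosts` syntax, first-match-wins evaluation, deny-by-default when nothing matches, and the treatment of `unknown` (reverse lookup missing, or not confirmed by the forward lookup) are modelled as assumed here, and the DNS data and addresses are constructed. It shows the three cases in the thread: a per-host table with addresses only, where a DNS outage turns into denials because the `unknown` line fires first; the same table without the `unknown` line, where the address rule still matches when DNS is down; and `permit-hosts *`, where a host with a bad or missing reverse record walks in unless `deny-hosts unknown` precedes it.

```python
"""Stand-in model of FWTK netperm-table host matching (added example, not FWTK code)."""
from fnmatch import fnmatchcase

# Constructed DNS data standing in for the internal resolver (assumption).
REVERSE = {  # PTR records: address -> name
    "10.1.2.3": "alice.internal.example",
    "10.1.2.4": "bob.internal.example",
    "10.9.9.9": "spoof.attacker.example",  # PTR names a host that does not point back
}
FORWARD = {  # A records: name -> addresses
    "alice.internal.example": {"10.1.2.3"},
    "bob.internal.example": {"10.1.2.4"},
    "spoof.attacker.example": {"203.0.113.7"},
}


def resolve(ip, dns_up=True):
    """Double-reverse lookup: PTR, then confirm with A. Anything that fails is 'unknown'."""
    if not dns_up:
        return "unknown"  # resolver unreachable: every host looks unknown
    name = REVERSE.get(ip)
    if name is None or ip not in FORWARD.get(name, set()):
        return "unknown"
    return name


def parse_rules(table, service="tn-gw"):
    """Turn permit-hosts/deny-hosts lines for one service into (action, pattern) pairs, in order."""
    rules = []
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        svc, _, body = line.partition(":")
        tokens = body.split()
        if svc.strip() != service or not tokens:
            continue
        action = {"permit-hosts": "permit", "deny-hosts": "deny"}.get(tokens[0])
        if action is None:
            continue
        rules.extend((action, pat) for pat in tokens[1:])
    return rules


def pattern_matches(pattern, ip, name):
    """'unknown' matches only unresolved hosts; '*' matches everything, resolved or not;
    numeric patterns match the address; other patterns match the resolved name."""
    if pattern == "unknown":
        return name == "unknown"
    if pattern == "*":
        return True
    if all(c.isdigit() or c in ".*" for c in pattern):
        return fnmatchcase(ip, pattern)
    return name != "unknown" and fnmatchcase(name.lower(), pattern.lower())


def decide(table, ip, dns_up=True, service="tn-gw"):
    """First matching rule wins; no matching rule means deny (assumed ordering semantics)."""
    name = resolve(ip, dns_up)
    for action, pattern in parse_rules(table, service):
        if pattern_matches(pattern, ip, name):
            return action
    return "deny"


# Constructed tables for the three situations discussed in the thread.
COLIN_TABLE = """
tn-gw: deny-hosts unknown
tn-gw: permit-hosts 10.1.2.3      # one line per host, addresses only
tn-gw: permit-hosts 10.1.2.4
"""
NO_UNKNOWN_TABLE = """
tn-gw: permit-hosts 10.1.2.3
tn-gw: permit-hosts 10.1.2.4
"""
WILDCARD_TABLE = "tn-gw: permit-hosts *\n"
WILDCARD_PLUS_UNKNOWN = "tn-gw: deny-hosts unknown\ntn-gw: permit-hosts *\n"

if __name__ == "__main__":
    for label, table, ip, up in [
        ("per-host, DNS up", COLIN_TABLE, "10.1.2.3", True),
        ("per-host, DNS down", COLIN_TABLE, "10.1.2.3", False),
        ("per-host without unknown line, DNS down", NO_UNKNOWN_TABLE, "10.1.2.3", False),
        ("wildcard only, bad PTR", WILDCARD_TABLE, "10.9.9.9", True),
        ("wildcard + unknown, bad PTR", WILDCARD_PLUS_UNKNOWN, "10.9.9.9", True),
        ("wildcard only, no PTR at all", WILDCARD_TABLE, "192.0.2.55", True),
    ]:
        print(f"{label:42s} {ip:12s} -> {decide(table, ip, up)}")
```

The model deliberately lets an address pattern match whether or not the reverse lookup succeeded, which is why the `unknown` line is what turns a resolver outage into a visible denial rather than a silent pass.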