Author: James P. Roberts
Date:
To: exim-users
CC: woods
Subject: Re: [Exim] Address rewriting vs. CNAME records?
> > TCP Wrappers does offer a double lookup test to make sure the DNS is
> > correct. See hosts_access(5) for PARANOID.
>
> ... and of course TCP Wrappers is just one of the more popular examples
> of a server or server wrapper that will do such checks. "rshd -a" and
> "rlogind -a" are others, and my own version of "fingerd -i" is yet
> another.
>
> DNS replies are so easy to spoof, and nameserver caches so easy to
> corrupt, that not checking for the consistency between PTRs and A
> records (when there are any PTRs) is just asking for trouble.
>
> --
> Greg A. Woods
Wow. Somehow, I am always blind-sided by the flame wars I manage to
trigger!
Anyway, Greg has said at least twice now, and he is correct, that there
is no security in DNS. So, I have to ask, what is the point of making
consistency checks at all, since a determined user can easily spoof to
get past your checks? All you manage with such "paranoia" (to borrow
the term already used) is to block legitimate traffic from people who
are TRYING to do all the right things, but are prevented or blocked by
ignorant ISPs who do not delegate IP blocks correctly. Unfortunately,
such ignorant ISPs are gaining control of large blocks of IP addresses,
and so the hope of having a matched pair of "A" and "PTR" for every host
(real or virtual) is simply a pipe-dream. As such, you are free to
choose to conduct such rigorous tests, and in doing so block legit
traffic, and "throw out the baby with the bathwater" if you like.
I draw attention now to Greg's last paragraph, above. "DNS replies are
so easy to spoof" followed by "not checking for the consistency between
PTRs and A records ... is just asking for trouble." So, apparently,
Greg believes that cross-checking easily spoofed data somehow increases
his security? Greg, please. I'm not the world's biggest security
expert, but even I can see the hole in that logic!
OK, all that said, I must point out that I do not use any versions of
rlogin or rsh or finger, because (I am told) they are inherently
insecure. I use only the more modern openssh-based tools instead. So I
am not too worried about it.
I apologize to the list for triggering this flame war. I did not mean
to. I only expressed advice that I had myself received (from the BIND 9
mailing list, if I recall correctly), and which has worked fine for me.
Finally, one last point about having a matching PTR for every A record.
This is abusive to bandwidth, not to mention a privacy issue, in the
sense that there is absolutely no valid reason for anyone to care how
many, and which, virtual hosts point to a specific machine, certainly
not for every single internet transaction! At most, I would expect, as
MBM said, you might need/want to verify IP ==> hostname ==> same IP.
But I remain unconvinced there is any value added in checking for
hostname ==> IP ==> same hostname. The world just isn't set up that
way, and it never will be. And, in fact, I think it should not be (for
the bandwidth and privacy reasons already mentioned).
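The two checks the thread argues about, as an added illustration that is not part of James's post or of Exim: `ip_first_check` is the IP ==> hostname ==> same IP test, and `name_first_check` is the hostname ==> IP ==> same hostname test. `FakeResolver`, the function names and the sample zone data are constructed for this example; a real deployment would replace the two lookup methods with PTR and A queries. The sample data includes a virtual host that shares an address but has no PTR, which is exactly the case where the name-first direction fails while the ip-first direction still passes.

```python
"""Forward-confirmed reverse DNS, both directions, over a constructed resolver.

Added example for this thread, not code from the post or from Exim.  The
resolver is an in-memory table (hypothetical FakeResolver) so it runs offline;
a real deployment would replace lookup_ptr/lookup_a with actual DNS queries.
Either direction is only a consistency check on data the resolver returned,
not authentication of the peer.
"""
from dataclasses import dataclass, field
from typing import Dict, List


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without a trailing dot."""
    return name.lower().rstrip(".")


@dataclass
class FakeResolver:
    """Constructed stand-in for a resolver: ip -> PTR names, name -> A records."""
    ptr: Dict[str, List[str]] = field(default_factory=dict)
    a: Dict[str, List[str]] = field(default_factory=dict)

    def lookup_ptr(self, ip: str) -> List[str]:
        return [_norm(n) for n in self.ptr.get(ip, [])]

    def lookup_a(self, name: str) -> List[str]:
        return list(self.a.get(_norm(name), []))


def ip_first_check(resolver: FakeResolver, ip: str) -> dict:
    """IP -> PTR -> A -> same IP (the direction the post accepts as reasonable).

    status is 'no_ptr' when there is nothing to cross-check, 'confirmed' when
    at least one PTR name resolves back to ip, otherwise 'mismatch'.
    """
    names = resolver.lookup_ptr(ip)
    confirmed = [n for n in names if ip in resolver.lookup_a(n)]
    if not names:
        status = "no_ptr"
    elif confirmed:
        status = "confirmed"
    else:
        status = "mismatch"
    return {"status": status, "ptr_names": names, "confirmed_names": confirmed}


def name_first_check(resolver: FakeResolver, name: str) -> dict:
    """hostname -> A -> PTR -> same hostname (the direction the post disputes).

    Every virtual host sharing an address would need its own PTR for this to
    pass, so it fails for vhost names that only have A records.
    """
    name = _norm(name)
    ips = resolver.lookup_a(name)
    confirmed = [ip for ip in ips if name in resolver.lookup_ptr(ip)]
    if not ips:
        status = "no_a"
    elif confirmed:
        status = "confirmed"
    else:
        status = "mismatch"
    return {"status": status, "ips": ips, "confirmed_ips": confirmed}


# Constructed sample zone data using RFC 5737 documentation ranges and example domains.
SAMPLE_RESOLVER = FakeResolver(
    ptr={
        "192.0.2.10": ["mail.example.net."],   # PTR agrees with its A record
        "192.0.2.20": ["host.example.com"],    # stale PTR: the A record now points elsewhere
        # 192.0.2.30 deliberately has no PTR at all
    },
    a={
        "mail.example.net": ["192.0.2.10"],
        "www.example.org": ["192.0.2.10"],     # virtual host on the same address, no PTR
        "host.example.com": ["203.0.113.5"],
    },
)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, ip_first_check(SAMPLE_RESOLVER, ip)["status"])
    for name in ("mail.example.net", "www.example.org"):
        print(name, name_first_check(SAMPLE_RESOLVER, name)["status"])
```

Running it shows 192.0.2.10 confirmed, 192.0.2.20 mismatched and 192.0.2.30 with no PTR in the ip-first direction, while in the name-first direction mail.example.net is confirmed and www.example.org mismatches solely because it is a virtual host without its own PTR. A policy built on the ip-first result can treat `no_ptr` and `mismatch` differently (for example, log rather than reject), which is where the "block legitimate traffic" concern in the thread is decided.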