[ On Friday, February 7, 2003 at 18:28:57 (-0500), James P. Roberts wrote: ]
> Subject: Re: [Exim] Address rewriting vs. CNAME records?
>
> Wow. Somehow, I am always blind-sided by the flame wars I manage to
> trigger!
Perhaps next time you'll do some proper research into the topic at hand
before you go about repeating bad advice! ;-)
> Anyway, Greg has said at least twice now, and he is correct, that there
> is no security in DNS. So, I have to ask, what is the point of making
> consistency checks at all, since a determined user can easily spoof to
> get past your checks?
Forward and reverse DNS checks are the best we can do with the DNS
protocols deployed today. Doing those checks raises the bar and makes
it so that only a really determined person can spoof hostnames, not just
about any script kiddie sitting on the curb on the corner with a
borrowed wireless connection.
Why do you think these checks were included in TCP Wrappers?
Perhaps _you_ don't care about the hostnames recorded in mailer logs and
in the received headers generated by your mailer, but you are not
everyone, and perhaps not even in the majority on this issue. Lots of
people definitely do put a great deal of trust in the hostnames in their
e-mail headers, even if they haven't got the slightest clue how to
really evaluate that trust in context. For example just yesterday I
heard a story about some poor ignorant IT manager, who is despite his
ignorance is in charge of the rather large IT department of a rather
large and very publicly visible government organisation in these parts,
and who was not even aware that outsiders could send e-mail to his
co-workers as if it had come from him (i.e. with his mailbox in the
"From:" header).
> All you manage with such "paranoia" (to borrow
> the term already used) is to block legitimate traffic from people who
> are TRYING to do all the right things, but are prevented or blocked by
> ignorant ISPs who do not delegate IP blocks correctly.
Indeed. Such checks do help reveal serious configuration errors sooner
rather than later, errors which could easily lead to much more damaging
problems down the road. It's often the case that one error will lead to
another, and in this particular case it's easy to come up with scenarios
where the resulting confusion could actually end up blocking all e-mail
for a domain regardless of who does what checks; or even routing it to
the wrong servers. The sooner someone reveals these problems and
encourages their correction, the better.
Meanwhile these ignorant ISPs you speak of really do not hold a monopoly
on the market, nor are they always so impossible to deal with as you
suggest. Worse are the users who get in such a hurry that they don't
bother to think about the implications of not doing things right the
first time around.
> I draw attention now to Greg's last paragraph, above. "DNS replies are
> so easy to spoof" followed by "not checking for the consistency between
> PTRs and A records ... is just asking for trouble." So, apparently,
> Greg believe that cross-checking easily spoofed data somehow increases
> his security? Greg, please. I'm not the world's biggest security
> expert, but even I can see the hole in that logic!
It's easy to spoof one reply, or corrupt one zone in a cache. It seems
to be a lot harder to co-ordinate a spoof of two inter-related zones
though, especially if they're delegated to separate sets of nameservers,
but even if they're not.
Perhaps you should look into the origins for these consistency checks.
If I remember correctly it was Steve Bellovin who originally proposed
them in a paper about rsh security and you will find some discussion of
the background theory in the firewalls book he co-authored with Bill
Cheswick.
> OK, all that said, I must point out that I do not use any versions of
> rlogin or rsh or finger, because (I am told) they are inherently
> insecure. I use only the more modern openssh-based tools instead. So I
> am not too worried about it.
We're talking about different kinds of security here -- and we're also
talking about SMTP here. Do you understand how you would audit the path
an e-mail traversed using only the headers in the message and the mailer
logs from the machines it passed through? Are you sure you could even
begin to have any certainty of where a message came from if you did
_not_ have access to the logs of one of the mailers in the path? As
more and more true neophytes use e-mail for ever more important purposes
without proper end-to-end message security, such auditing issues are
becoming increasingly important. Without some effort at validating the
correctness of hostnames used in headers and logs there's no hope you
can follow these trails.
> Finally, one last point about having a matching PTR for every A record.
> This is abusive to bandwidth, not to mention a privacy issue, in the
> sense that there is absolutely no valid reason for anyone to care how
> many, and which, virtual hosts point to a specific machine, certainly
> not for every single internet transaction!
You'd better think a bit longer and harder about that -- your conclusion
is bogus as it does not follow in the slightest.
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@???>; <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>
