On Fri, 01 Mar 2002 11:22:54 +0800, Mathias Koerber <mathias@koerber.org> said:
You mean don't run reverse DNS? Having good reverse DNS is a requirement to allow things like tcp-wrappers to work with domainnames rather than just IP addresses.
Using domain names with tcp-wrappers has some hidden considerations that 95% of the people don't think through...

If you are getting a connection from an IP/name you *would* let in, but the PTR entry fails on a timeout or whatever, you're rejecting a legitimate connection. Depending on your paranoia level, this may be acceptable.

If you allow in based on DNS name, you may accept a connection that you should have rejected. The usual causes of this are DNS cache poisoning and related attacks - and of course, these are most likely to happen in conjunction with an attempted illegitimate connection.

It's probably an OK thing to do *IF* you realize that the DNS can be lied to, and the connection has to pass OTHER authentication as well (for instance, if you only accept SSH connections from "your-OK.yourdomain.com", but still require a valid 'publickey' authentication or similar before actually allowing it in).

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
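The two failure modes described in the reply above (a legitimate client locked out by a PTR timeout, and an attacker let in by a lied-to reverse zone), as an added example that is not part of the original thread. It contrasts a naive PTR-only check with the forward-confirmed check that tcp-wrappers performs (the name returned by the PTR must resolve back to the connecting address, or the client is treated as PARANOID and refused). The resolver, the zone data, the hostnames and the addresses are all constructed here so the script runs offline; the `SocketResolver` class at the end shows the equivalent calls against the real system resolver and is not exercised by the sample run.

```python
"""Hostname-based access control in the style of tcp-wrappers.

Added example, not code from the original post. The resolver and all
records below are constructed for illustration.
"""
import socket
from dataclasses import dataclass, field


class DnsTimeout(Exception):
    """Stands in for a PTR lookup that times out or returns SERVFAIL."""


@dataclass
class FakeResolver:
    """Constructed reverse (PTR) and forward (A) zones.

    The reverse zone for an attacker's address is under the attacker's
    control, so it can claim any name; the forward zone for yourdomain.com
    is not, which is what forward confirmation relies on."""
    ptr: dict                       # ip -> hostname
    a: dict                         # hostname -> list of ips
    dead_ips: set = field(default_factory=set)  # PTR lookups that time out

    def reverse(self, ip):
        if ip in self.dead_ips:
            raise DnsTimeout(ip)
        return self.ptr.get(ip)     # None stands for NXDOMAIN

    def forward(self, name):
        return self.a.get(name, [])


def check_naive(resolver, ip, allowed_names):
    """PTR-only check: trusts whatever the reverse zone says."""
    try:
        name = resolver.reverse(ip)
    except DnsTimeout:
        return False, "reject: PTR lookup failed (legitimate client locked out)"
    if name is None:
        return False, "reject: no PTR record"
    if name in allowed_names:
        return True, f"allow: PTR says {name}"
    return False, f"reject: {name} is not on the allow list"


def check_paranoid(resolver, ip, allowed_names):
    """Forward-confirmed reverse DNS, as tcp-wrappers does: the name from
    the PTR must resolve back to the connecting address."""
    try:
        name = resolver.reverse(ip)
    except DnsTimeout:
        return False, "reject: PTR lookup failed (legitimate client locked out)"
    if name is None:
        return False, "reject: no PTR record"
    if ip not in resolver.forward(name):
        return False, f"reject: PARANOID, {name} does not resolve back to {ip}"
    if name in allowed_names:
        return True, f"allow: {name} confirmed by forward lookup"
    return False, f"reject: {name} is not on the allow list"


class SocketResolver:
    """Same interface against the real system resolver (not used below)."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except socket.herror:
            return None
        except OSError as exc:           # includes timeouts from the stub resolver
            raise DnsTimeout(ip) from exc

    def forward(self, name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []


# Constructed sample data: one genuine trusted host, one trusted host whose
# reverse zone is unreachable, and one attacker whose PTR claims the trusted name.
TRUSTED = "your-OK.yourdomain.com"
ALLOWED = {TRUSTED}
RESOLVER = FakeResolver(
    ptr={
        "192.0.2.10": TRUSTED,      # genuine
        "192.0.2.11": TRUSTED,      # genuine, but its PTR lookup times out
        "198.51.100.7": TRUSTED,    # attacker-controlled reverse zone lies
    },
    a={TRUSTED: ["192.0.2.10", "192.0.2.11"]},
    dead_ips={"192.0.2.11"},
)


def run_sample():
    """Return {ip: (naive_decision, paranoid_decision)} for the sample data."""
    return {ip: (check_naive(RESOLVER, ip, ALLOWED)[0],
                 check_paranoid(RESOLVER, ip, ALLOWED)[0])
            for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7")}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7"):
        print(ip, "naive:", check_naive(RESOLVER, ip, ALLOWED)[1])
        print(ip, "paranoid:", check_paranoid(RESOLVER, ip, ALLOWED)[1])
```

The forward-confirmed check stops the cheap attack (the attacker only controls their own reverse zone) but not a poisoning of the cache that serves both the PTR and the A record, and it still fails closed on the timeout case, which is the point of the reply: treat the hostname as a coarse filter and keep a real authentication step (such as SSH publickey) behind it.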