ATTBI refuses to do reverse DNS?
A client of mine just discovered that he could no longer do ftp transfers to my machine. His IP address had changed to one in 12.240.20 and there is no reverse DNS for that block. His previous assignment was in a totally different block which did have reverse DNS. Calls to ATTBI got the answer that they are not obligated to provide reverse DNS and have no plans to do so. My servers refuse connections when there is no reverse lookup. Is this common? -- I suppose I could set up a bogus reverse for him, but, feh... -=[L]=-
--On Tuesday, June 18, 2002 11:30 AM -0700 Lou Katz <lou@metron.com> wrote:
A client of mine just discovered that he could no longer do ftp transfers to my machine. His IP address had changed to one in 12.240.20 and there is no reverse DNS for that block. His previous assignment was in a totally different block which did have reverse DNS. Calls to ATTBI got the answer that they are not obligated to provide reverse DNS and have no plans to do so. My servers refuse connections when there is no reverse lookup.
Is this common?
yes, i've had similar problems with cox both when i had cox@work business service, and now that i have cox@home residential service. this feeds right into the thread that branched off my post about "network diameter" in which people are talking about "clue factor". these networks spring up overnight, built by people who are missing some of the fundamental knowledge about how all this "stuff" works. and we're stuck with it as end users. -b
At 02:30 PM 6/18/02, Lou Katz wrote:
A client of mine just discovered that he could no longer do ftp transfers to my machine. His IP address had changed to one in 12.240.20 and there is no reverse DNS for that block. His previous assignment was in a totally different block which did have reverse DNS. Calls to ATTBI got the answer that they are not obligated to provide reverse DNS and have no plans to do so. My servers refuse connections when there is no reverse lookup.
Your server is using this INADDR lookup for what purpose? Security? INADDR is a really good idea for network operators to be using, and a really BAD idea for server operators to use as a security mechanism. Fix your server to be less anal. read draft-ietf-dnsop-inaddr-required-03.txt from your favorite Internet Drafts archive for additional information on this subject.
Is this common?
I have a CDPD card which has a fixed address. It's from Verizon Wireless. There's no INADDR. There seems to be a lack of understanding and clue all around on INADDR, which is the motivation for the above-mentioned draft. Having something to point network operators and server operators to would, IMO, help.
-- I suppose I could set up a bogus reverse for him, but, feh...
Either you set up something, or you can make your server not care about reverse, or lose the customer. ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
[ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
Subject: Re: ATTBI refuses to do reverse DNS?
INADDR is a really good idea for network operators to be using, and a really BAD idea for server operators to use as a security mechanism. Fix your server to be less anal.
Excuse me? It's _still_ all the security an Internet DNS client has! When a hostname is important, for whatever reasons, an application MUST confirm the consistency of forward and reverse DNS.
read draft-ietf-dnsop-inaddr-required-03.txt from your favorite Internet Drafts archive for additional information on this subject.
According to my reading everything in _your_ draft strongly suggests that IN-ADDR records be fully and properly populated, despite at the same time warning that applications should not "rely" on consistency checks of the forward and reverse DNS as a security check. Unfortunately this most recent revision of your draft contains a significant and "dangerous" flaw -- it confuses application security checks with DNS consistency checks. Indeed applications should not use the DNS for authentication or for authorisation. However if any trust is put in the hostname used by a client, for any purpose whatsoever, (for audit logs, etc.) then full consistency checks of the DNS for that hostname _MUST_ be done! DNS spoofing, even just by accident, is just too easy and too common (and yes, it really does happen by accident by way of cache pollution, still in this day and age!). -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
On Tue, 18 Jun 2002 15:54:13 -0400 (EDT), Greg A. Woods wrote:
[ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
Subject: Re: ATTBI refuses to do reverse DNS?
INADDR is a really good idea for network operators to be using, and a really BAD idea for server operators to use as a security mechanism. Fix your server to be less anal.
Excuse me? It's _still_ all the security an Internet DNS client has!
When a hostname is important, for whatever reasons, an application MUST confirm the consistency of forward and reverse DNS.
Absolutely. If you can't confirm the hostname forwards and backwards, don't trust it at all. If you can confirm it both ways, you can put some small amount of trust in it. But the difference between the value in these two cases is very small.
Unfortunately this most recent revision of your draft contains a significant and "dangerous" flaw -- it confuses application security checks with DNS consistency checks. Indeed applications should not use the DNS for authentication or for authorisation. However if any trust is put in the hostname used by a client, for any purpose whatsoever, (for audit logs, etc.) then full consistency checks of the DNS for that hostname _MUST_ be done! DNS spoofing, even just by accident, is just too easy and too common (and yes, it really does happen by accident by way of cache pollution, still in this day and age!).
So if you can't confirm the hostname, don't trust it. Since you can't trust it even if you can confirm it, it doesn't make much difference. If you need the maximum security DNS can possibly give you, keep the IP, time, hostname, and results of reverse DNS. DS
In the referenced message, Daniel Senie said:
At 02:30 PM 6/18/02, Lou Katz wrote:
<snip>
Is this common?
I have a CDPD card which has a fixed address. It's from Verizon Wireless. There's no INADDR. There seems to be a lack of understanding and clue all around on INADDR, which is the motivation for the above-mentioned draft. Having something to point network operators and server operators to would, IMO, help.
The lack of clue tends to be on the providing in-addr side of things. I think it is a great thing to refuse connections from ips without in-addr, in the same way it is great to refuse mail from domains that don't provide postmaster addresses. It is a means through which one can influence the laziness of others. Simply disregarding what others do, only legitimizes the laziness, and continues us along the road of everyone doing the absolute minimum. Simply accepting the connections seems to be a "path of least resistance" which befits a pointy-hair more than an engineer.
-- I suppose I could set up a bogus reverse for him, but, feh...
Either you set up something, or you can make your server not care about reverse, or lose the customer.
You neglect to include the option of the customer changing to an ISP that provides in-addr.
At 05:29 PM 6/18/02, Stephen Griffin wrote:
In the referenced message, Daniel Senie said:
At 02:30 PM 6/18/02, Lou Katz wrote:
<snip>
Is this common?
I have a CDPD card which has a fixed address. It's from Verizon Wireless. There's no INADDR. There seems to be a lack of understanding and clue all around on INADDR, which is the motivation for the above-mentioned draft. Having something to point network operators and server operators to would, IMO, help.
The lack of clue tends to be on the providing in-addr side of things. I think it is a great thing to refuse connections from ips without in-addr, in the same way it is great to refuse mail from domains that don't provide postmaster addresses.
It is a means through which one can influence the laziness of others. Simply disregarding what others do, only legitimizes the laziness, and continues us along the road of everyone doing the absolute minimum.
While I believe people SHOULD be providing INADDR service, the people hurt by refusing connections are rarely the ones who have any influence. Just as Network Address Translation is not a security solution, neither is checking INADDR. Now if you check INADDR over Secure DNS, you might start having some level of information to trust.
Simply accepting the connections seems to be a "path of least resistance" which befits a pointy-hair more than an engineer.
Well, this engineer also has customers to take care of. Those customers cannot easily influence ATT Broadband or ATT Wireless to do things "right". So, I choose to keep having customers rather than closing down my business over others not having INADDR.
-- I suppose I could set up a bogus reverse for him, but, feh...
Either you set up something, or you can make your server not care about reverse, or lose the customer.
You neglect to include the option of the customer changing to an ISP that provides in-addr.
Please explain how a customer changes to another broadband vendor, or another CDPD vendor. Despite your company's presence in a limited number of markets, there are MANY people out there with only one choice (if they're lucky) for broadband. I'd be more likely to lose a customer than get them to change ISPs. ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
[ On Tuesday, June 18, 2002 at 17:47:10 (-0400), Daniel Senie wrote: ]
Subject: Re: ATTBI refuses to do reverse DNS?
While I believe people SHOULD be providing INADDR service, the people hurt by refusing connections are rarely the ones who have any influence.
On the contrary! The people who are supposedly hurt here are those who ultimately have the most influence. In the end they can vote with their wallets even if they can't edit the appropriate zone files directly. (And the whole idea behind DNS trust really revolves around having two different parties agree on the mapping, not in simply allowing the user to edit their own reverse DNS!)
Just as Network Address Translation is not a security solution, neither is checking INADDR.
I don't think anyone has said that DNS consistency is a security solution. You keep confusing these concepts I think. It's only one tiny part of the picture. Fully consistent DNS only increases the level of trust you can have in the hostnames used. Since hostnames are supposed to be more stable than IP addresses, you _want_ to have more trust in the hostnames, but with current protocols you cannot unless there is full consistency between forward and reverse lookups.
Now if you check INADDR over Secure DNS, you might start having some level of information to trust.
We can only hope, but I'll believe it when I see it. -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
If the people who "vote with their wallets" here are the ATTBI customers, don't forget that if you're not served by DSL, cable broadband is really the only good option for broadband access (I'm not counting satellite, with >1s ping times, or wireless, which is still in its infancy as a residential solution). And rarely will you find a home anywhere in the US served by more than one cable company. Makes it kinda kard to vote with your wallet when the vendor has de facto monopoly power. -C
The people who are supposedly hurt here are those who ultimately have the most influence. In the end they can vote with their wallets even if they can't edit the appropriate zone files directly. (And the whole idea behind DNS trust really revolves around having two different parties agree on the mapping, not in simply allowing the user to edit their own reverse DNS!)
Just as Network Address Translation is not a security solution, neither is checking INADDR.
I don't think anyone has said that DNS consistency is a security solution. You keep confusing these concepts I think. It's only one tiny part of the picture. Fully consistent DNS only increases the level of trust you can have in the hostnames used. Since hostnames are supposed to be more stable than IP addresses, you _want_ to have more trust in the hostnames, but with current protocols you cannot unless there is full consistency between forward and reverse lookups.
Now if you check INADDR over Secure DNS, you might start having some level of information to trust.
We can only hope, but I'll believe it when I see it.
-- Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
[ On Wednesday, June 19, 2002 at 10:38:13 (-0400), Chris Woodfield wrote: ]
Subject: Re: ATTBI refuses to do reverse DNS?
If the people who "vote with their wallets" here are the ATTBI customers, don't forget that if you're not served by DSL, cable broadband is really the only good option for broadband access (I'm not counting satellite, with >1s ping times, or wireless, which is still in its infancy as a residential solution).
Sounds like an opportunity for some competing provider if you ask me, though as you say:
And rarely will you find a home anywhere in the US served by more than one cable company.
Was there not once upon a time there was a proposal to require cable-cos to provide what would effectively be layer-2 service to any IP provider? I think that requirement still stands in Canada, but until newer standards-compliant cable modems become more common it's "hard" to do and so nobody's doing it yet (and there is some whining on both sides). -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
On Wed, 19 Jun 2002, Greg A. Woods wrote:
I think that requirement still stands in Canada, but until newer standards-compliant cable modems become more common it's "hard" to do and so nobody's doing it yet (and there is some whining on both sides).
Our local cable provider pitched an MPLS-based VPN service to us yesterday. Basicly, they would group, by the MAC of the DOCSIS-compliant cable modem, our remote users into a common Layer-2 bucket and tunnel them directly to us, where we would handle DHCP handouts for the PCs and routing. Of course, they then told it it was probably a year away and our interest sagged significantly.
Time Warner agreed to do so as a condition of the AOL merger. Most other cable companies are fighting this tooth and nail, and winning (see AT&T in Portland, Oregon). -C
Was there not once upon a time there was a proposal to require cable-cos to provide what would effectively be layer-2 service to any IP provider?
I think that requirement still stands in Canada, but until newer standards-compliant cable modems become more common it's "hard" to do and so nobody's doing it yet (and there is some whining on both sides).
-- Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
At 04:32 PM 6/19/02, Chris Woodfield wrote:
Time Warner agreed to do so as a condition of the AOL merger. Most other cable companies are fighting this tooth and nail, and winning (see AT&T in Portland, Oregon).
And in doing it, so far they seem to only be allowing the likes of Earthlink, not smaller providers. If anyone's got news to the contrary, I'd sure like to hear it.
-C
Was there not once upon a time there was a proposal to require cable-cos to provide what would effectively be layer-2 service to any IP provider?
I think that requirement still stands in Canada, but until newer standards-compliant cable modems become more common it's "hard" to do and so nobody's doing it yet (and there is some whining on both sides).
-- Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
At 04:32 PM 6/19/02, Chris Woodfield wrote:
Time Warner agreed to do so as a condition of the AOL merger. Most other cable companies are fighting this tooth and nail, and winning (see AT&T in Portland, Oregon).
And in doing it, so far they seem to only be allowing the likes of Earthlink, not smaller providers. If anyone's got news to the contrary, I'd sure like to hear it.
AOL/TW has authorized a smaller ISP (around 20,000 subscribers) in our area (central Wisconsin) to offer service over their cable network. Last I heard they were planning on a September start date.
-C
Was there not once upon a time there was a proposal to require cable-cos to provide what would effectively be layer-2 service to any IP provider?
I think that requirement still stands in Canada, but until newer standards-compliant cable modems become more common it's "hard" to do and so nobody's doing it yet (and there is some whining on both sides).
-- Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
-- Frank P. Tower NorthNet, LLC. Managing Director phone: 920.233.5641 email: frankt@northnet.net web: www.northnet.net
-----Original Message----- From: Chris Woodfield
If the people who "vote with their wallets" here are the ATTBI customers, don't forget that if you're not served by DSL, cable broadband is really the only good option for broadband access (I'm not counting satellite, with >1s
I couldn't resist jumping in here.... <lame_cable_customer> Why should I spend more money on DSL when 1.5M/300K Cable access is just $39/month? As an end user, surfing the web and using kazza, show me the value in paying more for rDNS. </lame_cable_customer> :) -Jim P. ping
times, or wireless, which is still in its infancy as a residential solution). And rarely will you find a home anywhere in the US served by more than one cable company.
In the referenced message, Daniel Senie said:
At 05:29 PM 6/18/02, Stephen Griffin wrote:
The lack of clue tends to be on the providing in-addr side of things. I think it is a great thing to refuse connections from ips without in-addr, in the same way it is great to refuse mail from domains that don't provide postmaster addresses.
It is a means through which one can influence the laziness of others. Simply disregarding what others do, only legitimizes the laziness, and continues us along the road of everyone doing the absolute minimum.
While I believe people SHOULD be providing INADDR service, the people hurt by refusing connections are rarely the ones who have any influence. Just as Network Address Translation is not a security solution, neither is checking INADDR. Now if you check INADDR over Secure DNS, you might start having some level of information to trust.
Who said anything about security? Some level of security may be a nice side-effect, but I wouldn't rely solely on ip addresses or dns for security. When used in conjunction with other things, it can certainly be just another tool in the bag to further weed out the chaff. Not something which provides proof-positive of good, but something that provies proof-positive of bad.
Simply accepting the connections seems to be a "path of least resistance" which befits a pointy-hair more than an engineer.
Well, this engineer also has customers to take care of. Those customers cannot easily influence ATT Broadband or ATT Wireless to do things "right". So, I choose to keep having customers rather than closing down my business over others not having INADDR.
Who, other than ATT themselves, has an easier time influencing ATT, than ATT customers? Do you: 1) Filter out RFC1918 addressed packets at your borders? 2) Filter long prefixes at your borders? 2a) Filter prefixes longer than RiR allocation boundaries? 3) Filter reserved, RFC1918, etc prefixes at your borders? 4) Perform RPF facing your customers? 5) Reject mail from open relays? 6) Reject mail from domains lacking postmaster/abuse role accounts? Any of these things is likely to make you lose a statistically low percentage of your customer-base. All of them are good for everyone in the long-run. The only one that is questionable is #6, but only because few people reject based upon this criteria. As the number increases, the overall clue gets dispersed, and the unfortunate collateral damage is reduced. An engineer would likely be looking to implement at least some of them. Someone who isn't interested in implementing any of them, I have a tough time considering to be an engineer. At least not in the idealogical sense. They would seem more to be a pointy-hair seeking to maximize short-term gains at any cost. At what point _do_ you draw a line in the sand and stop accepting the continual degradation in quality? Or should we resign ourselves to the Microsoft Mission, with ubiquitous crap that no one is willing to sacrifice for quality?
You neglect to include the option of the customer changing to an ISP that provides in-addr.
Please explain how a customer changes to another broadband vendor, or another CDPD vendor. Despite your company's presence in a limited number of markets, there are MANY people out there with only one choice (if they're lucky) for broadband. I'd be more likely to lose a customer than get them to change ISPs.
I would guess it would start with them looking at the businesses which provide service in their area. If all they want is the lowest cost provider, I would ponder the following: Cheap, Fast, Good, pick any two. There certainly are alternatives to Cheap, Fast, !Good providers. They may just be Cheap, !Fast, Good, or !Cheap, Fast, Good.
Thus spake "Stephen Griffin" <stephen.griffin@rcn.com>
The lack of clue tends to be on the providing in-addr side of things. I think it is a great thing to refuse connections from ips without in-addr, in the same way it is great to refuse mail from domains that don't provide postmaster addresses.
On first reading, I thought that was sarcasm. Now I realize you're serious.
It is a means through which one can influence the laziness of others. Simply disregarding what others do, only legitimizes the laziness, and continues us along the road of everyone doing the absolute minimum. ... You neglect to include the option of the customer changing to an ISP that provides in-addr.
So, if you ran Amazon.com, you wouldn't accept money from customers of clueless ISPs? Sadly, even that level of coercion wouldn't be anywhere near enough to motivate most ISPs. And your (non-)customers will be caught in the crossfire. S
On Tue, Jun 18, 2002 at 04:54:54PM -0500, Stephen Sprunk wrote:
Thus spake "Stephen Griffin" <stephen.griffin@rcn.com>
The lack of clue tends to be on the providing in-addr side of things. I think it is a great thing to refuse connections from ips without in-addr, in the same way it is great to refuse mail from domains that don't provide postmaster addresses.
On first reading, I thought that was sarcasm. Now I realize you're serious.
I've found that filtering out mail from people that have no reverse dns tends to typically point to a) open-relays, b) spam, c) lack of working abuse/postmaster.
It is a means through which one can influence the laziness of others. Simply disregarding what others do, only legitimizes the laziness, and continues us along the road of everyone doing the absolute minimum. ... You neglect to include the option of the customer changing to an ISP that provides in-addr.
So, if you ran Amazon.com, you wouldn't accept money from customers of clueless ISPs?
You can't do it on the store side, but you can do it on the residental customer side, or at least give those messages a higher level of attention in any overall spam score for a message.
Sadly, even that level of coercion wouldn't be anywhere near enough to motivate most ISPs. And your (non-)customers will be caught in the crossfire.
Anyone that sends e-mail to me from a host/server with no reverse dns I will not see. It is not rejected w/ 400/500 series code as I know some people do. it goes to it's own 'spam' folder. I have found that some companies (american express) for example can not seem to make their systems have reverse dns, and they suffer from the lack of a working postmaster/hostmaster address too. It just means i read that folder once every few days and periodically send e-mail to people i know that have hit the filter or other legit folks. - jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
[ On Tuesday, June 18, 2002 at 16:54:54 (-0500), Stephen Sprunk wrote: ]
Subject: Re: ATTBI refuses to do reverse DNS?
So, if you ran Amazon.com, you wouldn't accept money from customers of clueless ISPs?
Luckily Amazon.com and sites like it, and more importantly their customers, have the assurance of credit card banks to back up their transactions -- they don't really need any of this pesky Internet security B.S. to secure their transactions. -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
[ On Tuesday, June 18, 2002 at 17:29:18 (-0400), Stephen Griffin wrote: ]
Subject: Re: ATTBI refuses to do reverse DNS?
The lack of clue tends to be on the providing in-addr side of things. I think it is a great thing to refuse connections from ips without in-addr, in the same way it is great to refuse mail from domains that don't provide postmaster addresses.
Providing or not providing reverse DNS is not really the central issue here -- it is whether the reverse DNS is correct, i.e. consistent with the "forward" hostnames, or not, that really matters. Usually it's better to have no reverse DNS at all than to have broken reverse DNS. I agree though it's much better to always have correct reverse DNS! ;-) -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
Most providers provide some kind for forward/reverse mapping, including ATTBI. Often, however, they do provide customized reverse mapping (ie, myhost.mydomain.com). That may be where the disconnect. I believe that ATTBI has a script that auto-generates forward/reverse mappings on a regular basis. You client may be just in a waiting period before the problem corrects itselft. On Tue, 18 Jun 2002, Lou Katz wrote:
A client of mine just discovered that he could no longer do ftp transfers to my machine. His IP address had changed to one in 12.240.20 and there is no reverse DNS for that block. His previous assignment was in a totally different block which did have reverse DNS. Calls to ATTBI got the answer that they are not obligated to provide reverse DNS and have no plans to do so. My servers refuse connections when there is no reverse lookup.
Is this common?
GAH! Sorry, bad typo. On Tue, 18 Jun 2002, Robert A. Hayden wrote:
Most providers provide some kind for forward/reverse mapping, including ATTBI. Often, however, they do provide customized reverse mapping (ie,
^^ do not
myhost.mydomain.com). That may be where the disconnect.
I believe that ATTBI has a script that auto-generates forward/reverse mappings on a regular basis. You client may be just in a waiting period before the problem corrects itselft.
participants (12)
-
brett watson -
Chris Woodfield -
Daniel Senie -
David Schwartz -
Frank P. Tower -
Jared Mauch -
Jim Popovitch -
Lou Katz -
Robert A. Hayden -
Stephen Griffin -
Stephen Sprunk -
woods@weird.com