Home page logo
/

nanog logo nanog mailing list archives

Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
From: Valdis.Kletnieks () vt edu
Date: Tue, 15 May 2001 10:18:55 -0400

On Mon, 14 May 2001 23:18:09 PDT, Adam McKenna <adam () flounder net>  said:
It does hurt.  It causes non-obvious problems.  Forcing hostnames and PTR's
to match (commonly referred to as PARANOID checking) does not provide extra
security, it just prevents people with badly configured DNS from accessing
your servers.

I once did a similar check in a Sendmail configuration, and found it to be
incredibly useful in reducing the spam load without significantly impacting
actual traffic.

There's a second-order effect here - the sort of clueless ISP that is unable
to get a PTR entry correct is *ALSO* the sort of clueless ISP that is very
likely unable to detect/eliminate hacker/spammer/etc nests in their address
space.

You of course need to be sure that your *own* DNS is rock-solid and up to
date (although our departmental network liaisons that maintain their zones
have learned that Things Will Not Work if they don't do it right ;).  You
also need to apply the usual skepticism for results - there *could* be a
temporary outage, for instance.

It's *NOT* a security measure to deploy by itself.  It's however useful as
Yet Another Part of a Complete and Balanced Security Breakfast... ;)

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault