
Re: /etc/hosts and resolving of the local host/domainname - 127.0.0.1 vs. 127.0.1.1



Christoph Anton Mitterer <calestyo@scientia.net> writes:
> On Tue, 2013-07-30 at 14:25 -0700, Russ Allbery wrote:

>> We (Stanford) strip them out in FAI.  We can, of course, continue to do
>> that, but I thought I'd mention it as a data point.  If you have stable
>> DNS, you really don't want to have another shadow source of IP to host
>> mapping on local disk; it's almost certain to cause you problems later.

> Well, so long as you have services which depend on the host resolving to
> its local address (whatever that is)...

...it will break horribly when you have an IP address in /etc/hosts that's
no longer the host's IP address.  Which is the point.

> I think it can have security impacts if you leave that information up
> to some other server (e.g. your DHCP).

If you trust DNS, you trust DNS.  If you don't trust DNS, putting the
local host's IP address in /etc/hosts is just the start of your
remediation.  You had better also put in every other host that host cares
about, and you generally have a much more comprehensive problem.  Putting
the local hostname into /etc/hosts is neither necessary nor sufficient,
and therefore basically useless.

> Consider an application which only accepts packets originating from
> <hostname> as a security measure... if the DNS server goes evil... then
> that might be used by an attacker.

And this static file will not help you in the slightest against that
attack, since no host is only going to accept packets from itself, and the
attacker can just spoof one of those other possible source hostnames.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
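The failure mode Russ describes above (an /etc/hosts entry that still names an address the host no longer has, alongside the installer's 127.0.1.1 shadow entry) can be checked mechanically. The following is an added example, not code from anyone in this thread or from Debian's installer or FAI: it parses /etc/hosts content, picks out the lines that map the local hostname, and reports which of those are the 127.0.1.1-style loopback alias and which point at an address the host does not actually hold. The hostname `node17.example.net`, the sample file and the list of "live" addresses are constructed for the example; on a real system you would read /etc/hosts and take the live addresses from the interfaces (or from DNS, if that is the source of truth).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class HostsFinding:
    """One /etc/hosts line that maps the local hostname to an address."""
    address: str
    names: tuple
    loopback: bool       # address is in 127.0.0.0/8 or ::1
    matches_live: bool   # address is actually configured on this host


def parse_hosts(text):
    """Parse /etc/hosts content into (address, names) pairs.

    Comments and blank lines are skipped; lines whose first field is not a
    valid IP literal are ignored rather than raising."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((parts[0], tuple(parts[1:])))
    return entries


def entries_for_name(text, hostname):
    """Every /etc/hosts line naming hostname, by FQDN or by short name."""
    short = hostname.split(".", 1)[0]
    return [(addr, names) for addr, names in parse_hosts(text)
            if hostname in names or short in names]


def audit_local_mapping(text, hostname, live_addrs):
    """Classify each /etc/hosts mapping of hostname against the addresses
    the host really has (live_addrs is constructed here; in practice it
    comes from the interfaces or from DNS)."""
    live = {ipaddress.ip_address(a) for a in live_addrs}
    findings = []
    for addr, names in entries_for_name(text, hostname):
        ip = ipaddress.ip_address(addr)
        findings.append(HostsFinding(addr, names, ip.is_loopback, ip in live))
    return findings


def stale_entries(findings):
    """Non-loopback mappings to an address the host no longer holds: the
    case that 'breaks horribly' once the host moves."""
    return [f for f in findings if not f.loopback and not f.matches_live]


def shadow_loopback_entries(findings):
    """The 127.0.1.1-style alias: loopback, but not plain 127.0.0.1."""
    return [f for f in findings if f.loopback and f.address != "127.0.0.1"]


# Constructed sample: the host was reinstalled on 10.1.5.0/24 but the
# /etc/hosts line from its old subnet was never removed.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       node17.example.net node17
# old static address, host has since moved subnets
10.1.2.17       node17.example.net node17
::1             localhost ip6-localhost ip6-loopback
"""
LIVE_ADDRS = ["10.1.5.17", "127.0.0.1", "::1"]   # constructed interface list


if __name__ == "__main__":
    findings = audit_local_mapping(SAMPLE_HOSTS, "node17.example.net", LIVE_ADDRS)
    for f in shadow_loopback_entries(findings):
        print(f"shadow loopback entry: {f.address} -> {' '.join(f.names)}")
    for f in stale_entries(findings):
        print(f"STALE: {f.address} -> {' '.join(f.names)} (not on any interface)")
```

Run against the real file with `open("/etc/hosts").read()` and the output of `ip -o addr` for the live list; a non-empty `stale_entries` result is exactly the condition under which a local service that resolves its own name will bind or trust the wrong address.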

