
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, Apr 18, 2001 at 10:17:22PM +0200, Robert van der Meulen wrote:
> Quoting Andrew Pimlott (andrew@pimlott.ne.mediaone.net):
> > PARANOID is there for people who want to do DNS hostname based
> > authentication and have it be slightly less broken.  That's it.  Can
> > anyone else document a real case in which denying based on PARANOID
> > helped?
> There is no such thing as DNS hostname based authentication.
> Can you give an example where you would want to allow access from an
> inconsequently configured machine, that is run by someone who doesn't know
> how to configure DNSs ?
> The PARANOID setting helps in 'pushing' people to do correct DNS
> configuration, it helps auditing, it keeps your (and others') networks in a
> consequent and (DNS-wise) correctly configured state.
> If removing the 'ALL: PARANOID' line fixes things for you, or makes life
> easier for you, you should look into configuring your servers first, before
> requesting a workstation install that allows for access by broken
> machines.
> Machines with broken DNS should not be allowed to connect anyway, but should
> either be fixed, and in the remote possibility that you do want to allow
> access from broken machines, the admin can alter /etc/hosts.deny.

Most of us don't have control over our DNS records, which are under the control of fascist Telecommunication Megacorporations such as Telefonica.

> Greets,
> 	Robert
Pedro Larroy Tovar. PiotR | http://omega.resa.es/piotr/
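
The name/address comparison behind the PARANOID wildcard debated in this thread, as an added example that is not part of the original messages or of tcp_wrappers itself. It is a simplified model run over constructed records: the addresses, host names and the functions `classify` and `denied_by_paranoid` are assumptions for illustration, and no real DNS lookups are made.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges), not real records.
PTR = {  # reverse zone: address -> name claimed by whoever controls the PTR
    "192.0.2.10": "mail.example.org",
    "192.0.2.20": "trusted.example.org",
}
A = {  # forward zone: name -> addresses published by the owner of the name
    "mail.example.org": ["192.0.2.10"],
    "trusted.example.org": ["192.0.2.99"],
}


def classify(client_ip, ptr=PTR, fwd=A):
    """Model of the check: reverse-resolve the address, forward-resolve the
    resulting name, and require the original address among the results.

    Returns "unknown"  when the address has no reverse record,
            "paranoid" when the name does not map back to the address,
            "match"    when forward and reverse agree.
    """
    addr = ipaddress.ip_address(client_ip)
    name = ptr.get(str(addr))
    if name is None:
        return "unknown"  # no name at all: this is the UNKNOWN case
    forward = {ipaddress.ip_address(a)
               for a in fwd.get(name.lower().rstrip("."), [])}
    return "match" if addr in forward else "paranoid"


def denied_by_paranoid(client_ip):
    """Effect of a hosts.deny containing only 'ALL: PARANOID' in this model."""
    return classify(client_ip) == "paranoid"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.7"):
        print(ip, classify(ip), "deny" if denied_by_paranoid(ip) else "allow")
```

In this model an address with no reverse record at all is classed as unknown rather than paranoid, so the `ALL: PARANOID` line alone rejects only the host whose name and address disagree.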
