
Re: xinetd /etc/host.deny ALL:PARANOID



On Fri, Jan 11, 2002 at 01:29:08AM +0100, martin f krafft wrote:
> i think you need to know exactly what this checks to get a clue...
> 
> first, the IP is taken and reverse-resolved to a domain name. then the
> domain name is resolved to an IP. if that IP doesn't match, it'll DENY.
> 
> now if 1.2.3.4 were to point to mail.madduck.net, but mail.madduck.net
> points to 1.2.3.5, then that's obviously a problem, or indication of an
> error status, or a hint at a hack/spoof attack... until you realize what
> BIND and others do with simply RR load-balancing:
> 
> zone IN 3.2.1.in-addr.ARPA:
> 
>   4 IN PTR mail.madduck.net
>   5 IN PTR mail.madduck.net
> 
> zone IN madduck.net
> 
>   mail.madduck.net IN A 1.2.3.4
>                    IN A 1.2.3.5
> 
> 
> now repeated queries for the A record of mail.madduck.net will return
> both IPs alternatingly. now think about why this would cause a problem.

Congratulations ... you just set up your DNS incorrectly.  Every PTR
entry should resolve to a _unique_ name, and that name should resolve
to a _unique_ IP.  That doesn't mean you can't have additional A
records doing load balancing. 

zone IN 3.2.1.in-addr.ARPA:

  4 IN PTR host4.netblk1-2-3.madduck.net.
  5 IN PTR host5.netblk1-2-3.madduck.net.

zone IN netblk1-2-3.madduck.net:

  host4.netblk1-2-3.madduck.net. IN A 1.2.3.4
  host5.netblk1-2-3.madduck.net. IN A 1.2.3.5

zone IN madduck.net:

  mail.madduck.net. IN A 1.2.3.4
                    IN A 1.2.3.5

Not all A records need PTR records.  It never fails to amaze me how
many people don't understand this.

All the people who say "but I don't control the reverse for my IP(s)"
don't understand the issue ... it's up to the registered contact for
the block to make sure reverse resolution works.  Of course that means
resolving to A records that the contact also controls.  This is all
spelled out in the RFCs and best practice documents.

Having said that, I know there are plenty of retarded netblock owners
out there.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com   |   -- Patton
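As an added illustration (not code from this thread, nor from xinetd or tcp_wrappers), here is a small model of the forward-confirmed reverse lookup that PARANOID performs, run against both zone layouts discussed above. The zone dictionaries, the answer rotation and the two comparison strategies are constructed assumptions for the example.

```python
# Model of a PARANOID-style check: reverse-resolve the client IP to a name,
# forward-resolve that name, and confirm the IP comes back. Zone data is
# constructed from the two layouts in the thread (assumed, not real DNS).
from typing import Dict, List

# Round-robin layout: both PTRs point at mail.madduck.net, which has two A records.
ZONES_ROUNDROBIN: Dict[str, Dict[str, object]] = {
    "ptr": {"1.2.3.4": "mail.madduck.net", "1.2.3.5": "mail.madduck.net"},
    "a": {"mail.madduck.net": ["1.2.3.4", "1.2.3.5"]},
}

# Unique layout: each PTR points at a host-specific name with exactly one A record;
# mail.madduck.net keeps its extra A records for load balancing.
ZONES_UNIQUE: Dict[str, Dict[str, object]] = {
    "ptr": {"1.2.3.4": "host4.netblk1-2-3.madduck.net",
            "1.2.3.5": "host5.netblk1-2-3.madduck.net"},
    "a": {"host4.netblk1-2-3.madduck.net": ["1.2.3.4"],
          "host5.netblk1-2-3.madduck.net": ["1.2.3.5"],
          "mail.madduck.net": ["1.2.3.4", "1.2.3.5"]},
}


def lookup_a(zones: dict, name: str, rotation: int) -> List[str]:
    """Return the A records for name, rotated like a BIND round-robin answer."""
    addrs = list(zones["a"].get(name, []))
    if not addrs:
        return []
    k = rotation % len(addrs)
    return addrs[k:] + addrs[:k]


def paranoid_check(zones: dict, ip: str, rotation: int = 0,
                   strict_first: bool = False) -> bool:
    """True if ip survives the reverse-then-forward check, else deny.

    strict_first=True models a checker that compares only the first forward
    answer; False accepts ip anywhere in the answer set, which is what the
    tcp_wrappers hostname check does.
    """
    name = zones["ptr"].get(ip)
    if name is None:            # no PTR at all: cannot confirm, deny
        return False
    addrs = lookup_a(zones, name, rotation)
    if strict_first:
        return bool(addrs) and addrs[0] == ip
    return ip in addrs
```

With the round-robin layout only a first-answer comparison flips between allow and deny as the answers rotate; the unique-name layout passes either way.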
