[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: opened OpenSSL port

> Chris Davies a écrit :
>> /etc/hosts.allow could provide a level of protection for names matching,
>> e.g. "*.dyndns.org".

Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> This won't work, because usually the reverse DNS is not in *.dyndns.org.
> somename.dyndns.org -> IP address -> some other name defined by the ISP.

Interesting, that one. I don't use hosts.allow myself - but it's
frequently recommended by others. It's not at all clear (to me) from
the man page that the canonical name must be provided in hosts.allow,
but empirically it appears that this indeed is the case.

Arguably, this is less than optimal from a user-centric
perspective. (Consider a host with multiple A records, perhaps a
well-connected web server running a number of vHosts. It seems to me
that it would make more sense to do a forward DNS lookup on a name
(where possible) and match the resulting set of addresses against the
incoming IP. Ineffective on domain matching, but surely useful for
host-based matching?)


Reply to: