nslookup from WinNT machine

Joseph S D Yao jsdy at cospo.osis.gov
Thu May 31 00:20:42 UTC 2001


OK,

 #####  ####### ####### ######            ###   #######           ###     ###
#     #    #    #     # #     #            #       #              ###     ###
#          #    #     # #     #            #       #              ###     ###
 #####     #    #     # ######             #       #               #       #
      #    #    #     # #                  #       #
#     #    #    #     # #                  #       #              ###     ###
 #####     #    ####### #                 ###      #              ###     ###

Brad, Kevin, go off to your corners.  Take a long, slow drink of COLD
water.  Go back and re-read what you have written.  Consider whether
apologies might be in order.  (I can't prescribe this for you.)

This thread started in this direction when Kevin mused that he wasn't
sure that PTR records were worth the trouble of maintaining.

When I teach first aid, I tell people that the first thing to say when
calling 911 is, "Hello, my name is ...", and to give their own name.
Why?  This surely is not strong authentication!  But it gives the 911
dispatcher some SMALL feeling of credence in the caller.  He or she
will certainly not use this to totally discount the possibility of a
false alarm.  But he or she may take note of the COURTESY, and listen a
bit more closely.  In fact, since I also volunteer on the other side of
the fence, I will say that often he or she WILL.

Now, reverse-DNS PTR records are also a COURTESY.  The use of them in
the in-addr.arpa. name tree gives one way of introducing yourself when
you contact another person.  The IP packet contains a "from" IP address
- spoofable, true, but at the moment the IP packet arrives, and before
any strong cryptography comes into play, it's the only information the
remote machine has on me.  It can look up my name from that.  If it's
clever, it will see whether the forward-DNS lookup and the reverse-DNS
lookup can be made to match.

And then it can do whatever it darn well pleases with the information.

If it foolishly chooses to use that as strong authentication, then so
much the worse for it.  One of these days - once out of a million times
- it will be fooled, and it will die or be "owned".  But, you know,
BOTH of the main participants in this argument strongly argued AGAINST
doing this.  Even though it's hard to spoof a reverse-DNS lookup, it's
not impossible.

If it decides to take the LACK of a name as a "red flag" - well, that
sounds appropriate, don't you think?  If I knock on your door, and you
say, "Who is it?" ... and I don't answer ... wouldn't you take that as
an indicator that something is not right here in Belgium?  (Actually,
there in Belgium ... or Detroit ...)  It can then decide how MUCH of a
red flag this is.

And many spammers certainly do come in from systems without PTR names.
This is a definite statistical trend for those not industrious enough
to go out and find one of the copious third-party relay machines.  And
I myself, personally, have no problems excluding recipients on that
criterion.  But what I might do instead is have such folks alert me
when such e-mail arrives.  IMPRACTICAL if 25% of hundreds of millions
of addresses arrive that way!  But different situations differ.

After noting this "red flag", of course, it should also make use of all
the more-secure techniques that there are of authenticating the
packet's contents.  IF the packet's contents warrant the expense.  Or
not, if they don't.

If something does come in that's bad, and a reverse DNS record is
there, then I can trace it back to determine whether the named site is
actually the perpetrator.  Without that, it's a lot harder.  And I may
be able to alert a hacked site that he is "owned" by someone else.

Now, it's just COURTESY that has me keep up my reverse DNS, and ask
that others doing legitimate business over some internet or other do
the same.

But isn't COURTESY enough of a good reason?

Let's all please COURTEOUSLY consider this.

Thank you.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
OSIS Center Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
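The forward-and-reverse comparison described above, together with the "no PTR at all" case treated as a red flag, as an added example in Python (not code from the post or from BIND). Names and addresses are constructed documentation-range values, and the lookups are injected so the check runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check: find the PTR name for a
client IP, resolve that name forward, and see whether the client IP is
among the answers. Lookups are injected as callables so the example runs
offline against constructed records; live socket-based versions are given
for real use."""
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample data using documentation-range addresses and
# hypothetical names (not real hosts): ip -> PTR name, name -> A records.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",       # forward and reverse agree
    "192.0.2.20": "mail.example.net",       # PTR borrows a name that does not map back
    "198.51.100.5": "nowhere.example.org",  # PTR name has no forward record at all
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
}

def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)

def sample_forward(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])

def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_forward(name: str) -> List[str]:
    """All A/AAAA addresses for a name via the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def fcrdns_status(ip: str, reverse: Callable[[str], Optional[str]] = sample_reverse,
                  forward: Callable[[str], List[str]] = sample_forward) -> str:
    """Classify a client address as 'no-ptr', 'mismatch' or 'confirmed'.
    'confirmed' only means the zone owners agree about the name; it is a
    courtesy signal for logging and weighting, not authentication."""
    name = reverse(ip)
    if name is None:
        return "no-ptr"      # nobody answered "Who is it?"
    if ip in forward(name):
        return "confirmed"
    return "mismatch"        # a name is claimed but does not point back here
```

For live use pass `reverse=live_reverse, forward=live_forward`; the status is meant to feed a log line or a weight in a scoring policy, never a hard accept decision on its own.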