Wildcards in reverse DNS

Marc Haber mh+bind-users at zugschlus.de
Fri Jan 5 20:42:35 UTC 2007

On Fri, Jan 05, 2007 at 10:31:23AM -0800, Clenna Lumina wrote:
> > On Thu, Jan 04, 2007 at 02:24:11PM -0800, Clenna Lumina wrote:
> > > Mark Andrews wrote:
> > > > For those of you who think NAT's are great try connecting
> > > > to a port forwarded service from behind a NAT.  I've yet
> > > > to see a NAT box do this right.  The NAT box should be
> > > > able to loop the traffic around.  Instead we are forced
> > > > to kludge solutions to this in the DNS.
> > >
> > > No, a *properly* behaving NAT should always allow looping
> > > back. If you are running a NAT that doesn't allow this,
> > > then it is broken. You cannot put down NAT just because
> > > of broken implimentations.
> >
> > Just show me how to do IPSEC AH via NAT. Or how to connect
> > to a service that does RFC1413 ident lookups and actually does
> > something with the returned value.
> My last company I worked for was running IPSEC (VPN, etc) through their 
> (properly) NATed firewall without any problems.

I guess that this was IPSEC tunnel mode. I specifically asked for
IPSEC AH for a reason.

>  Again, this is a difference between poor implimentations and the
>  concept your self.  You're attacking the wrong one here.

I am obviously "attacking" somebody who considers herself able to
judge things that she has not the necessary background knowledge
about. "It just works for me" is not enough.

> > Even trying to have a mail server HELO with the right host
> > name, regardless of whether the machine connected to is on the
> > internal or an external network, is a challenge if NAT is in
> > the game.
> I can't say I've ever seen that be a problem behind a NAT.

Then you need to be around the block a few more times.

>  The HELO is usually generated by the address of the server the
>  connecitng mail server is trying to reach,

No. Please read the RFCs before you continue embarrassing yourself
even more.

>  so if it's generating a bad HELO, then thats the fault of the foreign
>  mail server, which is likely not configured correctly to begin with.
> My personal mail server which sits behind my home NAT, has never faield 
> to get a proper HELO from proper foreign hosts.

It's the connecting server who says HELO, not the server connected to.

> Just to clear something up, when I said "turn your network world upside 
> down" I mean in the way you think about IP addresses and the like, will 
> be radically different. You can't tell me that 
>  is the same as typing 
> out  111.222.333.444  , be it in geenral speak or entering into a conf 
> file or passing along an IP to a friend for setting up a friendly 
> private Quake match.

::1 is even shorter than

and 2001:1b18:f:4::4/128 is not _that_ bad. Yes, that's an actually
workin address.

> Can you really tell me you can easily remember an address that long? I 
> can remebmer a 4 section IP with out any trouble. Remembering an IPv6 
> address might be possible, no doubt, but you'd likely have to known it 
> rather well, and have a rather good memory.

If DNS is properly used, you don't need to remember IPv6 addresses.
And, usually, you only need to remember the prefix anyway.

> Actually a couple years ago, after hearing about IPv4 address slowly 
> becoming scarce, I actually sort of invisioned IPv4 being expanded in a 
> similar way telephone numbers were introduced into area codes (and 
> country codes) to furthur divide things. What I envisioned then was 
> anywhere for 1 to 4 extra sections (8 byte IPs.)

Very good idea. Just another migration in ten years. I know people who
have gone through four phone numbers in three different area codes in
the last fifteen years.

Geez, this is _one_ thing that we germans did right. No splits, no
overlays. Only newly assigned numbers get longer. This is based on the
convenient fact that our number length was never fixed in the first
place, and we started making them longer long before the existing
space was depleted so that we had ample _new_ number space to put into
use which saved us from doing the splits.

> When I first saw an IPv6, it immediately looked like over kill. Like I 
> said, I will be trying it on my own local network to get a real feel for 
> it. On this note, are there any good documents out ther that describe 
> what the general conventations are for IPv6 IPs? FOr instance, in IPv4, 
> 192.168/16, 172.16/12, 10/8, are considered LAN-only IP blocks, 127/8 being loopback block. 

http://en.wikipedia.org/wiki/Ipv6 seems pretty good to me.


Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

More information about the bind-users mailing list