Wildcards in reverse DNS

Sten Carlsen ccc2716 at vip.cybercity.dk
Sun Jan 7 11:31:26 UTC 2007


Danny Mayer wrote:
> Sten Carlsen wrote:
>> Mark Andrews wrote:
>>> 	This is a classic example of applying a IPv4 solution to a
>>> 	IPv6 network.
>> This is very likely, it probably takes some time and effort with the
>> thing in real life to get a feel for what is possible and what is
>> "natural" for any new system. This underlines that transition from IPv4
>> to IPv6 is not just more bits, but rather completely new ways to think.
>>> 	I really don't see why people insist that they need port /
>>> 	address translation.
>> I don't necessarily want that, I want the effects that it gives in an
>> IPv4 network. Isolation and hiding. If other mechanisms, not known in
>> IPv4 networks, can provide that, it is fine with me.
>
> NAT breaks NTP authentication, among other things. I wouldn't be
> surprised if it also breaks DNSSEC.
I don't see NAT as the wonder cure of all times. It breaks a number of
things, but it also by default breaks access to internal PCs that should
not be accessible from outside. I.e. the default is that automatic
probes will miss the unprotected systems; one less infection risk. It
does not provide real protection against real attacks; a correctly
configured firewall would, to a much higher degree.

NAT has good and bad sides. For most private users I will say that the
good sides outweigh the bad sides, YMMV.
>> For some things I want them to be able to initiate a connection to the
>> net, but be hidden so NO connection can be made from the outside to
>> those devices. How can that be achieved without NAT in an IPv6 system?
>>>   A stateful firewall is just as good
>>> 	at providing protection and doesn't have the down sides
>>> 	introduced as a side effect of the port / address translation.
>> I will take your word for that, I still feel there might be more risk.
>> That could be missing time and effort on my side. On the other side that
>> suggests a lot of misconfigured firewalls in the future until people
>> learn how to do it. "A hacker's paradise"?
>
> Nothing is going to fix misconfigured firewalls except the people
> responsible for maintaining them. If the firewall is misconfigured, don't
> expect the NAT to be set up properly either. This very much sounds like
> security by ignorance. How are you safer?
I am not thinking about sites with a dedicated and knowledgeable system
administrator; here I can expect understanding and proper setup. I am
thinking about all the ADSL connections where people will hardly be
aware of what things they have that can access the net in the future.
Many of the botnets today are created by using automatic probes that
infect unprotected PCs without users knowing about it.

Any small router you buy for about $50 will by default make access by
automatic probes impossible; you have to manually misconfigure it to
have that risk.

The knowledge and effort it takes to set up a firewall is much greater
than what I expect the normal ADSL user to have. I expect many of the
future appliances to try to open a hole in the firewall for themselves
so they can communicate with their maker for updates and market
research, also opening for hackers. I will not expect the things to
allow me to set their network configuration manually; the risk of me
breaking what the manufacturer wants to do is far too big. Will future
botnets be composed of refrigerators?
>>> 	If you don't want there to be any path to the equipment
>>> 	don't let it use a global prefix.  Use a link local or a
>>> 	locally assigned local addresses if you have more than one
>>> 	internal network.
>> Does that mean that a local DHCP server is needed? Or is a fixed address
>> the best way?
>> This is an example of what could be the misunderstandings that create
>> this kind of debate; it also underlines that the transition is NOT
>> simple as has been said.
>
> It really is that simple. Programmers have to substitute some slightly
> different functions and structures for the old IPv4-only structures but
> the new ones handle both transparently.
I was thinking of normal people's understanding, not programmers or
admins. I worry that in too many cases functionality comes before
security; everything works by default and you have to close holes by
yourself, not the other way round. Windows is a good example for all to
follow, it would seem; functions already break holes in firewalls if they
want them, without asking users.
>>> 	Remember a IPv6 node will often have 3 or more addresses
>>> 	on each NIC.
>> That worries me a bit, I guess that will resolve itself as IPv6 becomes
>> more common in discussions.
>
> Why? The different addresses just make routing easier.
That is both good and bad, see above.
> Danny


-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 


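Editor's added example (not part of the thread and not written by any of its participants): the "stateful firewall instead of NAT" arrangement Mark Andrews describes, expressed as an nftables ruleset for a small IPv6 router. The interface names wan0 (upstream) and lan0 (inside) are assumptions, as is a router that forwards IPv6 between them; the point it shows is that inside hosts keep globally routable addresses and can still open connections outward, while nothing admits a new connection from outside, which is the "hiding" Sten asks for, obtained without any address or port translation.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the bind-users thread. Default-deny stateful IPv6
# firewall for a home router. "wan0" (upstream) and "lan0" (inside) are
# assumed interface names; IPv6 forwarding is assumed to be enabled.
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: drop unless allowed below.
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor discovery, router advertisements and path-MTU signalling
        # are required for IPv6 to work at all; a "NAT-minded" ruleset that
        # blocks all ICMPv6 breaks the link, so these are admitted explicitly.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      packet-too-big, destination-unreachable,
                      time-exceeded, parameter-problem, echo-request } accept

        # DHCPv6 client replies from upstream (client port 546).
        iifname "wan0" udp dport 546 accept

        # Router management from the inside only.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic crossing the router between lan0 and wan0.
        type filter hook forward priority 0; policy drop;

        # Replies to connections already tracked by conntrack come back in.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open connections outward. The conntrack entry this
        # creates is what lets the replies through the rule above.
        iifname "lan0" oifname "wan0" accept

        # Error and PMTU messages must cross the router for TCP to behave.
        icmpv6 type { packet-too-big, destination-unreachable,
                      time-exceeded, parameter-problem } accept

        # Deliberately no rule admitting a new connection from wan0 to lan0:
        # inside hosts are addressable but unreachable unsolicited, which is
        # the isolation NAT provides on IPv4, here without translation.
    }
}
```

Load it with `nft -f <file>` and review the result with `nft list ruleset`. The whole of the inbound policy lives in the forward chain's default `policy drop` plus the single lan0-to-wan0 accept rule, so exposing one inside service later means adding one explicit line (an `iifname "wan0" oifname "lan0" ip6 daddr <address> tcp dport <port> accept`, with the address and port filled in), and an audit of what is reachable from outside reduces to reading that chain. Mark's other suggestion, giving equipment no global prefix at all (link-local or ULA addresses only), needs no firewall rule: such addresses are simply not routed from the Internet.
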

More information about the bind-users mailing list