Wildcards in reverse DNS

Mark Andrews Mark_Andrews at isc.org
Sun Jan 7 20:43:00 UTC 2007


> Danny Mayer wrote:
> > Sten Carlsen wrote:
> >   
> >> Mark Andrews wrote:
> >>     
> >>> 	This is a classic example of applying a IPv4 solution to a
> >>> 	IPv6 network.
> >>>   
> >>>       
> >> This is very likely, it probably takes some time and effort with the
> >> thing in real life too get a feel for what is possible and what is
> >> "natural" for any new system. This underlines that transition from IPv4
> >> to IPv6 is not just more bits, but rather completely new ways to think.
> >>     
> >>> 	I really don't see why people insist that they need port /
> >>> 	address translation.
> >>>       
> >> I don't necessarily want that, I want the effects that it gives in an
> >> IPv4 network. Isolation and hiding. If other mechanisms, not known in
> >> IPv4 networks, can provide that, it is fine with me.
> >>     
> >
> > NAT breaks NTP authentication, among other things. I wouldn't be
> > surprised if it also breaks DNSSEC.
> >   
> I don't see NAT as the wondercure of all times. It breaks a number of
> things, but it also by default breaks access to internal PCs that should
> not be accessible from outside. I.e. the default is that automatic
> probes will miss the unprotected systems; one less infection risk. It
> does not provide real protection against real attacks, a correctly
> configured firewall would to a much higher degree.
> 
> NAT has good and bad sides. For most private users I will say that the
> good sides outweigh the bad sides, YMMV.

	And a stateful firewall will do exactly the same thing.
	A NAT is a stateful firewall + port/address modification.
	Unless you are doing one-to-one NAT, a NAT box has to keep
	state to enable it to send packets back to the originating
	host.  That is a super-set of the state a stateful firewall
	would have to provide exactly the same protection.

> >> For some things I want that they can initiate a connection to the net,
> >> but are hidden so NO connection can be made from the outside to those
> >> devices. How can that be achieved without NAT in an IPv6 system?
> >>     
> >>>   A stateful firewall is just as good
> >>> 	at providing protection and doesn't have the down sides
> >>> 	introduced as a side effect of the port / address translation.
> >>>   
> >>>       
> >> I will take your word for that, I still feel there might be more risk.
> >> That could be missing time and effort on my side. On the other side that
> >> suggests a lot of misconfigured firewalls in the future until people
> >> learn how to do it. "A hackers paradise"?
> >>     
> >
> > Nothing is going to fix misconfigured firewalls except the people
> > responsible for maintaining them. If the firewall is misconfigured don't
> > expect the NAT to be set up properly either. This very much sounds like
> > security by ignorance. How are you safer?
> >   
> I am not thinking about sites with a dedicated and knowledgeable system
> administrator, here I can expect understanding and proper setup. I am
> thinking about all the ADSL connections where people hardly will be
> aware of what things they have that can access the net in the future.
> Many of the botnets today are created by using automatic probes that
> infect unprotected PCs without users knowing about it.
> 
> Any small router you buy for about $50 will by default make access by
> automatic probes impossible, you have to manually misconfigure it to
> have that risk.

	No.  A router does not do that.  A router w/ firewall does that.
	A router w/ NAT does that.  A router adds zero protection.

	This is a classic case of the consumer not knowing what is
	being sold to them.
 
> The knowledge and effort it takes to setup a firewall is much greater
> than what I expect the normal ADSL user to have. I expect many of the
> future appliances to try to open a hole in the firewall for themselves
> so they can communicate with their maker for updates and market
> research, also opening for hackers, I will not expect the things to
> allow me to set their network configuration manually the risk of me
> breaking what the manufacturer wants to do is far too big; will future
> botnets be composed from refrigerators?

	What a load of hogwash.  SOHO NAT vendors could easily make an
	equivalent SOHO firewall with almost the same gui as the NAT
	box (default out any keep-state, in none).
  
> >>> 	If you don't want there to be any path to the equipment
> >>> 	don't let it use a global prefix.  Use a link local or a
> >>> 	locally assigned local address if you have more than one
> >>> 	internal network.
> >>>   
> >>>       
> >> Does that mean that a local DHCP server is needed? Or is a fixed address
> >> the best way?

	DHCP can provide fixed or dynamic addresses.  It's all a matter
	of configuration.  For IPv6 you have the choice of fixed, DHCP
	(fixed or dynamic) or autoconf (unknown fixed).  Autoconf also
	handles adding or removal of prefixes.

> >> This is an example of what could be the misunderstandings that create
> >> this kind of debate, it also underlines that the transition is NOT
> >> simple as has been said.
> >>     
> >
> > It really is that simple. Programmers have to substitute some slightly
> > different functions and structures for the old IPv4 only structures but
> > the new ones handle both transparently.
> >   
> I was thinking of normal people's understanding, not programmers or
> admins. I worry that in too many cases functionality comes before
> security; everything works by default and you have to close holes by
> yourself, not the other way round. Windows is a good example for all to
> follow it would seem; functions break holes in firewalls if they want
> them without asking users already now.
> >   
> >>> 	Remember a IPv6 node will often have 3 or more addresses
> >>> 	on each NIC.
> >>>   
> >>>       
> >> That worries me a bit, I guess that will resolve itself as IPv6 becomes
> >> more common in discussions.
> >>     
> >
> > Why? The different addresses just make routing easier.
> >   
> That is both good and bad, see above.
> > Danny
> >   
> 
> 
> -- 
> Best regards
> 
> Sten Carlsen
> 
> No improvements come from shouting:
> 
>        "MALE BOVINE MANURE!!!" 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
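The "default out any keep-state, in none" policy discussed in the thread, written out as an nftables ruleset for a SOHO router forwarding IPv6 without any NAT. This is an added example and is not from the original post, from ISC or from any vendor; the interface names lan0 and wan0 are assumed placeholders. The one thing a literal "in none" would break on IPv6 is neighbour discovery and path MTU discovery, so the ruleset admits the handful of ICMPv6 types those depend on.

```nft
#!/usr/sbin/nft -f
# Stateful-firewall-only router for IPv6: no address or port translation.
# Assumed interface names (placeholders): lan0 = inside, wan0 = upstream.
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop
        # "keep-state": replies to flows the router itself started.
        ct state established,related accept

        # ICMPv6 the router needs to function on the link at all:
        # neighbour/router discovery plus the PMTUD and error messages.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      packet-too-big, destination-unreachable,
                      time-exceeded, parameter-problem } accept

        # Management from the inside only (constructed example: SSH).
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic passing through the router between lan0 and wan0.
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        # "keep-state": return traffic for flows initiated from inside.
        ct state established,related accept

        # "default out any": anything originated on the LAN may leave.
        iifname "lan0" oifname "wan0" accept

        # "in none" for new inbound flows, except the ICMPv6 errors that
        # inside hosts need for path MTU discovery to work.
        iifname "wan0" oifname "lan0" icmpv6 type { packet-too-big,
                      destination-unreachable, time-exceeded,
                      parameter-problem } accept
    }

    chain output {
        # The router's own outbound traffic is unrestricted.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` on the router. The conntrack entries created by the `ct state` rules are the same state a NAT box would have to keep; the only thing missing is the translation table, which is exactly the point made above. An unsolicited probe arriving on wan0 for an inside host matches no rule in `forward` and falls to the `drop` policy, which is the behaviour the thread attributes to consumer NAT boxes.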


