Wildcards in reverse DNS

Sten Carlsen ccc2716 at vip.cybercity.dk
Sun Jan 7 21:36:34 UTC 2007


Mark Andrews wrote:
>> I really don't see why people insist that they need port / address
>> translation.
>>>>>       
>>>>>           
>>>> I don't necessarily want that, I want the effects that it gives in an
>>>> IPv4 network. Isolation and hiding. If other mechanisms, not known in
>>>> IPv4 networks, can provide that, it is fine with me.
>>>>     
>>>>         
>>> NAT breaks NTP authentication, among other things. I wouldn't be
>>> surprised if it also breaks DNSSEC.
>>>   
>>>       
>> I don't see NAT as the wondercure of all times. It breaks a number of
>> things, but it also by default breaks access to internal PCs that should
>> not be accessible from outside. I.e. the default is that automatic
>> probes will miss the unprotected systems; one less infection risk. It
>> does not provide real protection against real attacks, a correctly
>> configured firewall would to a much higher degree.
>>
>> NAT has good and bad sides. For most private users I will say that the
>> good sides outweigh the bad sides, YMMV.
>>     
>
> 	An a stateful firewall will do exactly the same thing.
> 	A nat is a stateful firewall + port/address modification.
> 	Unless you are doing one-to-one NAT, a nat box has to keep
> 	state to enable it to send packets back to the originating
> 	host.  That is a super-set of the state a stateful firewall
> 	would have to provide exactly the same protection.
>
>   
>> I am not thinking about sites with a dedicated and knowledgeable system
>> administrator, here I can expect understanding and proper setup. I am
>> thinking about all the ADSL connections where people hardly will be
>> aware of what things they have that can acess the net in the future.
>>     
> Many of the botnets today are created by using automatic probes that infect unprotected PCs without users knowing about it.
>
> Any small router you buy for about $50 will by default make access by
> automatic probes impossible, you have to manually misconfigure it to
> have that risk.
>   
>
> 	No.  A router does not do that.  A router w/ firewall does than.
> 	A route w/ NAT does that.  A router add zero protection.
>
> 	This is a classic case of the consumer no knowing what is
> 	being sold to them.
>   
True, I was thinking about routers with NAT, as far as I know all
routers sold today at about $50 do include NAT. They are all designed to
allow more than one computer to connect via an ADSL-connection, so NAT
is needed for that. Meaning that all small routers include NAT with what
is now a standard setup.
>  
>   
>> The knowledge and effort it takes to setup a firewall is much greater
>> than what I expect the normal ADSL user to have. I expect many of the
>> future appliances to try to open a hole in the firewall for themselves
>> so they can communicate with their maker for updates and market
>> research, also opening for hackers, I will not expect the things to
>> allow me to set their network configuration manually the risk of me
>> breaking what the manufacturer wants to do is far too big; will future
>> botnets be composed from refrigerators?
>>     
>
> 	What a load of hogwash.  SOHO NAT vendors could easily make a
> 	equivalent SOHO firewall with almost the same gui as the NAT
> 	box (default out any keep-state, in none).
>   
Yes they could, have you seen one yet? I remember the time it took for
them to grasp the NAT and do that correctly (well mostly). My point is
that during the transition we will see a lot of "interesting" solutions.
>   
>   
>>>>> 	If you don't want there to be any path to the equipment
>>>>> 	don't let it use a global prefix.  Use a link local or a
>>>>> 	locally assigned local addresses if you have more than one
>>>>> 	internal network.
>>>>>   
>>>>>       
>>>>>           
>>>> Does that mean that a local DHCP server is needed? Or is a fixed address
>>>> the best way?
>>>>         
>
> 	DHCP can provide fixed or dynamic addresses.  It's all a matter
> 	of configuration.  For IPv6 you have the choice of fixed, DHCP
> 	(fixed or dynamic) or autoconf (unknown fixed).  Autoconf also
> 	handles adding or removal of prefixes.
>   
Yes, what options will the refrigerator manufacturers include?
>   
>>>> This is an example of what could be the misunderstandings that create
>>>> this kind of debate, it also underlines that the transition is NOT
>>>> simple as has been said.
>>>>     
>>>>         
>>> It really is that simple. Programmers have so substitute some slightly
>>> different functions and structures for the old IPv4 only structures but
>>> the new ones handle both transparently.
>>>   
>>>       
>> I was thinking of normal peoples understanding, not programmers or
>> admins. I worry that in too many cases functionality comes before
>> security; everything works by default and you have to close holes by
>> yourself, not the other way round. Windows is a good example for all to
>> follow it would seem; functions break holes in firewalls if they want
>> them without asking users already now.
>>     
Basically what options are available and meant to be used will not
always be the ones actually used. Those who implement network units will
listen more to he, who pays the bill than to those who wrote the standards.


Let us close this discussion at least on this list, what ever we say,
things are not changing because of that. I believe we have all gained a
little knowledge about other sides of things, let's try to use that to
make things actually work.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 



More information about the bind-users mailing list