[fw-wiz] multiple reverse PTRs and fqdn-based ACLs
From: ark@eltex.ru
Date: 12/16/02
- Next message: Daniel Linder: "Re: [fw-wiz] Stats on how common NAT is?"
- Previous message: David Lang: "RE: [fw-wiz] Corporate H/N IPS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: ark@eltex.ru To: firewall-wizards@honor.icsalabs.com Date: Mon Dec 16 08:29:19 2002
nuqneH,
Looks like some tools designed to keep forward and reverse zones in sync
do create multiple reverse records. That was not widely accepted practice
for years (though RFC that states the situation should be handled correctly
exists since 1997) and many fqdn-based acl implementations (including mine ;)
did not browse alias list for possible matches. Even more, some dns caching
engines do cache one reverse record only.
What do you think is preferred behavior? Restrict PTRs to one reverse record
per IP only or to fix everything that is broken (and to cause significant
increase of DNS traffic volume). I do both now ;-)
--
_ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
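The failure mode described above (an fqdn-based ACL that looks at only the first PTR and so misses a legitimate alias, or that trusts a PTR without checking it points back) can be illustrated with a small forward-confirmed reverse DNS check. This is an added example, not code from the post or from any firewall product; the resolver is a constructed in-memory table rather than a real DNS lookup, and the host names and addresses are invented. It walks every PTR record, accepts a name only when it is on the ACL and its forward records include the original address, and sits beside the naive first-PTR-only version for comparison.

```python
# Forward-confirmed reverse DNS (FCrDNS) matching against an FQDN-based ACL,
# walking every PTR record for the address instead of only the first one.
# Added example; the "zone data" below is constructed, not real hosts.

import ipaddress

# Constructed sample data: 192.0.2.10 has two PTRs (both legitimate),
# 192.0.2.20 has a PTR whose forward record does not point back.
PTR_TABLE = {
    "192.0.2.10": ["mail.example.net.", "www.example.net."],
    "192.0.2.20": ["bogus.example.org."],
}
A_TABLE = {
    "mail.example.net.": ["192.0.2.10"],
    "www.example.net.": ["192.0.2.10", "192.0.2.11"],
    "bogus.example.org.": ["198.51.100.5"],  # does not resolve back
}


def reverse_name(ip):
    """Return the in-addr.arpa name a real resolver would query for ip."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup_ptr(ip):
    """Stand-in for a PTR query: returns every reverse record, not just one."""
    return list(PTR_TABLE.get(ip, []))


def lookup_a(name):
    """Stand-in for an A query on a fully qualified, dot-terminated name."""
    return list(A_TABLE.get(name, []))


def normalize(name):
    """Lower-case and make sure the name is absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def naive_match(ip, allowed):
    """The behaviour the post describes: only the first PTR is consulted,
    and it is trusted without a forward lookup. Returns the matched name."""
    allowed = {normalize(n) for n in allowed}
    ptrs = lookup_ptr(ip)
    if not ptrs:
        return None
    name = normalize(ptrs[0])
    return name if name in allowed else None


def fcrdns_match(ip, allowed):
    """Check every PTR; a name matches only if it is on the ACL and its
    forward A records contain the original address. Returns the name or
    None. Each PTR costs one extra forward query, which is the traffic
    increase the post mentions; a real implementation would cache this."""
    allowed = {normalize(n) for n in allowed}
    for raw in lookup_ptr(ip):
        name = normalize(raw)
        if name not in allowed:
            continue
        if ip in lookup_a(name):
            return name
    return None


if __name__ == "__main__":
    acl = {"www.example.net"}
    print("naive  :", naive_match("192.0.2.10", acl))    # None: first PTR is mail.
    print("fcrdns :", fcrdns_match("192.0.2.10", acl))   # www.example.net.
    print("naive  :", naive_match("192.0.2.20", {"bogus.example.org"}))   # trusts it
    print("fcrdns :", fcrdns_match("192.0.2.20", {"bogus.example.org"}))  # None
```

The second pair of calls is the reason the forward check matters: a PTR is published by whoever controls the reverse zone for the address, so an ACL that matches on the PTR name alone is only as trustworthy as that zone. Walking all PTRs fixes the alias problem; forward confirmation fixes the trust problem. Neither helps if the caching resolver in front of the firewall keeps only one PTR per address, which is the other defect the post points out.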