Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!ucsd!ucbvax!EE.ROCHESTER.EDU!deke
From: deke@EE.ROCHESTER.EDU (Dikran Kassabian)
Newsgroups: comp.protocols.tcp-ip.domains
Subject: Re: no inverse mappings
Message-ID: <9008141419.AA03517@socrates.ee.rochester.edu>
Date: 14 Aug 90 14:19:43 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: inet
Organization: The Internet
Lines: 171

In <1990Aug10.152144.17260@ee.rochester.edu> I asked about handling
connection requests from addresses that my nameserver can't inverse map
to a hostname. We've seen quite a lot of responses to my original post.
It's an old subject, I know, but I wanted to hear some new perspectives
on it. I thank everyone for sharing their point of view.

There seems not to be an objective Right or Wrong, but rather many
opinions expressed. I quote several here -- although edited, I have
attempted to take nothing out of context.

------------

In email message <9008102044.AA22223@uunet.uu.net> Andrew Partan writes:
>
> We refuse connections from sites without an in-addr.arpa domain by
> replying:
>       Can't map to a valid hostname.
>       We only allow ftp from recognized sites.
>       Get your system administrator to fix your domain servers.
>
> and then send them attached mail if they complain.
>
> [ form letter deleted ]

Andrew, I hope you don't mind my quoting your mail here. It seems
directly relevant. I mentioned this sort of thing in my original post.
Not surprisingly, I got the idea from uunet in the first place.

------------

In <789@malgudi.osc.edu> Kannan Varadhan writes:
>
> somehow, it seems to go against our grain of "be conservative in
> what you do, be liberal in what you accept from others"[%] policy.
>
> I have come across a lot of people who try very hard, but don't always
> succeed in getting things right, or have a lot of trouble understanding
> the concept.
> Penalising them in this rather harsh manner seems
> somewhat rude to me, and may not be quite the way to coerce people to
> use the DNS, or to get them to straighten out their end of things.
>
> [%] Quote from RFC793, by Jon Postel.

------------

In Bob Sutterfield writes:
>
> I'd rather see a few sites with misconfigured inverse mappings
> becoming temporarily inconvenienced, than the entire world thrown into
> a tailspin because some yahoo laid UUNET low via a security hole that
> could have been avoided by disallowing non-inverse-mapped access.

------------

In <739@logicon.com> Jeff Makey writes:
>
> Bob, I hope you aren't really so naive as to believe that inverse
> mappings are somehow secure, that the mere existence in some
> resolver's cache of an .IN-ADDR.ARPA record for an internet address
> means that activity apparently emanating from such an address can
> always be traced to the person responsible.

I dunno. It depends on your intentions. I'm not looking for strict
authentication, I just want to know for the most part who is on the
other end of the line. When some sales critter calls me up and says
it's representing Yoyodyne International, I (perhaps foolishly :-)
believe it. It's at least tried to identify itself. If it called me
and asked me all sorts of questions, and yet *refused* to identify
itself (or wasn't able), I'd be less inclined to stay on the line.

> The idea that "the entire world" depends upon uunet is pretty amusing.
> It bothers me that I didn't see any smileys nor any hint that they
> were implied.

:-) You just couldn't see my face from where you were sitting. I was
smiling. I have no idea whether Bob was, too. But a swamped or comatose
uunet would certainly affect lots of people, although I agree it would
be far from the entire world.

------------

In <9008131945.AA03144@sci.ccny.cuny.edu> Dan Schlitt writes:
>
> The "liberal ..... conservative ..." bit quoted by others
> applies to datagrams and messages.
> Certainly no one intends for it to
> apply to authentication.

Agreed. The quote is from RFC793, which is for TCP. Its application to
this situation is questionable, in my opinion.

------------

In <3675.650616417@cs.nott.ac.uk> Julian Onions writes:
>
> insisting on reverse lookup gives you two things.
>
> 1) It forces maintainers to put more effort into getting their DNS
> system setup correctly. If they can't talk to you, and you're important
> enough it is a good impetus. If people can survive with the status
> quo, there is no incentive to put effort into fixing broken things.
>
> 2) It is not solid, but it does give you an idea where to look when
> trouble happens. If you can't reverse lookup an address, then you are
> really stuck. If you can reverse lookup an address, you at least have
> a starting point and it means if someone is trying to mess you about,
> they have to work that much harder.
>
> You can't force people to register themselves, but you can make it
> damned awkward for them. From my limited experience of Internet DNS
> usage, it appears to be getting more robust. Now is probably the time
> to turn the screws down tighter and make people put more effort into
> getting all their records straight.

------------

In <90.223.03:51:07@ira.uka.de> Arnold Nipper writes:
>
> why so much cry about it?? You can patch the ftpd to ignore connections
> not to be able to give an inverse mapping, or am I wrong? As far as I know
> it's an option given via the Makefile.

Sorry, I didn't mean to cry.. )-;

------------

In Edward Vielmetti writes:
>
> I see anonymous FTP servers that bounce connections from people
> without functioning .in-addr.arpa pointer records as the rough moral
> equivalent of the Rabid Rerouters (and Domain Absolutist Rabid
> Rerouters etc) discussed not so long ago in comp.mail.uucp.
> It's not
> appropriate for everyone in the world to run them, but the presence of
> a few of them in the world calls attention to the problem and are
> a good thing On The Whole even though in some cases some people are
> inconvenienced.

My site isn't some wonderful archive server. If I don't allow
connections under certain circumstances, nothing monumental is lost.

> Besides it provides a real easy touchstone on whether your in-addr
> stuff is working ok, just FTP to uunet and see if you get in....

So you mean I'd actually be *helping* folks out! I think I've been
persuaded :-)

------------

In <1990Aug10.214533.18331@ux1.cso.uiuc.edu> Paul Pomes includes ftpd.c diffs:
>
> Here are my changes to ftpd.c (V5.28 from uunet) that implements command
> logging, enhanced local access, and restricted use if the IP inverse mapping
> doesn't exist.
>
> [diffs deleted]

This may be just the thing. I've not decided for sure, but it's likely
I'll use this scheme. No one has said that it would be a violation of
the specifications for telnet or ftp... that was what my ear was
particularly tuned for.

Thanks,

^Deke Kassabian, deke@ee.rochester.edu or ur-valhalla!deke
Univ of Rochester, Dept of EE, Rochester, NY 14627 (+1 716-275-3106)
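As an added example (not code from the thread, from uunet, or from any ftpd), here is the inverse-mapping gate the posters describe, extended with a forward-confirmation step that addresses Jeff Makey's point that the mere existence of a PTR record proves little: the name the PTR returns must itself resolve back to the peer's address, so the owner of the forward zone vouches for it too. The resolver tables, addresses and host names are constructed so it runs offline; a real server would call the system resolver (socket.gethostbyaddr and socket.getaddrinfo) in their place.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory stand-in for DNS; none of these hosts is real.
PTR = {
    "192.0.2.10": "good.example.net",   # forward record agrees
    "192.0.2.20": "liar.example.org",   # forward record points elsewhere
    # 192.0.2.30 deliberately has no PTR record at all
}
A = {
    "good.example.net": ["192.0.2.10"],
    "liar.example.org": ["198.51.100.7"],
}

# Refusal text as quoted from uunet in the thread.
REFUSAL = (
    "Can't map to a valid hostname.\n"
    "We only allow ftp from recognized sites.\n"
    "Get your system administrator to fix your domain servers."
)


@dataclass
class Verdict:
    accept: bool
    hostname: Optional[str]
    reason: str


def check_peer(addr: str, ptr=PTR, a=A) -> Verdict:
    """Decide whether to admit a connection from addr.

    Step 1 is the bare inverse lookup the thread argues about.
    Step 2 forward-confirms the returned name, so a PTR record that
    names somebody else's host is not taken at face value."""
    name = ptr.get(addr)
    if name is None:
        return Verdict(False, None, "no in-addr.arpa PTR record")
    if addr not in a.get(name, []):
        return Verdict(False, name, "PTR name does not resolve back to peer")
    return Verdict(True, name, "forward-confirmed reverse mapping")


def greet(addr: str) -> str:
    """Text the server would send: a welcome, or the refusal before closing."""
    v = check_peer(addr)
    return f"Welcome, {v.hostname}" if v.accept else REFUSAL
```

A host whose PTR names a machine it does not control now fails the gate with a distinct reason, which is also the log line a defender wants when tracing an incident back along the path Julian Onions describes.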