Path: utzoo!utgpu!watserv1!watmath!att!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!julius.cs.uiuc.edu!ux1.cso.uiuc.edu!mp.cs.niu.edu!rickert
From: rickert@mp.cs.niu.edu (Neil Rickert)
Newsgroups: comp.protocols.tcp-ip.domains
Subject: Re: PTR records of gateways on the Internet
Message-ID: <1991Jan13.144605.25935@mp.cs.niu.edu>
Date: 13 Jan 91 14:46:05 GMT
References: <1991Jan13.054040.21009@riacs.edu>
Organization: Northern Illinois University
Lines: 56

In article <1991Jan13.054040.21009@riacs.edu> medin@cincsac.arc.nasa.gov (Milo S. Medin) writes:
>
>Bull. The DNS system is a distributed database. Are you saying that you
>don't care how valid the information is as long as it tells you something??
>If you can tell someone has misconfigured things or is trying to spoof your
>system, that's pretty useful info for me.
>

I am not saying this. I am saying that when you have a distributed database
with widely distributed control, you can NEVER guarantee that the data is
valid or consistent. But just because there may be invalid data, that is
no reason to break your software so that it can't even read the data.
Put your consistency checks in those few packages (rlogind, etc) that
need it. And don't assume that even these consistency checks guarantee
security. Real security would require rlogind and other such software
to limit access to a prescribed set of networks or subnets which are
known to be well managed and secure. If this were done the PTR record
spoofing would become unimportant.

>As for using it in only things that require .rhosts type of files, well, I'm
>sure you'd be rather annoyed when someone breaks into your machine from the
>Internet and spoofs the PTR information so that when you try and contact
>the system admin. of the host that connected to you, you get nowhere.

Ah, but if someone spoofs the PTR info, what makes you think the sysadmin
would be helpful anyway. Either the whole domain isn't administered, or
the admin is involved, if the DNS records are incorrect. If this security
checking is done in rlogind, rather than gethostbyaddr() you still can be
just as effective in reducing the security exposures. If someone can break
in with telnet, they can probably break in with a telephone and a modem.

>I can't believe all this garbage blaming the resolver code!!! If you
>have a problem with the NSS's not doing this, call MERIT and complain. I notice
>most other people seem to get this right. Don't blame the resolver for doing
>the right thing. If this REALLY annoys you, why not just relink traceroute
>with the straight BSD resolver?

Sigh... This subject line started with a complaint that there are PTR
records for which the corresponding A-records do not exist.

The point is this: It would be possible to set standards requiring that
where a PTR record exists the corresponding A record must also exist. The
net effect will be the removal of many PTR records from the DNS, and this
will be a net loss of information. If this removal of PTR records is what
you want, you have no reason to complain for your modified gethostbyaddr()
is effectively removing these PTR records anyway. You may think your
complaint will get you back the info, but at best it will cause the rest
of the Internet to also lose the information.

If administrators don't want to advertise an A-record for whatever reason,
they won't. They place the PTR records there to give some additional
identification information, but can quite easily remove them if push comes
to shove.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science               Northern Illinois Univ.
DeKalb, IL 60115                                +1-815-753-6940
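As an added illustration (not code from the post or from any BSD resolver), the split the post argues for: a plain gethostbyaddr() that returns whatever PTR exists, and the PTR/A consistency check plus the trusted-subnet restriction done in the application (rlogind) instead. The PTR and A tables and the addresses in them are constructed stand-ins for real DNS answers so the example runs offline.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed reverse zone: address -> PTR target (the name claimed for it).
PTR_TABLE: Dict[str, str] = {
    "192.0.2.10": "host.example.net.",     # PTR and A agree
    "192.0.2.20": "gateway.example.org.",  # PTR exists, no A record (the gateway case)
    "192.0.2.30": "trusted.example.com.",  # PTR names a host whose A is elsewhere
}

# Constructed forward zone: name -> A records.
A_TABLE: Dict[str, List[str]] = {
    "host.example.net.": ["192.0.2.10"],
    "trusted.example.com.": ["198.51.100.7"],
}

def gethostbyaddr(addr: str) -> Optional[str]:
    """Plain reverse lookup: the PTR name or None. It passes judgement on
    nothing, so the identification information in a PTR is never lost here."""
    return PTR_TABLE.get(addr)

def classify_peer(addr: str) -> Tuple[str, Optional[str]]:
    """Forward-confirm the reverse name. Returns (status, ptr_name):
    'no-ptr'      - nothing to check
    'confirmed'   - the PTR name has an A record covering addr
    'unconfirmed' - the PTR name has no A record at all; keep it for logging
    'mismatch'    - the PTR name resolves, but not to addr; treat as spoofed"""
    name = gethostbyaddr(addr)
    if name is None:
        return "no-ptr", None
    addrs = A_TABLE.get(name)
    if addrs is None:
        return "unconfirmed", name
    return ("confirmed" if addr in addrs else "mismatch"), name

def rlogind_allows(addr: str, trusted_hosts: List[str],
                   trusted_nets: List[str]) -> bool:
    """The decision rlogind would make for a .rhosts-style host entry:
    the peer must sit in a prescribed, well-managed subnet, and only a
    forward-confirmed name may satisfy a host match. The name is still
    available from classify_peer() for the audit log in every other case."""
    peer = ipaddress.ip_address(addr)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_nets):
        return False
    status, name = classify_peer(addr)
    return status == "confirmed" and name in trusted_hosts
```

The "unconfirmed" case is the gateway PTR from the subject line: the name is kept and logged, it just cannot satisfy a host match on its own.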