Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!crdgw1!barnett
From: barnett@grymoire.crd.ge.com (Bruce Barnett)
Newsgroups: comp.mail.sendmail
Subject: Re: More problems with sendmail/IDA and DECnet
Message-ID:
Date: 13 Jun 91 19:03:13 GMT
References: <1991Jun11.173526.15436@njitgw.njit.edu> <1991Jun11.182958.18722@mp.cs.niu.edu> <1991Jun11.223410.4007@solbourne.com>
Sender: news@crdgw1.crd.ge.com
Reply-To: barnett@crdgw1.ge.com
Organization: GE Corp. R & D, Schenectady, NY
Lines: 32
In-reply-to: kre@cs.mu.oz.au's message of 12 Jun 91 00:12:32 GMT

In article kre@cs.mu.oz.au (Robert Elz) writes:
> kucharsk@solbourne.com (William Kucharski) writes:
>
> >I've seen more than a few systems that want to keep
> >internal network details from the Internet yet which run DNS.
>
> That's security through obscurity, and it doesn't work. Much better
> would be to install filters on the gateway, and prevent packets getting
> near hosts that aren't supposed to receive them, than to try and keep
> name->address translations hidden from the world.

Security is one thing. Advertising unconnected networks is another.

Example: The internal GE network is a Class A network. It is not connected to the Internet. Our Internet gateway is on both networks, and has to forward mail between the internal and external network.

If the internal network numbers were advertised to the outside, then we would get grief for discussing IP addresses that are unreachable. Bad manners.

Filters wouldn't help, because the responses to address queries are supposed to go out. The BIND software does not give different responses based on where the request came from. It always responds the same.

Our gateway is on both networks, but only advertises one address. Our internal machines are in the local host table, but missing from the DNS.

--
Bruce G. Barnett barnett@crdgw1.ge.com uunet!crdgw1!barnett
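The arrangement Barnett describes (dual-homed gateway advertising only its external address, internal hosts kept in the local host table and out of the published zone) only holds up if nobody later slips an internal address into the public zone file. The following is an added example, not code from the post or from BIND: a small audit that parses a BIND-style zone and reports every A/AAAA record whose address falls inside a network that is not supposed to be advertised. The zone text and the internal range `10.0.0.0/8` (standing in for the unnamed internal Class A network) are constructed for illustration.

```python
import ipaddress

# Assumption for the example: the internal, non-Internet-connected Class A network.
# The post names no address, so 10.0.0.0/8 is a stand-in.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample of an externally served zone (not a real GE zone).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@        IN SOA  ns1.example.com. hostmaster.example.com. (1 3600 900 604800 86400)
@        IN NS   ns1.example.com.
ns1      IN A    192.0.2.1       ; gateway, external side only
gateway  IN A    192.0.2.1
gateway  IN A    10.1.2.3        ; internal side of the dual-homed gateway, leaked
mailhub  IN A    10.5.6.7        ; internal-only host that belongs in the host table
www      IN A    198.51.100.10
"""


def _qualify(owner, origin):
    """Turn a zone-file owner name into a fully qualified name under origin."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return owner + "." if origin == "." else owner + "." + origin


def parse_address_records(zone_text):
    """Yield (fqdn, ip_address) for each A/AAAA record in a BIND-style zone.

    Handles $ORIGIN, ';' comments, owner names inherited from the previous
    record (line starts with whitespace) and the optional TTL/class fields.
    Other record types (SOA, NS, MX, ...) are skipped.
    """
    origin = "."
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue  # $TTL, $INCLUDE and friends carry no address data
        if raw[0].isspace():
            fields = tokens  # owner omitted: inherit the previous owner
        else:
            owner = tokens[0]
            fields = tokens[1:]
        i = 0
        if i < len(fields) and fields[i].isdigit():
            i += 1  # optional TTL
        if i < len(fields) and fields[i].upper() in ("IN", "CH", "HS"):
            i += 1  # optional class
        if i + 1 >= len(fields) or fields[i].upper() not in ("A", "AAAA"):
            continue
        try:
            ip = ipaddress.ip_address(fields[i + 1])
        except ValueError:
            continue  # malformed rdata; not an address we can judge
        yield _qualify(owner, origin), ip


def find_leaks(zone_text, internal_nets):
    """Return [(fqdn, ip_string)] for records that publish an internal address."""
    leaks = []
    for fqdn, ip in parse_address_records(zone_text):
        if any(ip in net for net in internal_nets):
            leaks.append((fqdn, str(ip)))
    return leaks


if __name__ == "__main__":
    for fqdn, ip in find_leaks(SAMPLE_ZONE, INTERNAL_NETS):
        print(f"LEAK: {fqdn} -> {ip} is in a network not advertised outside")
```

Run against a real zone with `find_leaks(open("db.example.com").read(), INTERNAL_NETS)`. On the sample it flags the gateway's internal-side address and the internal-only mail hub, while the gateway's external address and the public web server pass; the same check run before every zone reload is the cheap way to keep "internal machines are missing from the DNS" true over time.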