On Tue, 22 Feb 2005, Pekka Savola wrote:
> However, applying a reverse+forward matching to a specific, configured
> hostname as the _first_ measure of check restricts the attackers to
> those which can control the particular reverse and forward trees, or
> spoof the DNS in a particular way.
>
> This is certainly very useful. It'll prevent random script kiddies
> and port scanners (for example) from attacking a particular service.
>
> It may not be 100% protection against the most determined crackers,
> but that's what the _additional_ protections are for.
As this concept was rather spectacularly shown to be false on a number of
occasions involving attackers' spoofing of bsd r-commands, is it safe to
assume that there is general consensus that the concept of DNS-based
security has no merit, and need not be discussed?
The notion of r-command security seems to me to serve to discredit the
contents of this draft. I cannot believe we are actually debating the view
that bsd r-command security, that is, the in-addr based "security"
assumption, is actually a good idea.
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000
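The reverse+forward matching check under discussion (often called forward-confirmed reverse DNS), written out as an added example that is not part of the thread, so the two failure modes the posters argue about are visible: a PTR record forged by whoever controls the reverse tree is caught by the forward check, while an attacker who controls or spoofs both trees passes. The zone data, hostnames and addresses are constructed for offline use; the `system_*` helpers show where a real resolver would plug in.

```python
"""Forward-confirmed reverse DNS check: ip -> PTR -> name -> A -> must contain ip."""
import socket
from typing import Callable, Iterable, Optional

# Resolver hooks so the check can run against constructed data (no network).
PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], Iterable[str]]


def fcrdns_matches(ip: str, expected_host: str,
                   ptr: PtrLookup, forward: ALookup) -> bool:
    """True only if the reverse AND forward trees agree that ip is expected_host.

    Reverse step: the PTR for ip must name the configured host. Anyone who
    controls the reverse tree for ip can forge this on its own.
    Forward step: the host's address records must include ip. This defeats a
    forged PTR unless the attacker also controls (or spoofs) the forward tree,
    which is exactly the residual risk raised in the thread.
    """
    name = ptr(ip)
    if name is None:
        return False
    if name.rstrip(".").lower() != expected_host.rstrip(".").lower():
        return False
    return ip in set(forward(name))


def system_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver (hypothetical production hook)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name: str) -> Iterable[str]:
    """Real A/AAAA lookup via the system resolver (hypothetical production hook)."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None)]
    except OSError:
        return []


# Constructed zone data (documentation-range addresses, not real hosts).
FAKE_PTR = {"192.0.2.10": "trusted.example.net.",   # genuine host
            "192.0.2.66": "trusted.example.net."}   # forged PTR, wrong address
FAKE_A = {"trusted.example.net.": ["192.0.2.10"]}


def demo() -> dict:
    ptr = lambda ip: FAKE_PTR.get(ip)
    fwd = lambda name: FAKE_A.get(name, [])
    return {k: fcrdns_matches(ip, "trusted.example.net", ptr, fwd)
            for k, ip in {"legit": "192.0.2.10", "forged_ptr": "192.0.2.66",
                          "no_ptr": "192.0.2.99"}.items()}
```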
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html