On 2011-11-08 13:27 , Mark Andrews wrote:
> In message <[email protected]>, Jeroen Massar writes:
>> On 2011-11-08 12:05 , Mark Andrews wrote:
>>> In message <[email protected]>, Seth Mos writes:
>> [..]
>>> Sounds like FUD. Who has trusted the contents of a PTR record in the
>>> last 2 decades?
>>
>> Lots of tools (read: SSH, Spam-checks, oh and IRCd's ;) trust PTR, but
>> only if the reverse => forward => reverse. And you don't want to know
>> how many silly people enable the "if user comes from .in they must be
>> from Indonesia^WIndia thus block them" Apache option as recently
>> mentioned on this very thread.
>
> They aren't trusting the reverse record. They are trusting the forward
> record to verify the reverse record. They know that the reverse record
> is untrustworthy as the owner of the reverse zone can put whatever they
> want there without spoofing anything.

Of course that is the case. The PTR itself is useless, but in combination
with checking it against the forward it is a very valuable resource.
(Add DNSSEC to the mix and you are even sure that nobody spoofed it on
the wire for you ;)

>> Also, note that your precious operating system will likely store the
>> PTR, sometimes even without doing the reverse->forward->reverse check.
>
>> As such, you set up a PTR + Forward properly for a host, try to 'hack' a
>> box by password guessing, the log entries will only have the PTR
>> recorded, and you just drop the PTR+Forward from DNS (as they are under
>> your control); the admin comes in, sees all those nice hosts in their
>> logs but as it is gone from DNS will never ever find you. This
>> especially goes for 'who' (utmp) which makes that mistake. Fortunately
>> SSH at least logs both IP + hostname, the more info the better.
>
> Who trusts logs of names without actual addresses? No one sane
> does.

Well, only one decade back some people from this very list mentioned that
to a certain OS that is used quite a lot by a lot of people:

http://www.freebsd.org/cgi/query-pr.cgi?pr=22595

And today that is still the case:

http://www.freebsd.org/cgi/man.cgi?query=utmp&sektion=5

Note there is just ut_host; there is no address being stored. I hope you
yourself btw don't use any FreeBSD based devices, as otherwise that little
attempt at an insult goes for you too ;)

>> That said though the PTR->forward->PTR check is a proper check and a
>> really great way to figure out if the source SMTP host was actually set
>> up with at least some admin doing it the right way. If they can't be
>> bothered to set that up, why should you bother to accept that mail, or a
>> better choice, just score it a bit negatively at least.
>
> Which only works as a filter because ISP's decided to prevent home
> users from putting valid PTR records in the DNS for their own
> machines. It has nothing to do with clue or knowledge.

I don't think ISPs 'decide' to not let users set up reverse DNS, it is
generally a 'feature' for which they can ask more moneyz. If ISPs would
allow it (which I am for btw) then they only pass the test anyway if they
can properly set up reverse->forward->reverse. Which is likely the case
anyway for quite some ISPs who populate reverses with a matching
forward&reverse based on the IP.

Greets,
 Jeroen
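The reverse->forward->reverse (forward-confirmed reverse DNS) check discussed in the thread, and the "log both IP and hostname" point, as an added example that is not part of the original message. The zone data, hostnames and addresses below are constructed for the example; the lookups are plain dict reads standing in for real resolver calls, so it runs offline.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Constructed sample zone data (hypothetical names/addresses, not from the thread).
# PTR records keyed by canonical IP text; A/AAAA records keyed by hostname.
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.net."],     # forward confirms the PTR
    "192.0.2.11": ["static.example.net."],   # forward points at another IP
    "192.0.2.12": ["ghost.example.net."],    # forward record has been removed
    "2001:db8::25": ["mx6.example.net."],    # IPv6, forward confirms the PTR
}
FORWARD_RECORDS = {
    "mail.example.net.": ["192.0.2.10"],
    "static.example.net.": ["198.51.100.7"],
    "mx6.example.net.": ["2001:DB8:0:0:0:0:0:25"],  # non-canonical spelling
}

Lookup = Callable[[str], Iterable[str]]

def sample_ptr(ip: str) -> Iterable[str]:
    return PTR_RECORDS.get(ip, [])

def sample_forward(name: str) -> Iterable[str]:
    return FORWARD_RECORDS.get(name, [])

def fcrdns(ip: str, ptr_lookup: Lookup, forward_lookup: Lookup) -> Optional[str]:
    """Return the hostname only if PTR -> forward -> PTR closes the loop.

    A PTR whose owner's forward records do not contain the original address is
    discarded, so an attacker controlling only the reverse zone gains nothing.
    """
    try:
        addr = ipaddress.ip_address(ip)   # normalises IPv4/IPv6 text forms
    except ValueError:
        return None
    for name in ptr_lookup(str(addr)):
        forwards = set()
        for a in forward_lookup(name):
            try:
                forwards.add(ipaddress.ip_address(a))
            except ValueError:
                continue                  # ignore junk in the forward answer
        if addr in forwards:
            return name.rstrip(".")
    return None

def log_entry(ip: str, ptr_lookup: Lookup, forward_lookup: Lookup) -> str:
    """Always record the address; the name is only ever an unverified extra."""
    host = fcrdns(ip, ptr_lookup, forward_lookup) or "unverified"
    return f"connection from {host} [{ip}]"
```

Note that the address is kept in the log line even when the check succeeds, so the record survives the PTR and forward entries being removed later.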

