On Tue, Aug 30, 2011 at 5:49 PM, Crawford, Scott <[email protected]> wrote:
>> From their description, what that does is look up
>> the name to IP address(es), and then uses that to drive the
>> firewall rule. Which is useful, don't get me wrong, but if the
>> CDN varies the IP address (as some of them do), you might
>> not get the desired results.
>
> On the other hand, if it's doing reverse dns on every ip that
> hits the firewall, it could work.
I thought of that, but it comes with its own problems:

1. Reverse doesn't have to match forward (or even exist)
2. DNS lookups take time (enough to often cause issues)
3. I think there was a third thing but I can't remember it now

#2 is especially bad if you really are looking up *every* address that hits your firewall (as opposed to just certain port #s or whatever).

Again, not saying it can't ever work, just that it's complicated.

> You're assuming they do that only once at rule creation.

Actually I was thinking it would refresh periodically. ;-)

I've actually done similar in a Linux-based firewall, where a cron job would fire periodically and re-do certain name lookups, to catch changes in IP address for a given name.

-- Ben

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
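The periodic re-resolve that Ben describes, as an added example and not his cron job or any script from the thread: each run forward-resolves the configured names, diffs the result against the firewall's current address set, and emits only the adds and deletes needed. It assumes a Linux box where the rule is keyed on an ipset (e.g. `iptables -A INPUT -m set --match-set cdn_allow src -j ACCEPT`); the set name `cdn_allow`, the hostnames and the DNS answers are constructed for the example. The one caveat it builds in is the failure mode Ben's point #2 hints at: a name whose lookup fails or times out keeps its last known addresses rather than being dropped, so a transient DNS problem does not rewrite the rule.

```python
"""Refresh an ipset from DNS names the way a cron-driven rule refresh would:
re-resolve each name, diff against the set's current members, emit only the
adds/deletes needed.  Assumes Linux ipset + iptables; the set name and the
sample DNS answers below are constructed for this example."""
import socket
import subprocess
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str], Set[str]]
State = Dict[str, Set[str]]   # name -> addresses from its last successful lookup


def resolve_ipv4(name: str) -> Set[str]:
    """Forward-resolve NAME to all of its current IPv4 addresses (live DNS)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def refresh_state(names: List[str], state: State,
                  resolver: Resolver = resolve_ipv4) -> Tuple[State, List[str]]:
    """Re-resolve every name.  A name whose lookup fails or returns nothing
    keeps the addresses from the previous run instead of being dropped, so a
    transient DNS failure cannot silently rewrite the firewall rule."""
    new_state: State = {}
    failed: List[str] = []
    for name in names:
        addrs = resolver(name)
        if addrs:
            new_state[name] = addrs
        else:
            new_state[name] = set(state.get(name, set()))
            failed.append(name)
    return new_state, failed


def parse_ipset_members(listing: str) -> Set[str]:
    """Extract member addresses from `ipset list SETNAME` output (everything
    after the 'Members:' line; per-entry options such as 'timeout' are dropped)."""
    members: Set[str] = set()
    in_members = False
    for line in listing.splitlines():
        line = line.strip()
        if in_members and line:
            members.add(line.split()[0])
        elif line == "Members:":
            in_members = True
    return members


def plan_changes(state: State, current: Set[str]) -> Tuple[List[str], List[str]]:
    """Diff the desired addresses (union over all names) against the set's
    current members; returns (to_add, to_delete), both sorted."""
    desired: Set[str] = set().union(*state.values())
    return sorted(desired - current), sorted(current - desired)


def ipset_commands(setname: str, adds: List[str], dels: List[str]) -> List[List[str]]:
    """Build the ipset invocations; -exist makes each one idempotent."""
    cmds = [["ipset", "add", setname, ip, "-exist"] for ip in adds]
    cmds += [["ipset", "del", setname, ip, "-exist"] for ip in dels]
    return cmds


def apply_commands(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Print the commands (dry run) or execute them on the firewall host."""
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


# Constructed DNS answers standing in for two cron runs against a CDN that
# rotates its addresses; cdn-b.example fails to resolve on the second run.
RUN1 = {"cdn-a.example": {"203.0.113.10", "203.0.113.11"},
        "cdn-b.example": {"198.51.100.5"}}
RUN2 = {"cdn-a.example": {"203.0.113.11", "203.0.113.12"},
        "cdn-b.example": set()}

# Constructed `ipset list cdn_allow` output as it would look after run 1.
LISTING_AFTER_RUN1 = """Name: cdn_allow
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 280
References: 1
Number of entries: 3
Members:
203.0.113.10
203.0.113.11
198.51.100.5
"""

if __name__ == "__main__":
    names = sorted(RUN1)
    state, failed = refresh_state(names, {}, lambda n: RUN1[n])
    adds, dels = plan_changes(state, set())
    apply_commands(ipset_commands("cdn_allow", adds, dels))
    state, failed = refresh_state(names, state, lambda n: RUN2[n])
    adds, dels = plan_changes(state, parse_ipset_members(LISTING_AFTER_RUN1))
    print("lookups that failed (old addresses kept):", failed)
    apply_commands(ipset_commands("cdn_allow", adds, dels))
```

In real use the `state` dict would be persisted between cron runs (a small JSON file is enough), `current` would come from `subprocess.run(["ipset", "list", "cdn_allow"], capture_output=True, text=True).stdout`, and `apply_commands` would be called with `dry_run=False`. On the second run above the only change emitted is adding 203.0.113.12 and deleting 203.0.113.10; 198.51.100.5 stays in the set because its name's lookup failed rather than because it was re-confirmed, which is the behaviour you want for an allow rule but worth logging so a permanently dead name does not linger forever.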
