Discussion:
Reverse DNS optional?
glen herrmannsfeldt
2015-02-03 02:08:40 UTC
I was wondering how reverse DNS is supposed to be used.
Consider some choices:

A: Nobody uses it, and it is a waste of time to set up the servers.

B: Some do, some don't, don't be surprised if it doesn't work.

C: Only hosts that make outgoing connections need DNS, don't waste
the time otherwise.

D: Hosts that make outgoing connections and router ports need rDNS.

E: Every host (and each port of multi-homed hosts) should have rDNS,
but the network police won't arrest you for not doing it.

F: Network administrators who don't configure reverse DNS should
be shot.


thanks,

-- glen
Moe Trin
2015-02-03 21:58:29 UTC
On Tue, 3 Feb 2015, in the Usenet newsgroup comp.protocols.tcp-ip, in article
Post by glen herrmannsfeldt
A: Nobody uses it, and it is a waste of time to set up the servers.
A: Nobody uses it, and it is too HARD to set up the servers. ;-)

I've also seen people who avoid setting things up because it's a huge
security hole if you let people figure out host names... either that
or they make you the object of intense laughter/ridicule. I've also
seen a lot of setups where "dig -x 192.0.2.22" would return the answer
"22.2.0.192-in-addr.arpa" (PTR records obviously created by a perl or
shell script).
Post by glen herrmannsfeldt
C: Only hosts that make outgoing connections need DNS, don't waste
the time otherwise.
man 5 hosts_access

PARANOID
Matches any host whose name does not match its address. When tcpd
is built with -DPARANOID (default mode), it drops requests from
such clients even before looking at the access control tables.
Build without -DPARANOID when you want more control over such
requests.

tcp_wrappers hasn't been maintained, and the last version released, 7.6,
is dated 7 April 1997. On the other hand, I think most SMTP
servers are also set to require matching DNS entries.
Post by glen herrmannsfeldt
E: Every host (and each port of multi-homed hosts) should have rDNS,
but the network police won't arrest you for not doing it.
But therein lies the rub - I don't see where PTR records are a "MUST"
in the standards. RFC2050 was a "BEST CURRENT PRACTICE" document (and
section 5 of that document related to "In-ADDR.ARPA Domain Maintenance"),
not an "INTERNET STANDARD" (or DRAFT or PROPOSED standard). Likewise,
RFC3172.
Post by glen herrmannsfeldt
F: Network administrators who don't configure reverse DNS should
be shot.
Hmmmm.....

Old guy
D. Stussy
2015-02-04 23:17:24 UTC
"Moe Trin" wrote in message news:***@planck.phx.az.us...
On Tue, 3 Feb 2015, in the Usenet newsgroup comp.protocols.tcp-ip, in
article
Post by glen herrmannsfeldt
A: Nobody uses it, and it is a waste of time to set up the servers.
A: Nobody uses it, and it is too HARD to set up the servers. ;-)

I've also seen people who avoid setting things up because it's a huge
security hole if you let people figure out host names... either that
or they make you the object of intense laughter/ridicule. I've also
seen a lot of setups where "dig -x 192.0.2.22" would return the answer
"22.2.0.192-in-addr.arpa" (PTR records obviously created by a perl or
shell script).
Post by glen herrmannsfeldt
C: Only hosts that make outgoing connections need DNS, don't waste
the time otherwise.
man 5 hosts_access

PARANOID
Matches any host whose name does not match its address. When tcpd
is built with -DPARANOID (default mode), it drops requests from
such clients even before looking at the access control tables.
Build without -DPARANOID when you want more control over such
requests.

tcp_wrappers hasn't been maintained, and the last version released, 7.6,
is dated 7 April 1997. On the other hand, I think most SMTP
servers are also set to require matching DNS entries.
Post by glen herrmannsfeldt
E: Every host (and each port of multi-homed hosts) should have rDNS,
but the network police won't arrest you for not doing it.
But therein lies the rub - I don't see where PTR records are a "MUST"
in the standards. RFC2050 was a "BEST CURRENT PRACTICE" document (and
section 5 of that document related to "In-ADDR.ARPA Domain Maintenance"),
not an "INTERNET STANDARD" (or DRAFT or PROPOSED standard). Likewise,
RFC3172.
Post by glen herrmannsfeldt
F: Network administrators who don't configure reverse DNS should
be shot.
Hmmmm.....
=================

If you want to send email, you'd better have it for your outbound mail
server(s). Not having it has its own SMTP denial error message code
(5.7.25). VoIP services also demand it.
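The check that both posts above lean on is the same one: look up the PTR for the connecting address, resolve the name you get back, and require the original address to be in the answer (forward-confirmed reverse DNS). That is what tcpd's PARANOID keyword does before it reads the access tables, and it is what an MTA is reporting when it answers with enhanced status 5.7.25 ("Reverse DNS validation failed", RFC 7372). The block below is an added example, not code from tcp_wrappers, any MTA, or anyone in this thread. It runs against constructed in-memory records (the example.net/example.org names and 192.0.2.x / 2001:db8:: addresses are made up), and the connection-time SMTP policy it applies is the example's own choice, not any MTA's default.

```python
"""
Forward-confirmed reverse DNS (FCrDNS) against a constructed resolver.

This is an added example: the record data is made up, and the "MTA policy"
is illustrative. Real code would query DNS (e.g. via dnspython) instead of
the two dicts below, and would treat lookup *errors* (SERVFAIL, timeout)
as a temporary 4.7.25 rather than a permanent 5.7.25.
"""
import ipaddress


def reverse_name(ip: str) -> str:
    """Owner name that `dig -x` queries: x.x.x.x.in-addr.arpa. or the
    nibble-reversed name under ip6.arpa. for IPv6 (absolute, trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed PTR data (owner name -> target). Not real hosts.
PTR = {
    reverse_name("192.0.2.10"): "mail.example.net.",
    # The script-generated placeholder Moe Trin describes: a PTR whose target
    # is just the reverse name with a hyphen. Nothing resolves it forward.
    reverse_name("192.0.2.22"): "22.2.0.192-in-addr.arpa.",
    # A PTR pointing at a real name whose A record is a *different* address.
    reverse_name("192.0.2.30"): "www.example.org.",
    # 1.0.0.0.(...).8.b.d.0.1.0.0.2.ip6.arpa. -> v6host
    reverse_name("2001:db8::1"): "v6host.example.net.",
}

# Constructed forward data (name -> set of A/AAAA addresses).
FORWARD = {
    "mail.example.net.": {"192.0.2.10"},
    "www.example.org.": {"192.0.2.31"},
    "v6host.example.net.": {"2001:db8::1"},
}


def fcrdns(ip: str, ptr=PTR, forward=FORWARD):
    """Return (status, name).

    "ok"        PTR exists and the name resolves back to ip.
    "no-ptr"    no PTR at all (tcpd calls such a client UNKNOWN, not PARANOID).
    "mismatch"  PTR exists but its name does not resolve back to ip; this is
                exactly what tcpd's PARANOID keyword matches.
    """
    name = ptr.get(reverse_name(ip))
    if name is None:
        return "no-ptr", None
    target = ipaddress.ip_address(ip)
    addrs = forward.get(name, set())
    if any(ipaddress.ip_address(a) == target for a in addrs):
        return "ok", name
    return "mismatch", name


def tcpd_paranoid_drops(ip: str) -> bool:
    """A tcpd built with -DPARANOID drops the request before consulting
    hosts.allow/hosts.deny when name and address disagree."""
    return fcrdns(ip)[0] == "mismatch"


def smtp_connect_reply(ip: str) -> str:
    """Connection-time reply under an illustrative 'require FCrDNS' policy.
    5.7.25 is the RFC 7372 enhanced status code for reverse DNS validation
    failure; the choice to reject at all is this example's policy."""
    status, name = fcrdns(ip)
    if status == "ok":
        return f"220 mx.example.net ESMTP (client {name} verified)"
    if status == "no-ptr":
        reason = "no PTR record"
    else:
        reason = f"PTR {name} does not resolve back to {ip}"
    return f"550 5.7.25 Reverse DNS validation failed for [{ip}]: {reason}"


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.22", "192.0.2.30",
                   "192.0.2.99", "2001:db8::1"):
        print(f"{client:<14} {reverse_name(client):<45} "
              f"{fcrdns(client)!s:<45} PARANOID={tcpd_paranoid_drops(client)}")
        print("   ", smtp_connect_reply(client))
```

The placeholder PTR for 192.0.2.22 fails not because the name looks odd but because it never resolves forward, which is the only property the check actually tests. Note also that 192.0.2.99 has no PTR at all and is therefore not a PARANOID match; whether a nameless client is accepted is a separate decision made in the access tables (or, for the MTA, by whether the policy insists on a PTR).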
Tim K
2015-03-13 09:15:51 UTC
Post by Moe Trin
On Tue, 3 Feb 2015, in the Usenet newsgroup comp.protocols.tcp-ip, in article
Post by glen herrmannsfeldt
A: Nobody uses it, and it is a waste of time to set up the servers.
A: Nobody uses it, and it is too HARD to set up the servers. ;-)
I've also seen people who avoid setting things up because it's a huge
security hole if you let people figure out host names... either that
or they make you the object of intense laughter/ridicule. I've also
seen a lot of setups where "dig -x 192.0.2.22" would return the answer
"22.2.0.192-in-addr.arpa" (PTR records obviously created by a perl or
shell script).
Post by glen herrmannsfeldt
C: Only hosts that make outgoing connections need DNS, don't waste
the time otherwise.
man 5 hosts_access
PARANOID
Matches any host whose name does not match its address. When tcpd
is built with -DPARANOID (default mode), it drops requests from
such clients even before looking at the access control tables.
Build without -DPARANOID when you want more control over such
requests.
tcp_wrappers hasn't been maintained, and the last version released, 7.6,
is dated 7 April 1997. On the other hand, I think most SMTP
servers are also set to require matching DNS entries.
Post by glen herrmannsfeldt
E: Every host (and each port of multi-homed hosts) should have rDNS,
but the network police won't arrest you for not doing it.
But therein lies the rub - I don't see where PTR records are a "MUST"
in the standards. RFC2050 was a "BEST CURRENT PRACTICE" document (and
section 5 of that document related to "In-ADDR.ARPA Domain Maintenance"),
not an "INTERNET STANDARD" (or DRAFT or PROPOSED standard). Likewise,
RFC3172.
Post by glen herrmannsfeldt
F: Network administrators who don't configure reverse DNS should
be shot.
Hmmmm.....
Old guy
I hear you, but things have changed. DNS was never a good security mechanism, although in this case (tcpwrappers:PARANOID) it clearly is being used that way. Security practices have improved, and checking whether an incoming host's name matches its PTR record has been disregarded, because it was frankly a silly check to begin with. What it really meant was that your organization was important enough for your ISP to actually pay attention to your request for a PTR. :)

Still, on a private network they're quite useful unless you like memorizing ip addresses, but frankly, the way people name machines now, you may as well.
Rick Jones
2015-02-05 22:03:44 UTC
Post by glen herrmannsfeldt
I was wondering how reverse DNS is supposed to be used.
...
F: Network administrators who don't configure reverse DNS should
be shot.
I'll go with F :)

rick jones
--
Don't anthropomorphize computers. They hate that. - Anonymous
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
Emil Naepflein
2015-02-10 05:45:20 UTC
On Tue, 3 Feb 2015 02:08:40 +0000 (UTC), glen herrmannsfeldt
Post by glen herrmannsfeldt
F: Network administrators who don't configure reverse DNS should
be shot.
There are applications that use rDNS for authentication, filtering, ... .
Barry Margolin
2015-02-10 06:42:32 UTC
Post by Emil Naepflein
On Tue, 3 Feb 2015 02:08:40 +0000 (UTC), glen herrmannsfeldt
Post by glen herrmannsfeldt
F: Network administrators who don't configure reverse DNS should
be shot.
There are applications that use rDNS for authentication, filtering, ... .
For those, this is the relevant case:

C: Only hosts that make outgoing connections need DNS, don't waste
the time otherwise.
--
Barry Margolin
Arlington, MA
glen herrmannsfeldt
2015-02-10 08:28:57 UTC
(snip)
Post by glen herrmannsfeldt
Post by Emil Naepflein
There are applications that use rDNS for authentication, filtering, ... .
C: Only hosts that make outgoing connections need DNS, don't waste
the time otherwise.
OK, but if you are using someone else's network, such as someone
you are working for, how do you tell them to fix it?

They seem to believe that if it has been working fine for years,
no problem. (I presume no-one else complained.)

-- glen
Barry Margolin
2015-02-10 08:33:05 UTC
Post by glen herrmannsfeldt
(snip)
Post by glen herrmannsfeldt
Post by Emil Naepflein
There are applications that use rDNS for authentication, filtering, ... .
C: Only hosts that make outgoing connections need DNS, don't waste
the time otherwise.
OK, but if you are using someone else's network, such as someone
you are working for, how do you tell them to fix it?
They seem to believe that if it has been working fine for years,
no problem. (I presume no-one else complained.)
You tell their IT Department "I'm trying to connect to our headquarters,
and I can't get in because you don't have proper reverse DNS."
--
Barry Margolin
Arlington, MA
Emil Naepflein
2015-02-11 05:12:17 UTC
Post by glen herrmannsfeldt
Post by Emil Naepflein
On Tue, 3 Feb 2015 02:08:40 +0000 (UTC), glen herrmannsfeldt
Post by glen herrmannsfeldt
F: Network administrators who don't configure reverse DNS should
be shot.
There are applications that use rDNS for authentication, filtering, ... .
C: Only hosts that make outgoing connections need DNS, don't waste
the time otherwise.
Outgoing doesn't mean outgoing to the internet, but also outgoing to the local
network. Only pure servers may not make outgoing connections, but even they may
use rDNS for some purpose.
Tim K
2015-03-13 09:05:49 UTC
Post by glen herrmannsfeldt
I was wondering how reverse DNS is supposed to be used.
A: Nobody uses it, and it is a waste of time to set up the servers.
I'm not sure I understand ... if your network is private, you'll be using the same servers you're using anyway. If it's public, they're your ISP's.
Post by glen herrmannsfeldt
B: Some do, some don't, don't be surprised if it doesn't work.
C: Only hosts that make outgoing connections need DNS, don't waste
the time otherwise.
D: Hosts that make outgoing connections and router ports need rDNS.
E: Every host (and each port of multi-homed hosts) should have rDNS,
but the network police won't arrest you for not doing it.
F: Network administrators who don't configure reverse DNS should
be shot.
I agree! I always do; it decreases latency in user requests across the board, and it adds up to a sizable difference. Laziness is the only reason I can think of for not configuring it.
h***@gmail.com
2016-09-27 21:07:50 UTC
Post by Tim K
Post by glen herrmannsfeldt
I was wondering how reverse DNS is supposed to be used.
A: Nobody uses it, and it is a waste of time to set up the servers.
I'm not sure I understand ... if your network is private, you'll be using
the same servers you're using anyway. If it's public, they're your ISP's.
Well, yes, it could be the ISP. Some years ago, with ATTBI I believe, before
it was Comcast, I complained that the address they assigned to me
didn't have a reverse, and I was having problems contacting sites.
(Many ftp sites would refuse connections.) They fixed it.

But there are also private organizations big enough to be their
own ISP, or otherwise to administer a significant number of
publicly addressable hosts.

thanks!
