On Thu, 31 May 2007, Andrew Sullivan wrote:
> 
> The popular TCP Wrapper package was originally conceived to discover
> the network location of an attacker [Venema1992].  It used the reverse
> mapping of a connecting host to provide the hostname of that host in
> its output.

No. Early TCP wrappers just provided logs of activity, and then later
provided access control.

 "This paper presents a simple tool to monitor and control incoming
 network traffic. [...]

 "Services  such as finger do not
 require a password, and almost never keep a record of  their
 use.  That  explains  why  all  his  fingering  activity had
 remained unnoticed."
Access control:

 "5.  First extension: access control.
 [...]
     /etc/hosts.deny:

         ALL: terminus.lcs.mit.edu hilltop.rutgers.edu monk.rutgers.edu
         ALL: comserv.princeton.edu lewis-sri-gw.army.mil
         ALL: ruut.cc.ruu.nl 131.211.112.44
         ALL: tip-gsbi.stanford.edu
         ALL: tip-quada.stanford.edu
         ALL: s101-x25.stanford.edu
         ALL: tip-cdr.stanford.edu
         ALL: tip-cromemaa.stanford.edu
         ALL: tip-cromembb.stanford.edu
         ALL: tip-forsythe.stanford.edu"

TCP Wrappers did do access control based on reverse DNS, but that was
soon discovered to be insecure. I note that the original 1992 paper didn't
know that:

 "o    Protection against hosts that pretend to  have  someone
       elses  name  (name  server spoofing). This is important
       for network services  such  as  rsh  and  rlogin  whose
       authentication  scheme  is  based on host names. When a
       host name or address mismatch is detected  the  connec-
       tion  is  dropped  even before the access-control files
       are consulted."

The TCP wrapper program did not succeed at stopping nameserver spoofing,
nor could it. The author (Venema) just didn't know enough about DNS to
know that. This is the origin of the reverse DNS "security" myth.

Years and much effort have been expended to dispel the myth, but true
believers are hard to dissuade. That is a monument to something, but I
don't know what.

                --Dean
-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
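The name-based access check the thread argues about, modelled as an added example (this is not code from the DNSOP thread or from TCP Wrappers): a reverse lookup followed by a forward lookup that must contain the connecting address, run against a constructed in-memory resolver. All zone data, names and addresses below are made up; the point is that the check only tests whether two answers from the same unauthenticated resolver agree with each other.

```python
# Added example, not from the DNSOP thread or from TCP Wrappers itself.
# Models the "paranoid" forward/reverse check against a fake resolver.
from dataclasses import dataclass, field


@dataclass
class FakeResolver:
    """Stand-in for a stub resolver: the check sees whatever the cache holds."""
    ptr: dict = field(default_factory=dict)  # address -> hostname (PTR)
    a: dict = field(default_factory=dict)    # hostname -> [addresses] (A)

    def reverse(self, addr):
        return self.ptr.get(addr)

    def forward(self, name):
        return self.a.get(name, [])


def wrapper_check(resolver, client_addr):
    """Return (hostname, ok); ok=False models dropping the connection on mismatch."""
    name = resolver.reverse(client_addr)
    if name is None:
        return None, False
    if client_addr not in resolver.forward(name):
        return name, False  # forward/reverse mismatch: dropped before hosts.allow
    return name, True


def allowed(resolver, client_addr, trusted_names):
    """hosts.allow-style decision keyed on the hostname the resolver returned."""
    name, ok = wrapper_check(resolver, client_addr)
    return ok and name in trusted_names


TRUSTED = {"trusted.example.net"}

# Constructed honest view: PTR and A records agree; 203.0.113.5 has a PTR
# naming the trusted host but no matching A record, so the mismatch is caught.
honest = FakeResolver(
    ptr={"192.0.2.10": "trusted.example.net", "198.51.100.7": "other.example.org",
         "203.0.113.5": "trusted.example.net"},
    a={"trusted.example.net": ["192.0.2.10"], "other.example.org": ["198.51.100.7"]},
)

# Constructed view of a resolver that has accepted forged answers: both lookups
# now agree for 198.51.100.7, so the consistency check passes and the
# hostname-based rule grants access. Consistency is not authentication.
poisoned = FakeResolver(
    ptr={"192.0.2.10": "trusted.example.net", "198.51.100.7": "trusted.example.net"},
    a={"trusted.example.net": ["192.0.2.10", "198.51.100.7"]},
)
```

The mismatch branch does catch a bare PTR that nothing confirms, which is all the 1992 paper claims; it cannot tell a correct resolver answer from a forged one, which is the gap the thread describes.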
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop