[introduction]

Security proxies (at least those from the fwtk family) start by double-DNS resolving the source host (that is, they get the hostname corresponding to the IP address, then use this name to get the list of corresponding IP addresses, and then check that the "original" IP address is in this list). The reason for the reverse lookup is that you can't trust the direct lookup unless you reverse it, since it is harder for an attacker to subvert someone else's DNS server than to configure his. Also, if your access rules specify a hostname, such as "allow http requests coming from itrust.my.friend", then the proxy needs to resolve the IP address to check whether the rule applies or not; and finally, it needs to double check to guard against a DNS spoof.

[problem statement]

So, there are valid reasons to do the DNS direct and reverse lookups. Now, these have an associated cost. DNS lookups take time, and this will delay legitimate traffic (and use CPU). Thus my questions:

- Why do DNS checking if access control is not based on DNS names? Rejecting spoofers also rejects misconfigured hosts.
- Sometimes, DNS checking might be desired but is not relied upon. It is then only used as hints in the logs. In this case, I wonder whether a reverse lookup is really worth it.

If these "thoughts" are justified, this means that a solution is to allow the admin to specify the list of hosts for which a DNS check is done. One solution would be to allow a syntax like the one below in the /etc/hosts:

1.2.3.0/255.255.255.0 i.want.nodns

when a DNS lookup for 1.2.3.4 "quickly" yields 4i.want.nodns. This would "make everyone happy" and allows disabling DNS checks for some hosts.

I'll appreciate your comments.

cheers,
mouss
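As an added illustration of the double-DNS check described in the post (not code from the fwtk proxies or from the poster), here is the forward-confirmed reverse lookup with the proposed per-network exemption list. The resolver tables, addresses and hostnames are constructed so the example runs offline; the exemption list is an assumed CIDR list standing in for the suggested /etc/hosts syntax.

```python
import ipaddress

# Constructed stand-ins for real DNS; a real proxy would call
# socket.gethostbyaddr() (PTR) and socket.getaddrinfo() (A/AAAA).
PTR_TABLE = {
    "192.0.2.10": "good.example.net",    # PTR and A agree: verified
    "192.0.2.11": "spoof.example.net",   # attacker-controlled PTR, A disagrees
}
A_TABLE = {
    "good.example.net": ["192.0.2.10"],
    "spoof.example.net": ["198.51.100.5"],
}

# Assumed form of the poster's "i.want.nodns" idea: networks for which
# the proxy skips DNS entirely (constructed value).
NODNS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def reverse_lookup(ip):
    """PTR lookup against the constructed table (None if no record)."""
    return PTR_TABLE.get(ip)


def forward_lookup(name):
    """A lookup against the constructed table (empty list if no record)."""
    return A_TABLE.get(name, [])


def double_dns_check(ip, nodns=NODNS_NETWORKS):
    """Return (status, name): 'skipped', 'unknown', 'verified' or 'mismatch'.

    'verified' means the name obtained from the PTR record resolves back
    to a set of addresses that contains the original IP.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in nodns):
        return ("skipped", None)          # admin opted this network out
    name = reverse_lookup(ip)
    if name is None:
        return ("unknown", None)          # misconfigured host: no PTR
    if ip in forward_lookup(name):
        return ("verified", name)
    return ("mismatch", name)             # PTR not confirmed: treat as spoof


def allowed_by_name(ip, allowed_names):
    """Hostname-based rule: only a verified name may match the rule."""
    status, name = double_dns_check(ip)
    return status == "verified" and name in allowed_names
```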
