Unless the network is lying to me again, Vincent de Lau said:
> Thanks to CIDR, reverse DNS got a very different face. I do not have control
> over my reverse DNS zone, because I'm not the only one that is in that
> network. (netmask /26)
Only because your upstream is not clued. This is quite easy to do in
a number of different ways.
If your PROVIDER can do something like this:
$ORIGIN 35.72.212.in-addr.arpa.
; provider delegates each address in the /30 to a name under your zone
220 IN CNAME 220.rev.your.domain.
221 IN CNAME 221.rev.your.domain.
222 IN CNAME 222.rev.your.domain.
223 IN CNAME 223.rev.your.domain.
Then, in YOUR dns you have:
$ORIGIN rev.your.domain.
220 IN PTR www.my.domain.
221 IN PTR other.my.domain.
222 IN PTR third.my.domain.
223 IN PTR vpn.my.domain.
> I think reverse DNS checking is not a good way to "authenticate" this kind
> of traffic.
Until you come up with something better (and that is easy to deploy)...
AlanC
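The lookup a resolver performs against the delegation above, as an added example (not the poster's own code): it follows the provider's CNAME into the customer's PTR and then forward-confirms the result. Zone data is embedded inline and constructed from the post's names; the forward A records are assumed for illustration.

```python
# Simulated resolver for an RFC 2317-style classless in-addr.arpa delegation.
# Record data is constructed to mirror the post's example zones.

PROVIDER_ZONE = {  # $ORIGIN 35.72.212.in-addr.arpa. (held by the upstream)
    "220.35.72.212.in-addr.arpa.": ("CNAME", "220.rev.your.domain."),
    "221.35.72.212.in-addr.arpa.": ("CNAME", "221.rev.your.domain."),
    "222.35.72.212.in-addr.arpa.": ("CNAME", "222.rev.your.domain."),
    "223.35.72.212.in-addr.arpa.": ("CNAME", "223.rev.your.domain."),
}
CUSTOMER_ZONE = {  # $ORIGIN rev.your.domain. (held by the customer)
    "220.rev.your.domain.": ("PTR", "www.my.domain."),
    "221.rev.your.domain.": ("PTR", "other.my.domain."),
    "222.rev.your.domain.": ("PTR", "third.my.domain."),
    "223.rev.your.domain.": ("PTR", "vpn.my.domain."),
}
RECORDS = {**PROVIDER_ZONE, **CUSTOMER_ZONE}

# Assumed forward (A) records; vpn deliberately mismatches to show a failed check.
FORWARD = {
    "www.my.domain.": "212.72.35.220",
    "other.my.domain.": "212.72.35.221",
    "third.my.domain.": "212.72.35.222",
    "vpn.my.domain.": "212.72.35.99",
}


def reverse_name(ip):
    """Build the in-addr.arpa owner name for a dotted-quad IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def lookup_ptr(ip, records=RECORDS, max_hops=8):
    """Return the PTR target for ip, chasing CNAMEs; None if no record exists."""
    name = reverse_name(ip)
    for _ in range(max_hops):
        rr = records.get(name)
        if rr is None:
            return None
        rtype, target = rr
        if rtype == "PTR":
            return target
        name = target  # CNAME: continue in the delegated (customer) zone
    raise RuntimeError("CNAME chain exceeded %d hops" % max_hops)


def forward_confirmed(ip, records=RECORDS, forward=FORWARD):
    """True only if the PTR name resolves back to the same address (FCrDNS)."""
    host = lookup_ptr(ip, records)
    return host is not None and forward.get(host) == ip
```

A bare PTR match is what the thread calls "authentication"; the forward confirmation is the extra step that stops anyone who controls a reverse zone from claiming an arbitrary hostname.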