On Tue, Dec 24, 2002 at 08:44:56PM -1000, Eric Hattemer wrote:
> I concur 100%. There's an IP standard of sorts that says that
> all IP addresses should have a hostname attached.

I only wish it were a standard. Most of the ISPs I run into do not have all their assigned IP space resolvable.

> There are many services that do forward and reverse DNS lookups
> on your IP/hostname to make sure they match.

That is probably due to the paranoid option in tcpwrappers. It is a flawed concept. Avoid it if you can. [1]

> Now maybe you're worried that your IP doesn't change too much.

Some ISPs made the argument that by using DHCP, customers become a moving target and hopefully less likely to get compromised. I agree that it makes a targeted attack more difficult, but most customers are likely to be hit by automated attacks.

> You could even buy a real domain name, and just update it every
> time it changes.

Services like dyndns.org even provide agents you can run that automatically update your domain to resolve to your current IP address.

-Vince

[1] This might sound like I am contradicting myself. If you use only IP ranges in your /etc/hosts.allow, then the paranoid option is never needed and you avoid the cost of having to perform 2 lookups (IP -> hostname, hostname -> IP). If DNS is not set up properly, you have to wait for _both_ lookups to time out.
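
The double lookup from footnote [1], next to an address-range check that needs no DNS, as an added example that is not part of the original message. The resolver class, the status strings and the DNS records are constructed for illustration and do not reproduce tcpwrappers' own code.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges, made-up names).
PTR = {"192.0.2.10": "host10.example.net",    # forward and reverse agree
       "198.51.100.7": "mail.example.org"}    # PTR exists, forward disagrees
A = {"host10.example.net": ["192.0.2.10"],
     "mail.example.org": ["203.0.113.99"]}


class CountingResolver:
    """Stand-in resolver over the tables above that counts lookups."""

    def __init__(self):
        self.lookups = 0

    def reverse(self, ip):
        """IP -> hostname, or None when the address has no PTR record."""
        self.lookups += 1
        return PTR.get(ip)

    def forward(self, name):
        """hostname -> list of addresses (empty when the name is unknown)."""
        self.lookups += 1
        return A.get(name, [])


def paranoid_check(ip, resolver):
    """Double lookup from the footnote: IP -> hostname, hostname -> IP."""
    name = resolver.reverse(ip)
    if name is None:
        return "no-reverse"        # address space that is not resolvable
    addrs = {ipaddress.ip_address(a) for a in resolver.forward(name)}
    return "match" if ipaddress.ip_address(ip) in addrs else "mismatch"


def range_check(ip, allowed_ranges):
    """Address-only rule: decided locally, with no DNS query at all."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_ranges)


def demo():
    resolver = CountingResolver()
    results = {ip: paranoid_check(ip, resolver)
               for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5")}
    allowed = range_check("203.0.113.5", ["203.0.113.0/24"])
    return results, resolver.lookups, allowed
```

Each lookup counted here is a query that can stall until it times out when DNS is misconfigured; the range check issues none.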