From: Matt Piechota (piechota_at_argolis.org)
Date: Tue Nov 12 2002 - 18:10:32 CST
On Wed, 13 Nov 2002, Michael Carew wrote:
> At least limiting it prevents someone setting up an authoritative server,
> then making a query to that domain off your name server.
> They are then reliant on a legitimate client querying the server with the
> malicious content, rather than them doing it themselves.
> Reducing the chances substantially I would imagine.
Not as much as you'd think. If you use tcpwrappers and something like
*.foo.edu, it'll do a reverse lookup to find out if a.b.c.d matches
*.foo.edu. I think other things do at least reverse lookups as well (i.e.,
so 'w' shows what host I'm connecting from vs. what IP).
It's a little more difficult to have a reverse DNS domain, but not much.
Besides, I think there are a few services that do a reverse then a forward
to see if the names match. (I think I remember reading that)
-- Matt Piechota
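
The reverse-then-forward check mentioned in the message above, as an added example that is not part of the original post and not tcpwrappers' own code. The zone data, host names, addresses and the glob-style matching of `*.foo.edu` are constructed assumptions; the lookups are served from in-memory tables so it runs offline.

```python
import fnmatch
import ipaddress

# Constructed sample zone data (documentation address ranges, made-up names).
PTR = {
    "192.0.2.10": ["lab1.foo.edu"],       # host that really belongs to foo.edu
    "203.0.113.66": ["trusted.foo.edu"],  # PTR chosen by whoever runs that reverse zone
}
A = {
    "lab1.foo.edu": ["192.0.2.10"],
    "trusted.foo.edu": ["192.0.2.77"],    # foo.edu's own record points elsewhere
}

def reverse(ip):
    """PTR lookup (stand-in for a real resolver call)."""
    return PTR.get(ip, [])

def forward(name):
    """A lookup (stand-in for a real resolver call)."""
    return A.get(name.lower().rstrip("."), [])

def names_matching(ip, pattern):
    """Reverse lookup only: PTR names for ip that match the ACL pattern."""
    pat = pattern.lower()
    return [n for n in reverse(ip) if fnmatch.fnmatch(n.lower().rstrip("."), pat)]

def confirmed_names(ip, pattern):
    """Reverse then forward: keep a name only if it resolves back to ip."""
    addr = ipaddress.ip_address(ip)
    ok = []
    for name in names_matching(ip, pattern):
        if any(ipaddress.ip_address(a) == addr for a in forward(name)):
            ok.append(name)
    return ok

def decide(ip, pattern):
    """Compare an ACL that trusts the PTR alone with one that confirms it."""
    return {"ptr_only": bool(names_matching(ip, pattern)),
            "forward_confirmed": bool(confirmed_names(ip, pattern))}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.66", "198.51.100.5"):
        print(ip, decide(ip, "*.foo.edu"))
```

Either way the access check makes the server resolve names on behalf of whoever connects, so the reverse zone's name server still gets queried.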