Firewall Wizards mailing list archives

Re: DNS Names for external services


From: Dave Piscitello <dave () corecom com>
Date: Mon, 19 Apr 2010 11:43:22 -0400



Paul Melson wrote:
On Tue, Apr 13, 2010 at 12:16 PM, Behm, Jeff <jbehm () burnsmcd com> wrote:
Just curious, what are your opinions of the security vs. ease of use trade-offs on putting DNS entries in (vs. making people know/use an IP address) for services you expose to the Internet.

You mean the security trade-off whereby we protect ourselves from
hackers that are too lazy to scan with nmap -sV but not too lazy to
use scandns?  It's a ridiculous corner case that's not worth
accounting for.

+1

On the other hand, using DNS names instead of IP addresses for
Internet-facing services makes them more easily portable.  For some
services it can make load balancing and failover very simple and
cheap.  If any of your use cases is helped by naming Internet
services, then do so.  It's that simple.

+1

Also, consider the low esteem IP addresses have in email. Much antispam software aggressively downgrades email containing IP addresses. If you intend to notify folks of the availability of services via email, aren't you increasing the probability that someone's antispam measures will block delivery?

[I suppose you could ask your users and customers to scan your IP addresses to find services. If you even pause to consider this option...]


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards