nanog mailing list archives

Re: Performance Issues - PTR Records


From: Jeroen Massar <jeroen () unfix org>
Date: Tue, 08 Nov 2011 15:25:04 +0100

On 2011-11-08 13:27 , Mark Andrews wrote:
> In message <4EB90EF2.3030100 () unfix org>, Jeroen Massar writes:
>> On 2011-11-08 12:05 , Mark Andrews wrote:
>>> In message <4EB8F028.8040607 () dds nl>, Seth Mos writes:
>>> [..]
>>> Sounds like FUD.  Who has trusted the contents of a PTR record in the
>>> last 2 decades?
>>
>> Lots of tools (read: SSH, Spam-checks, oh and IRCd's ;) trust PTR, but
>> only if the reverse => forward => reverse. And you don't want to know
>> how many silly people enable the "if user comes from .in they must be
>> from Indonesia^WIndia thus block them" Apache option as recently
>> mentioned on this very thread.
>
> They aren't trusting the reverse record.  They are trusting the forward
> record to verify the reverse record. They know that the reverse record
> is untrustworthy as the owner of the reverse zone can put whatever they
> want there without spoofing anything.

Of course that is the case. The PTR itself is useless, but in combo with
checking it with the forward it is a very valuable resource.

(Add DNSSEC to the mix and you are even sure that nobody spoofed it on
the wire for you ;)

>> Also, note that your precious operating system will likely store the
>> PTR, sometimes even without doing the reverse->forward->reverse check.
>>
>> As such, you set up a PTR + Forward properly for a host, try to 'hack' a
>> box by password guessing, the log entries will only have the PTR
>> recorded, and you just drop the PTR+Forward from DNS (as they are under
>> your control); the admin comes in, sees all those nice hosts in their
>> logs but as it is gone from DNS will never ever find you. This
>> especially goes for 'who' (utmp) which makes that mistake. Fortunately
>> SSH at least logs both IP + hostname, the more info the better.
>
> Who trusts logs of names without actual addresses?   No one sane
> does.

Well, only one decade back some people from this very list mentioned
that to a certain OS that is used quite a lot by a lot of people:

http://www.freebsd.org/cgi/query-pr.cgi?pr=22595

And today that is still the case:
http://www.freebsd.org/cgi/man.cgi?query=utmp&sektion=5

Note there is just ut_host; there is no address being stored. I hope you
yourself btw don't use any FreeBSD based devices as otherwise that
little attempt at an insult goes for you too ;)

>> That said though the PTR->forward->PTR check is a proper check and a
>> really great way to figure out if the source SMTP host was actually set
>> up with at least some admin doing it the right way. If they can't be
>> bothered to set that up, why should you bother to accept that mail, or a
>> better choice, just score it a bit negatively at least.
>
> Which only works as a filter because ISP's decided to prevent home
> users from putting valid PTR records in the DNS for their own
> machines.  It has nothing to do with clue or knowledge.

I don't think ISPs 'decide' to not let users set up reverse DNS, it is
generally a 'feature' for which they can ask more moneyz.

If ISPs would allow it (which I am for btw) then they only pass the test
anyway if they can properly set up reverse->forward->reverse.
Which is likely the case anyway for quite some ISPs who populate
reverses with a matching forward&reverse based on the IP.

Greets,
 Jeroen
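The reverse => forward => reverse check discussed above, together with the "log the address, not just the name" point about utmp, as an added Python example that is not part of this thread. The zone data is constructed (documentation prefixes, not real hosts); the live_ptr/live_fwd helpers are an assumed way of plugging in the system resolver and are not exercised by default.

```python
import ipaddress
import socket
from typing import List, Optional, Tuple

# Constructed sample zone data (documentation prefixes, not real hosts).
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.net."],   # PTR and forward agree
    "192.0.2.11": ["mail.example.net."],   # PTR claims a name whose A records exclude this IP
    "2001:db8::25": ["mx6.example.net."],  # IPv6 case
}
SAMPLE_FWD = {
    "mail.example.net.": ["192.0.2.10", "198.51.100.7"],
    "mx6.example.net.": ["2001:db8::25"],
}

def sample_ptr(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])
def sample_fwd(name: str) -> List[str]:
    return SAMPLE_FWD.get(name, [])

def live_ptr(ip: str) -> List[str]:
    """PTR lookup through the system resolver (assumption; returns only the primary name)."""
    try:
        return [socket.gethostbyaddr(ip)[0] + "."]
    except OSError:
        return []

def live_fwd(name: str) -> List[str]:
    """A/AAAA lookup through the system resolver (assumption)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns(ip: str, ptr=sample_ptr, fwd=sample_fwd) -> Tuple[str, Optional[str]]:
    """Forward-confirmed reverse DNS: a PTR name only counts if it resolves back to ip.
    Returns (verdict, confirmed_name); verdict is 'confirmed', 'no_ptr' or 'mismatch'."""
    addr = ipaddress.ip_address(ip)          # normalises case and zero-compression
    names = ptr(str(addr))
    if not names:
        return "no_ptr", None
    for name in names:
        if addr in {ipaddress.ip_address(a) for a in fwd(name)}:
            return "confirmed", name.rstrip(".")
    return "mismatch", None

def log_entry(ip: str, **lookups) -> str:
    """Record the address as well as the name, so the entry stays usable after the PTR is gone."""
    verdict, name = fcrdns(ip, **lookups)
    return f"src={ip} host={name or '?'} fcrdns={verdict}"
```

To run against real DNS, call fcrdns(ip, ptr=live_ptr, fwd=live_fwd); a 'mismatch' verdict is the case where the PTR owner named a host that never claimed that address in its forward zone.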
