Date: Mon, 07 May 2001 11:24:24 -0700 From: "Crist Clark" <crist.clark@globalstar.com> To: Wes Peters <wes@softweyr.com> Cc: Sheldon Hearn <sheldonh@uunet.co.za>, anderson@centtech.com, Andrew Barros <abarros@tjhsst.edu>, "lists@mail.ru" <lists@mail.ru>, freebsd-security@FreeBSD.ORG Subject: Re: reverse or not Message-ID: <3AF6E858.77E9B72A@globalstar.com> References: <E14wpKH-0002sJ-00@bsdconspiracy.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Wes Peters wrote: > > Sheldon Hearn scribed: > > > > On Mon, 07 May 2001 09:54:36 MST, "Crist Clark" wrote: > > > > > > From a security perspective, I'm pretty sure that hosts should NEVER > > > > rely on any external source for resolution on the loopback network. > > > > > > So everyone MUST run a DNS server on localhost? That does not sound too > > > secure either. > > > > That's not what I'm suggesting. People were talking about /etc/hosts vs > > DNS. I'm saying that > > > > 1) DNS servers shouldn't answer questions about the loopback > > network. > > > > 2) Hosts should have hostnames for the loopback network > > hardwired into /etc/hosts. > > 3) /etc/host.conf should always have hosts listed before > bind, to be sure that you get your local definitions > *first*. I was thinking of applications like sendmail(8) that don't bother with the local resolver and really like to go straight to DNS. /etc/hosts and /etc/host.conf are moot. I have had "localhost" problems with sendmail in the past that were a PITA to workaround. I know there are other common apps that go straight to DNS... 'course none of them are coming to mind at the moment. -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AF6E858.77E9B72A>