Date: Sun, 1 Apr 2001 22:04:09 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Andrew C. Hornback" <hornback@wireco.net>, "Matthew Emmerton" <matt@gsicomp.on.ca>
Cc: "FreeBSD Questions" <questions@FreeBSD.ORG>
Subject: RE: ARG!!! 450 Client host rejected: cannot find your hostnam
Message-ID: <006201c0bb32$59a94bc0$1401a8c0@tedm.placo.com>
In-Reply-To: <00f601c0bb20$21b791c0$0e00000a@tomcat>
You don't need DNS resolution to trace an IP number; ARIN and the other number registries, as well as BGP, do a good job of that. For that matter the website owner can run traceroute and tell who owns the IP number.

Mostly, what I've seen SSL sites use the reverse address resolution for is to prevent transfer of encryption technology into areas where it's prohibited. Microsoft used to do this to download the 128-bit encryption; I don't know if they still do it or not.

However, DNS is a very poor method of verifying anything. For example, a multinational company based in the US can have a /24 public subnet that they do their own name resolution for, and they can have a foreign site, such as a sales office in China, connected to them via a 56K connection, that is on a private IP number behind a translator. A user in that sales office can initiate a download of the 128-bit Microsoft web browser from the Microsoft site just fine. Now, it is illegal to transfer 128-bit encryption technology overseas to China, but the DNS is going to resolve to a name that indicates the transfer is taking place to the US. You can argue the fine point that the actual illegality is that the internal company network is permitting the 128-bit encryption transfer to China, and this is true, but in point of fact the DNS check has been defeated here.

I think that if you look at it, 90% of the SSL sites that require reverse IP lookups really don't gain anything by doing it. Most likely they are doing it because they don't understand IP routing and think that they are supposed to be doing it.

Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Andrew C. Hornback
>Sent: Sunday, April 01, 2001 7:54 PM
>To: Matthew Emmerton
>Cc: FreeBSD Questions
>Subject: RE: ARG!!! 450 Client host rejected: cannot find your hostnam
>
>
>Matt,
>
>  Thanks for getting to this one before I could... :)
>
>Everyone else,
>
>  The best explanation that I have is that they want to authenticate exactly
>where you're coming from to prevent fraud. A lot of the various on-line
>shopping sites, etc. will not allow a connection that they can't
>authenticate. Being able to authenticate where a sale comes from allows
>them to track it back, etc. If your ISP doesn't have this set up properly,
>it's not going to work for you.
>
>  When I worked at BlitzNet, we had customer support calls that I had to
>handle about this. People taking their business elsewhere because the
>entire staff that I replaced didn't have a coherent strategy to make things
>work properly. That's not a good sign.
>
>  Maybe it's not a requirement of 128 bit encryption, per se, but the
>applications thereof on websites.
>
>--- Andy
>
>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Matthew
>> Emmerton
>> Sent: Sunday, April 01, 2001 10:27 PM
>> To: Randall Hopper; Andrew C. Hornback
>> Cc: FreeBSD Questions
>> Subject: Re: ARG!!! 450 Client host rejected: cannot find your hostnam
>>
>>
>> > |And what do you tell users when they try to use sites that require 128
>> bit
>> > |encryption and that encryption level requires proper resolution of the
>> > |address forward and backward? "Oh, we don't support that, it's not
>> > |important..." ? I can hear a herd of users running for other ISPs...
>> >
>> > Ok, you've perked my interest. What does reverse DNS lookup have to do
>> > with 128-bit encryption. You may be implying a specific form of
>> encryption
>> > (IPsec or something?). I use 128-bit/1024-bit encryption in my e-mail
>> > daily, without reverse DNS ;-)
>>
>> Many SSL-enabled sites will refuse to connect with clients who have IPs
>> without proper reverse-DNS entries. I can't say why, all I know is that
>> from personal experience, *and* from working with the tech
>> support people at
>> an ISP I used to work for, this was a real big problem.
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
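The thread argues about "proper resolution of the address forward and backward" without ever spelling out what that check is, so here is the usual form of it, forward-confirmed reverse DNS, worked through on Ted's NAT scenario. This is an added example for the archive, not code posted by any participant. The zone data (PTR_RECORDS, A_RECORDS), the translator table (NAT_TABLE), the `.test` host names and the RFC 5737 documentation addresses are all constructed stand-ins; nothing is resolved over the network.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check over constructed DNS records.

Added example for this thread, not code from any of its participants.
The check: look up the PTR record for the connecting address, then confirm
that the returned name's A record points back at that same address.
PTR_RECORDS, A_RECORDS and NAT_TABLE are constructed sample data
(hypothetical names, RFC 5737 documentation addresses).
"""

from typing import Optional, Tuple

# Constructed reverse zone: address -> PTR name (None = no PTR published).
PTR_RECORDS = {
    "192.0.2.10": "gw.example-corp.test.",    # corporate NAT gateway in the US /24
    "192.0.2.20": "mail.example-corp.test.",  # PTR exists but forward record disagrees
    "198.51.100.5": None,                     # ISP never set up reverse DNS
}

# Constructed forward zone: name -> A record.
A_RECORDS = {
    "gw.example-corp.test.": "192.0.2.10",
    "mail.example-corp.test.": "192.0.2.99",   # does not point back to 192.0.2.20
}

# Constructed translator state: private branch-office address -> public
# address the outside world sees after NAT.
NAT_TABLE = {
    "10.0.0.5": "192.0.2.10",   # the sales office over the 56K link
}


def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query against the reverse zone."""
    return PTR_RECORDS.get(ip)


def lookup_a(name: str) -> Optional[str]:
    """Stand-in for an A query against the forward zone."""
    return A_RECORDS.get(name)


def fcrdns(ip: str) -> Tuple[bool, str]:
    """Return (passed, detail) for the forward-confirmed reverse DNS check.

    Fails when no PTR exists (the "cannot find your hostname" case in the
    subject line) or when the PTR name does not resolve back to ip.
    """
    name = lookup_ptr(ip)
    if name is None:
        return False, f"{ip}: no PTR record (cannot find your hostname)"
    forward = lookup_a(name)
    if forward != ip:
        return False, f"{ip}: PTR {name} resolves to {forward}, not back to {ip}"
    return True, name


def observed_source(client_ip: str) -> str:
    """Address a remote server sees for client_ip: the translator's public
    address if the client sits behind NAT, otherwise the client's own."""
    return NAT_TABLE.get(client_ip, client_ip)


def check_client(client_ip: str) -> Tuple[bool, str]:
    """What an rDNS-gated site can learn about a client: it only ever tests
    the address that reaches it, which for a NATed client is the gateway."""
    return fcrdns(observed_source(client_ip))


if __name__ == "__main__":
    for client in ("198.51.100.5", "192.0.2.20", "192.0.2.10", "10.0.0.5"):
        ok, detail = check_client(client)
        print(f"{client:>14} -> {'PASS' if ok else 'FAIL'}: {detail}")
```

The first two clients fail for the two reasons a mail server or web site normally rejects on: no PTR at all, or a PTR whose forward record disagrees. The branch-office client at 10.0.0.5 passes with the gateway's US name, which is exactly the point made above: FCrDNS establishes only that whoever controls the last public hop also controls its reverse zone. That is a reasonable hygiene heuristic against misconfigured or throwaway hosts, but it says nothing about where the endpoint behind that hop actually is.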