Date: Tue, 3 Apr 2001 15:34:21 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: crh@outpost.co.nz (Craig Harding)
Cc: chat@FreeBSD.ORG
Subject: Re: Test
Message-ID: <200104031535.IAA16970@usr05.primenet.com>
In-Reply-To: <3AC96E06.71ED1DE6@outpost.co.nz> from "Craig Harding" at Apr 03, 2001 06:30:30 PM
> > The canonical reason for requiring a reverse address is that there
> > are two authorities: the forward address, and the reverse address.
>
> Nice in theory. In this country you can't control the reverses unless
> you "own"[1] the IP address, and you can't get any IPs from APNIC unless
> you're a service provider and you've got loads of cash. As an end user
> it's almost impossible to get an IP I could control the reverse of.
>
> [1] I'm not really allowed to say "own" because officially you don't
> "own" IP addresses, you just get to use them.

This is not true.

If you are running a DNS server visible to the net, you can get a
delegation, since you have an autonomous system number. A static IP
address from UUNET will give you this; they give you 8 IP addresses, 6
of which are usable, with a BGP route to your host. This works for
ISDN, DSL, or leased line.

The IBM web connections product sold static IP addresses with its
service for $99/month. In practice, the reverse records were delegated
to the NOC, in Rochester, NY, since it was the primary name server.

It was possible to delegate primary authority for the in-addr.arpa
delegations; in practice, we did not do this, because it was important
that the customer domain remain virtually on line, even if the
customer's border machine lost connectivity. For that reason, the DNS
servers and the backup mail exchangers, and sometimes the web site
hosting, were on hosted infrastructure not at the customer premises.

Occasionally, the web site hosting _was_ at the customer premises. But
in any case, the reverse record matched the canonical name for the
border NAT, and there were up to 5 other reverse records matching other
"perimeter" machines which were either physically outside the firewall,
or virtually outside the firewall through an IP alias and a divert rule
for a single port, to prevent them from being vulnerable to attack.
While it's true that there are a lot of IP addresses being assigned with
"invalid" reverse addresses, the vast majority are assigned with valid
reverse addresses, which don't happen to match the names claimed by the
servers, since people are trying to run domains when they are not paying
their ISP to be an NSP.

Luckily, there's another workaround: configure your mail server to claim
the name of the valid reverse address. That is, if your IP address is
10.1.0.2 and your reverse is set by your ISP to
2.0.1.10.bank1.dsl.example.com, then have your mail server claim to be
"2.0.1.10.bank1.dsl.example.com".

If your ISP is not setting up a reverse record at all, well, get another
ISP, or pay them the extra money they want to do the job, which usually
means paying "business customer" rates (which in turn usually just means
"this person wants to run a server, and we can make them pay for doing
that, so we do").

Alternately, find a proxy IP service somewhere. A proxy IP service owns
a block, and lets you PPPoE into their service, at which time packets
look like they are coming from their IP address. You are permitted, via
a cryptographically secure link, to update the reverse DNS record for
the IP address you have to anything you want. In addition, if their DNS
server is your primary DNS server for a hosted domain, you can update
the forward as well. There are a number of services like this in Taiwan
and Hong Kong, which accept VISA and Mastercard.

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
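The "two authorities" check the thread argues about (forward and reverse DNS consulted independently, and a name accepted only when both agree) and Terry's workaround of announcing the name the ISP already put in the reverse zone, worked through as an added example. This is not code from the original thread; the PTR and A tables are constructed, hypothetical records (10.1.0.0/24 and the example.com/example.net names are placeholders), and a real deployment would answer the two lookups from a resolver library instead of from dictionaries.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an SMTP client.

Added example, not code from the original mailing-list thread. Both DNS
lookups are served from constructed in-memory tables so the script runs
offline; swap `lookup_ptr`/`lookup_a` for real resolver calls in use.
"""
import ipaddress
from typing import Callable, Dict, List

Lookup = Callable[[str], List[str]]

# Constructed sample records (hypothetical names; 10.0.0.0/8 is private
# address space, matching the 10.1.0.2 example used in the thread).
PTR_TABLE: Dict[str, List[str]] = {
    # ISP-assigned generic reverse, the case the thread's workaround targets
    "2.0.1.10.in-addr.arpa.": ["2.0.1.10.bank1.dsl.example.com."],
    # reverse delegated to the customer and pointing at their mail host
    "3.0.1.10.in-addr.arpa.": ["mail.customer.example."],
    # a reverse record exists, but that name's forward record points elsewhere
    "4.0.1.10.in-addr.arpa.": ["ghost.example.net."],
    # 10.1.0.5 deliberately has no PTR record at all
}
A_TABLE: Dict[str, List[str]] = {
    "2.0.1.10.bank1.dsl.example.com.": ["10.1.0.2"],
    "mail.customer.example.": ["10.1.0.3"],
    "ghost.example.net.": ["192.0.2.77"],
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip, e.g. 2.0.1.10.in-addr.arpa.
    Also handles IPv6 (nibble format under ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def canonical(name: str) -> str:
    """Normalise a host name for comparison: lower-case, one trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def table_lookup(table: Dict[str, List[str]]) -> Lookup:
    """Build a lookup function over one of the constructed tables."""
    return lambda name: list(table.get(canonical(name), []))


lookup_ptr: Lookup = table_lookup(PTR_TABLE)
lookup_a: Lookup = table_lookup(A_TABLE)


def fcrdns(ip: str, ptr_lookup: Lookup = lookup_ptr,
           a_lookup: Lookup = lookup_a) -> List[str]:
    """Return the PTR names of ip whose own forward lookup includes ip.

    The reverse authority proposes names; the forward authority must
    confirm each one, or it is discarded."""
    return [canonical(name)
            for name in ptr_lookup(reverse_name(ip))
            if ip in a_lookup(name)]


def classify_client(ip: str, helo: str, ptr_lookup: Lookup = lookup_ptr,
                    a_lookup: Lookup = lookup_a) -> str:
    """Classify an SMTP client by its reverse DNS and its HELO/EHLO name."""
    if not ptr_lookup(reverse_name(ip)):
        return "no-ptr"                      # ISP set up nothing at all
    confirmed = fcrdns(ip, ptr_lookup, a_lookup)
    if not confirmed:
        return "ptr-unconfirmed"             # reverse exists, forward disagrees
    if canonical(helo) in confirmed:
        return "fcrdns-helo-match"           # both authorities and HELO agree
    return "fcrdns-helo-mismatch"            # valid reverse, vanity HELO name


def suggested_helo(ip: str, ptr_lookup: Lookup = lookup_ptr,
                   a_lookup: Lookup = lookup_a) -> str:
    """The thread's workaround: announce the name the reverse already carries."""
    confirmed = fcrdns(ip, ptr_lookup, a_lookup)
    return confirmed[0].rstrip(".") if confirmed else ""


if __name__ == "__main__":
    for ip, helo in [("10.1.0.2", "mail.myvanity.example"),
                     ("10.1.0.2", "2.0.1.10.bank1.dsl.example.com"),
                     ("10.1.0.3", "mail.customer.example"),
                     ("10.1.0.4", "ghost.example.net"),
                     ("10.1.0.5", "anything.example")]:
        print(f"{ip:10} HELO {helo:34} -> {classify_client(ip, helo)}")
```

The first two sample clients are the same host: with a vanity HELO it lands in "fcrdns-helo-mismatch", and after applying the workaround (HELO set to what `suggested_helo` returns) it becomes "fcrdns-helo-match" without any change at the ISP. Note that `classify_client` treats a mismatch and an unconfirmed PTR as distinct outcomes; a receiving MTA that wants to reject only the latter needs the forward lookup, not just the PTR.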