REQUEST: Names instead of IP (allowed / disallowed)

M*I*B
500 Command not understood
Posts: 3
Joined: 2008-02-26 22:02
First name: Michael
Last name: Buchholz

REQUEST: Names instead of IP (allowed / disallowed)

#1 Post by M*I*B » 2017-10-25 20:37

Hello there from Germany,

is there a change in the near future to use names (DDNS, MyFritz, ...) instead of IP addresses, e.g. for the IP filter?!?

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: REQUEST: Names instead of IP (allowed / disallowed)

#2 Post by botg » 2017-10-25 22:41

No, reverse DNS is too unreliable.

M*I*B
500 Command not understood
Posts: 3
Joined: 2008-02-26 22:02
First name: Michael
Last name: Buchholz

Re: REQUEST: Names instead of IP (allowed / disallowed)

#3 Post by M*I*B » 2017-10-31 09:58

In what way? Regarding name resolution or security?

Regardless, DDNS is the only way to exclude access for everyone else when you enter the net with changing IPs.

At the moment, the only (and dangerous) option is to open the server for all addresses, or at minimum for all ranges of your DSL provider's IP pool. If you do not know what your next IP address will be or which IP pool it will come from, but you still have to access the server on the go, opening a wide range like a barn door is the only viable option.


The question remains, what is better now: An open barn door or an occasionally not working name resolution?!?

I think the answer is simple ... isn't it?!

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: REQUEST: Names instead of IP (allowed / disallowed)

#4 Post by botg » 2017-10-31 10:14

For controlling access all you need is a long password.

With RDNS, everybody could claim the IP address belongs to a certain domain name. What you need is a forward-confirmed reverse DNS lookup, to make sure the hostname in turn maps back to the IP address in question.

Not only is this a quite slow operation, it can also fail. What should be done if the lookup fails?

Last but not least, it can be misused for reflection attacks and possibly amplification attacks: a bad guy connects to your server with an intentionally wrong PTR record associated with the attacker's IP, and your server (or your DNS resolver) then makes requests to the actual target IP on the forward part of the resolution.
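The three objections above (a PTR record anyone can forge, a lookup that can fail, and a forward query the attacker gets to choose) are easiest to see in code. The following is an added example, not FileZilla Server code: a fail-closed forward-confirmed reverse DNS (FCrDNS) allowlist check with pluggable resolvers. The `FakeDNS` class, its zone data and the IP addresses are constructed so it runs offline; `system_ptr` and `system_forward` are the drop-in replacements for live lookups via the standard library.

```python
"""Forward-confirmed reverse DNS (FCrDNS) allowlisting, fail-closed.

Added example, not FileZilla Server code. FakeDNS and its records are
constructed test data; swap in system_ptr / system_forward for real lookups.
"""
import socket
from typing import Callable, Dict, List, Optional, Set

PtrLookup = Callable[[str], str]           # ip -> hostname, raises OSError on failure
ForwardLookup = Callable[[str], Set[str]]  # hostname -> ips, raises OSError on failure


def fcrdns_check(ip: str, ptr: PtrLookup, forward: ForwardLookup):
    """Return (hostname, reason). hostname is None unless the PTR name resolves
    back to `ip`; every failure path also returns None, i.e. we fail closed."""
    try:
        name = ptr(ip)
    except OSError as e:  # socket.herror / socket.gaierror are OSError subclasses
        return None, f"PTR lookup failed: {e}"
    try:
        addrs = forward(name)
    except OSError as e:
        return None, f"forward lookup of {name!r} failed: {e}"
    if ip not in addrs:
        # Whoever controls the reverse zone for `ip` can put any name in the
        # PTR; only the forward record proves the name really maps to this IP.
        return None, f"PTR claims {name!r} but it does not resolve to {ip}"
    return name, "forward-confirmed"


def host_matches(name: str, allowed: Set[str]) -> bool:
    """Exact or subdomain match against the configured hostnames."""
    name = name.rstrip(".").lower()
    return any(name == h or name.endswith("." + h) for h in allowed)


def is_allowed(ip: str, allowed: Set[str], ptr: PtrLookup, forward: ForwardLookup) -> bool:
    name, _ = fcrdns_check(ip, ptr, forward)
    return name is not None and host_matches(name, allowed)


class FakeDNS:
    """Constructed zone data standing in for the resolver (documentation IPs, not real hosts)."""

    def __init__(self) -> None:
        self.ptr: Dict[str, str] = {
            "198.51.100.7": "home.example.net",    # legitimate DDNS host
            "203.0.113.9": "home.example.net",     # attacker's PTR claims the same name
            "203.0.113.10": "victim.example.org",  # attacker's PTR points at a third party
            "203.0.113.11": "flaky.example.net",   # forward lookup will fail
        }
        self.a: Dict[str, Set[str]] = {
            "home.example.net": {"198.51.100.7"},
            "victim.example.org": {"192.0.2.50"},
        }
        self.failing = {"flaky.example.net"}
        self.forward_queries: List[str] = []  # every name the resolver was made to look up

    def reverse(self, ip: str) -> str:
        if ip not in self.ptr:
            raise socket.herror(1, "Unknown host")
        return self.ptr[ip]

    def forward(self, name: str) -> Set[str]:
        self.forward_queries.append(name)
        if name in self.failing:
            raise socket.gaierror(-3, "Temporary failure in name resolution")
        return set(self.a.get(name, ()))


def system_ptr(ip: str) -> str:
    """Live PTR lookup; raises socket.herror when there is no PTR."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(name: str) -> Set[str]:
    """Live forward lookup (A and AAAA); raises socket.gaierror on failure."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def run_demo(dns: Optional[FakeDNS] = None) -> Dict[str, bool]:
    dns = dns or FakeDNS()
    allowed = {"home.example.net"}
    results: Dict[str, bool] = {}
    for ip in ["198.51.100.7", "203.0.113.9", "203.0.113.10", "203.0.113.11", "203.0.113.12"]:
        name, reason = fcrdns_check(ip, dns.reverse, dns.forward)
        results[ip] = name is not None and host_matches(name, allowed)
        print(f"{ip:14} allowed={str(results[ip]):5} {reason}")
    # The connecting client decided which names our resolver queried.
    print("forward queries issued:", dns.forward_queries)
    return results


if __name__ == "__main__":
    run_demo()
```

Only the legitimate host passes; the two forged PTRs are refused because the forward record does not point back at the connecting IP, and the failed lookup and the missing PTR are refused because the check fails closed. That last choice is the trade-off raised in the thread: failing closed locks out the owner whenever their DDNS name does not resolve, failing open lets anyone in. The `forward_queries` list shows the reflection problem: for every connection the server resolves a name of the client's choosing, so the attacker steers queries from your resolver toward a third party's zone.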
