pantzer5 wrote:
> > > These days I am a fan of forward check access lists, because anyone who
> > > owns a DNS server can say that IPAddressX returns aserver.google.com.
> > > They can not set the forward lookup outside of their domain, but they can
> > > set up a reverse lookup. The other advantage of forward looking access lists
> > > is you can use DNS aliases in access lists as well.
>
> That is not true, you have to have a valid A record in the correct domain.

I am not sure what this means, unless it indicates every application follows
the steps outlined below. Unfortunately, only a few applications/services do.

> This is how it works (and how you should check your reverse lookups in
> your applications):
>
> 1. Do a reverse lookup.
1b. Check if the name matches any hosts listed in the access list.
> 2. Do a lookup with the name from 1.
> 3. Check that the IP address is one of the addresses you got in 2.
>
> Ignore the reverse lookup if the check in 3 fails.

The above describes a forward lookup check; it just uses the reverse lookup to
determine what forward name to look up.

The other method is when the service starts or re-reads the access list: it
finds the A record/IP address for all the names in the access list and keeps a
record of them, which it uses for checking when a connection comes in. This
saves doing the DNS lookup when a new connection starts, but it means all the
DNS overhead is at the start.

Unfortunately DNS spoofing exists, which means forward lookups can be poisoned.

The best (maybe only) way to make NFS secure is NFSv4 and Kerb5 used together.

Cheers
--
This message posted from opensolaris.org
zfs-discuss mailing list
zfs-discuss@opensolaris.org
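Both checks discussed in the thread, as an added example that is not code from the thread or from any NFS implementation. The resolver is a constructed in-memory table standing in for real DNS so the example runs offline; the `PTR` and `A` data, the host names and the function names are all assumptions made for illustration.

```python
"""Forward-confirmed reverse lookup vs. prefetching the access list.

Added example; the zone data below is constructed for illustration.
Replace reverse_lookup/forward_lookup with socket.gethostbyaddr and
socket.getaddrinfo (or a DNS library) for live use.
"""
from typing import Callable, Dict, List, Optional, Set

# Constructed PTR records (keyed by IP) and A records (keyed by name).
PTR: Dict[str, str] = {
    "192.0.2.10": "nfsclient.example.com",    # honest host, consistent records
    "198.51.100.7": "aserver.google.com",     # PTR set by whoever owns that reverse zone
}
A: Dict[str, List[str]] = {
    "nfsclient.example.com": ["192.0.2.10"],
    "aserver.google.com": ["203.0.113.5"],    # real owner's A record, not 198.51.100.7
}

def reverse_lookup(ip: str) -> Optional[str]:
    return PTR.get(ip)

def forward_lookup(name: str) -> List[str]:
    return A.get(name, [])

def allowed_by_fcrdns(ip: str, access_list: Set[str],
                      rev: Callable[[str], Optional[str]] = reverse_lookup,
                      fwd: Callable[[str], List[str]] = forward_lookup) -> bool:
    """Steps 1, 1b, 2 and 3 from the thread, applied to one connecting IP."""
    name = rev(ip)                                   # 1. reverse lookup
    if name is None or name.lower() not in access_list:
        return False                                 # 1b. name not on the list
    return ip in fwd(name)                           # 2+3. A record must confirm ip

def prefetch_access_list(access_list: Set[str],
                         fwd: Callable[[str], List[str]] = forward_lookup) -> Set[str]:
    """Second method: resolve every listed name once at (re)load time."""
    ips: Set[str] = set()
    for name in access_list:
        ips.update(fwd(name))
    return ips

def allowed_by_prefetch(ip: str, resolved: Set[str]) -> bool:
    """Per-connection check is then a plain set lookup, no DNS traffic."""
    return ip in resolved
```

With the constructed data, 198.51.100.7 passes step 1 and 1b but fails step 3, because the A record for the name it claims does not contain it.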