Re: Changing IP addresses -- MIDRANGE-L

+1 to both of your comments

On (Unix based) email servers I administer with Internet connectivity, those boxes also run a caching only configuration of BIND.

At least in my mind, both DNS and the SMTP protocols are artifacts of a bygone era. I'm not implying that they are obsolete, completely the opposite.

What I am implying that they are both protocols that were created when the Internet was a kinder and gentler place. Certainly I appreciate all the hard work that has been done to tack on misc. security mechanisms to DNS and SMTP, but the fact remains that the core protocols are still there relatively unchanged and continue to be abused by those who would do evil out on the Internet.

Much like SSH has replaced telnet and rlogin, in the long run, something similar needs to happen to both DNS and SMTP.

Jerry

On 09/22/16 04:18 PM, DrFranken wrote:

re: the Cisco ASA anD DNS. I don't think you want DNS in that for a couple
reasons.

1) Performance. Adding an NS query to every inbound packet would C-L-O-B-B-E-R
performance. It would also hammer your DNS server.

2) DNS isn't perfect either. If someone poisons a DNS server and gets it to
report a different address then they've just compromised your firewall. You
don't want something OUTSIDE your organization able to influence the data
allowed to pass through your firewall.

- Larry "DrFranken" Bolhuis

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.