spf-discuss

Re: Additional security considerations

2004-07-11 16:09:59
In <00ab01c4678d$7dbd8ac0$c803a8c0(_at_)tag> "Andrew G. Tereschenko" 
<spf-discuss(_at_)spam(_dot_)24(_dot_)odessa(_dot_)ua> writes:

[wayne]
Read again: "multi-homed DNS configuration with private and public records".

I.e. in case I connect to the nsa.gov SPF-aware mail server, I will be
able to use the SPF software as a Trojan horse to check their _private_ DNS
configuration.
It's a common configuration to restrict private information based on the IP
address of the requestor.
In case the SPF server uses internal DNS - bad, bad, bad.

If you have multiple views (bind terminology), and you let your MTA
access to the private views, then you are going to have problems.  The
answer is:  Don't do that.


AFAIK, this kind of configuration is common.

Maybe.  There are a lot of badly configured software out there.

No, that's not how the exists:  mechanism works.  No DNS request will
be sent to 192.168.0.%{l}.  Only attacker.com's DNS server will be
queried, and it makes no difference whether it returns 192.168.0.xxx
or 127.0.0.2 (the standard DNSBL value).

LOL.
Configure your own LAN with 2 DNS servers as primary and a sub-domain in the
192.168.0.xxx range.
Your current software will query them ;o)

Uh, that doesn't appear to be the case for me.  The situation may be
different for the software you run or how you configured it.


Do you know why 127.0.0.2 IP was used in DNSBL ?
Because the query (if any) will be answered by the local machine ;o)

Yes, there is a lot of badly configured software.  127.x.x.x is
certainly a more fail-safe value to use as a tag for DNSBLs.  That
doesn't mean that, in correctly working software, 127.0.0.2 is
ever queried.



-wayne
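The point wayne makes about the exists: mechanism is easy to check in code. The following is an added example, not code from the thread or from any SPF implementation: it expands the macros an exists: target can use and evaluates the mechanism against a stub resolver that logs every name it is asked for. The domain attacker.example, the sender alice@attacker.example and the A record values are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed stub resolver: maps a queried name to the A records it answers
# with, and records every name it was asked for so we can see what SPF queried.
class StubResolver:
    def __init__(self, records):
        self.records = records
        self.queried = []

    def lookup_a(self, name):
        self.queried.append(name)
        return self.records.get(name, [])

# Subset of SPF macros: %{s} sender, %{l} local-part, %{o} sender domain,
# %{d} current domain, %{i} client IP; optional digit truncation and 'r' reversal.
MACRO_RE = re.compile(r"%\{([slodi])(\d*)(r?)\}")

def expand_macros(spec, sender, domain, client_ip):
    """Expand the macros in a domain-spec, e.g. '%{l}.spf.%{d}'."""
    local, _, sender_dom = sender.partition("@")
    ip = ipaddress.ip_address(client_ip)
    # IPv4 is dotted-quad; IPv6 is expanded into dot-separated nibbles.
    ip_text = str(ip) if ip.version == 4 else ".".join(ip.exploded.replace(":", ""))
    values = {"s": sender, "l": local, "o": sender_dom, "d": domain, "i": ip_text}

    def repl(m):
        letter, digits, rev = m.groups()
        parts = values[letter].split(".")
        if rev:
            parts.reverse()
        if digits:  # keep only the right-most N labels
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(repl, spec).replace("%%", "%")

def check_exists(mechanism, sender, domain, client_ip, resolver):
    """Evaluate one 'exists:<domain-spec>' mechanism.

    Returns (matched, queried_name). The only DNS traffic is an A lookup of the
    expanded name; the addresses in the answer are never used as query targets,
    so a record answering 192.168.0.x or 127.0.0.2 changes nothing but 'matched'.
    """
    spec = mechanism.split(":", 1)[1]
    target = expand_macros(spec, sender, domain, client_ip)
    answers = resolver.lookup_a(target)
    return bool(answers), target
```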

