[H-GEN] problems with accessing mail at bigpond

Greg Black gjb at humbug.org.au
Sat May 4 07:56:03 EDT 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

Robert Brockway wrote:

| Personally I don't have a problem with open dns servers (ie server which
| will answer queries from any remote host). I see it as one last thing we
| haven't had to tighten up on the net because someone found a way of
| abusing the trust of others (all mail relays used to be open not so long
| ago...).  I block AXFR from anywhere except slaves of course.

It's a choice that we can make, although I think it's usually
not made consciously.

| I certainly find having remote dns servers ready to answer queries useful
| for diagnostics

Right now, I can't imagine a case where an open DNS server would
be necessary for any diagnostics that I'd want to run, but maybe
that's a failure of my imagination.

| I can only think of
| a handful of dns servers that are not open (UQ being a notably example).

All the servers that I run are closed to outsiders and I find
that is increasingly the case.

| I'd be interested in any security issues relating directly to having
| a dns server which will answer queries from any host.

There was a time when new BIND exploits came out regularly and
in those days I kept a fake BIND server online to capture the
attempts so that I could quantify them.  This is less true now
than it was, but why open yourself to exploits when there's no
need to provide this service?

It's not just a matter of security.  I resent providing services
to people who aren't entitled to them -- if I run an open name
server, I lose bandwidth to outside queries and I may cause my
caches to be less effective for their intended users if those
external queries force legitimate data out of the caches.

Greg

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/



More information about the General mailing list