NIS to DNS

2007-12-25 7:37:00

A few days ago I asked the following question:

>We are running NIS to resolve our local hostnames but use DNS to resolve non
>local hostnames. I noticed a strange problem with reverse lookups where the
>nameserver knows the hostname but sometimes NIS can not get the information.
>As you can see in the example below the reverse lookup through NIS fails for
>Princeton.NJ.NSS.NSF.NET but succeeds for nss.sura.net. Does anyone know what
>is going on?

The answer is simple: This is a security feature!

casper@fwi.uva.nl (Casper H.S. Dik) writes:

>It is quite simple, really. When NIS does a reverse lookup, it
>follows that lookup with a lookup of the name found. If
>the address isn't one of the addresses returned for that host,
>the lookup fails. This is to prevent spoofing rlogind, rshd, mountd
>and others that rely on being able to reliably map addresses to names.

Christopher Davis <ckd@eff.org> writes:

>This is because of a combination of NSFNET stupidity and Sun paranoia.

>

>Sun's gethostbyaddr (which gets fed to the ypmatch in this case) will
>not report a name unless the PTR record is matched by an A record for
>the same host (to prevent some security problems with hosts.equiv/rhosts).
>
>The NSFNET NSSes are not mapped properly on the A record side, i.e. a
>lookup for Princeton.NJ.NSS.NSF.NET *will not* return 129.140.72.9.
>
>This is why you're getting this "mixed result".
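The check both replies describe is a forward-confirmed reverse lookup: take the PTR name, resolve it forward, and accept the name only if the original address is among the forward answers. The following is an added example (not code from the original post, from Sun, or from NIS) that implements that check against a small in-memory zone so it runs offline. The zone data is constructed for the demo: the address 129.140.72.9 for Princeton.NJ.NSS.NSF.NET is the one quoted above, but its forward records, the other addresses (taken from the RFC 5737 documentation range), the name trusted.example and the spoofed PTR are all made up to reproduce the two situations the post describes: a legitimate host whose A record does not list its address, and an attacker who controls only the reverse zone for his own address.

```python
"""Forward-confirmed reverse lookup (the 'paranoid' gethostbyaddr).

Added example, not the original post's code. All zone data below is
constructed for the demo; only the Princeton address comes from the post.
"""
from typing import Callable, Dict, Iterable, List, Optional

# Constructed reverse zone: address -> PTR name.
PTR_RECORDS: Dict[str, str] = {
    "129.140.72.9": "Princeton.NJ.NSS.NSF.NET",  # address quoted in the post
    "192.0.2.10": "nss.sura.net",                # constructed address
    "192.0.2.40": "trusted.example",             # the real trusted host
    "192.0.2.20": "trusted.example",             # attacker's PTR, spoofed to a trusted name
}

# Constructed forward zone: lowercase name -> A records.
A_RECORDS: Dict[str, List[str]] = {
    # Models the NSFNET misconfiguration: the forward lookup does NOT
    # return 129.140.72.9 (the address here is invented).
    "princeton.nj.nss.nsf.net": ["192.0.2.99"],
    "nss.sura.net": ["192.0.2.10", "192.0.2.11"],
    "trusted.example": ["192.0.2.40"],           # attacker cannot add 192.0.2.20 here
}

Resolver = Callable[[str], Optional[str]]


def lookup_ptr(addr: str) -> Optional[str]:
    """Reverse lookup: the PTR record for addr, or None if there is none."""
    return PTR_RECORDS.get(addr)


def lookup_a(name: str) -> List[str]:
    """Forward lookup: all A records for name (case-insensitive), or []."""
    return A_RECORDS.get(name.lower(), [])


def naive_gethostbyaddr(addr: str, ptr: Callable[[str], Optional[str]] = lookup_ptr) -> Optional[str]:
    """Trusts the PTR record alone. Whoever controls the reverse zone
    for addr chooses the name this returns."""
    return ptr(addr)


def paranoid_gethostbyaddr(
    addr: str,
    ptr: Callable[[str], Optional[str]] = lookup_ptr,
    forward: Callable[[str], List[str]] = lookup_a,
) -> Optional[str]:
    """Reverse lookup followed by a forward lookup of the name found.
    The name is returned only if addr is one of that name's addresses;
    otherwise the lookup fails, exactly as Casper describes."""
    name = ptr(addr)
    if name is None:
        return None
    if addr not in forward(name):
        # PTR and A records disagree: either misconfiguration (the NSFNET
        # case) or an attempt to spoof a trusted name. Refuse both.
        return None
    return name


def is_trusted_host(addr: str, hosts_equiv: Iterable[str], resolver: Resolver = paranoid_gethostbyaddr) -> bool:
    """A toy hosts.equiv check: is the peer address one of the listed names?
    The resolver argument decides whether the PTR record is believed."""
    name = resolver(addr)
    if name is None:
        return False
    return name.lower() in {h.lower() for h in hosts_equiv}


if __name__ == "__main__":
    for addr in PTR_RECORDS:
        print(f"{addr:14} naive={naive_gethostbyaddr(addr)!s:26} paranoid={paranoid_gethostbyaddr(addr)}")
    print("attacker accepted by naive check:   ", is_trusted_host("192.0.2.20", ["trusted.example"], naive_gethostbyaddr))
    print("attacker accepted by paranoid check:", is_trusted_host("192.0.2.20", ["trusted.example"]))
```

With the constructed zone, the paranoid resolver returns None for 129.140.72.9 (the mixed result Lutz saw) and for the attacker's 192.0.2.20, while nss.sura.net and the real trusted host resolve normally; the naive resolver lets the attacker through. The same reverse-then-forward rule is what tcp_wrappers' PARANOID setting enforces for daemons that still decide access by hostname.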

Thanks to all who replied:

casper@fwi.uva.nl (Casper H.S. Dik)

feldt@phyast.nhn.uoknor.edu (Andy Feldt)

Christopher Davis <ckd@eff.org>

lars@CMC.COM (Lars Poulsen)

burgess@tc.pw.com (Chris Burgess)

per@erix.ericsson.se (Per Hedeland)

jxh@attain.ICD.Teradyne.COM (Jim Hickstein)

eckhard@ikarus.ts.go.dlr.de

-Lutz
