Received: from localhost (daemon@localhost) 
        by CS.UTK.EDU with SMTP (cf v2.9s-UTK)
	id JAA19123; Mon, 7 Oct 1996 09:56:44 -0400
Received: by CS.UTK.EDU (bulk_mailer v1.7); Mon, 7 Oct 1996 09:55:38 -0400
Received: from munnari.OZ.AU (munnari.OZ.AU [128.250.1.21]) 
        by CS.UTK.EDU with SMTP (cf v2.9s-UTK)
	id JAA18947; Mon, 7 Oct 1996 09:55:29 -0400
Received: from mundamutti.cs.mu.OZ.AU by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.56)
	id NA22631; Mon, 7 Oct 1996 23:55:12 +1000 (from kre@munnari.OZ.AU)
To: Eric Thomas <ERIC@VM.SE.LSOFT.COM>
Cc: drums@cs.utk.edu
Subject: Re: cname lookup effort 
In-Reply-To: Your message of "Sun, 06 Oct 1996 16:02:30 +0200."
Date: Mon, 07 Oct 1996 23:55:07 +1000
Message-Id: <18423.844696507@munnari.OZ.AU>
From: Robert Elz <kre@munnari.oz.au>

    Date:        Sun, 6 Oct 1996 16:02:30 +0200
    From:        Eric Thomas <ERIC@VM.SE.LSOFT.COM>

    The problem is that many firewalls will  then filter it. It seems that by
    default (at least for port 25),  many firewall products will do a reverse
    lookup for the IP address in the  packet header, then a forward lookup on
    the results, and  it had better match  the address in the  packet.

Apart from this being needlessly (uselessly) expensive for the
firewall to actually do, it works (as Roger Fajman said).

Assume you have

a.x.y.	IN	A	10.0.0.1
b.x.y.	IN	A	10.0.0.1
c.x.y.	IN	A	10.0.0.1
d.x.y.	IN	A	10.0.0.1

and

1.0.0.10.in-addr.arpa. in ptr a.x.y.

(you might also have other PTR records for the other names, but
for now assume not, it makes no difference).

Now I send mail to b.x.y - my smtp looks up the name finds the
address, and establishes a connection.   The firewall (operating as
you say they operate - though I haven't seen one like this) sees
the address 10.0.0.1, looks up the PTR, finds a.x.y, looks up a.x.y
finds 10.0.0.1, which is the address in the packet, and all is OK,
right?

Unless you're about to claim that the firewall also looks at the
RCPT TO command in the SMTP dialog, and checks that the domain
named is the same as the destination address which would be 100%
bogus, as it would break the additional record...

x.y.	IN	MX	0 a.x.y.

then I don't see what the problem is supposed to be.

This does all that CNAME records do, and if you think about it for
half a second, it must do, as all the CNAME does (here) is provide an
indirection in the DNS to find the A record - eliminating the
indirection cannot possibly make a difference.

In any case, for this kind of purpose MX records work better.
For essentially all other services, either multiple A's or CNAMEs
work identically, as the name isn't passed from client to server,
just the address (as the dest addr of the datagrams).  For this
it simply doesn't matter whether the CNAME is rewritten or not, as
no-one ever sees it.

Note that what the firewall might do in cases where the DNS is
incorrect (or outdated), is irrelevant, and unchanged by the method
by which the A record is obtained.

Finally, if NT (and even VMS) don't allow alias addresses on an
interface, they're currently basiclaly useless as WWW server sites.
It is hard to believe that either microsloth or dec really want to
be cut out of that market, so if alias addresses (multiple addresses
on an interface) don't work now, one mighth assume that they will
very soon - HTTP is being fixed so this isn't needed, but it will
be a while before the vast majority of the net have clients that can
cope, which means it will be a very brave server operator who would
attempt to take advantage.

kre