
Building Internet Firewalls

Chapter 2: Internet Services

2.9 Name Service

Name service translates between the host names that people use and the numerical IP addresses that machines use. In the early days of the Internet, every site could maintain a host table listing the name and address of every machine on the Internet that it might ever care about. With millions of hosts attached, it isn't practical for any single site to maintain such a list, much less for every site to do so. Instead, the Domain Name System (DNS) lets each site maintain the information about its own hosts and look up the information that other sites publish about theirs. DNS isn't a user-level service, per se, but it underlies SMTP, FTP, Telnet, and virtually every other service users need, because users want to be able to type "telnet fictional.com" rather than "telnet" followed by a numeric IP address. Furthermore, many anonymous FTP servers will refuse connections from clients unless they can use DNS to look up the client host's name, so that the name can be logged.

The net result is that you must both use and provide name service in order to participate in the Internet. The main risk in providing DNS service is that you may give away more information than you intend. For example, DNS lets you publish information about what hardware and software each host is running (the HINFO record type exists for exactly this purpose), information that you don't want an attacker to have. In fact, you may not even want an attacker to learn the names of all your internal machines, since a list of host names is a map of targets. Chapter 8 discusses how to configure name service so that full information is available to your internal hosts but only partial information to external inquirers.

Using DNS internally and then relying on host names for authentication makes you vulnerable to an intruder who can install a lying DNS server. This can be handled by a combination of methods, including:

  • Using IP addresses (rather than host names) for authentication on services that need to be more secure.

  • Authenticating users instead of hosts on the most secure services, because IP addresses can also be spoofed.
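The following is an added example, not code from the book, showing why host-name authentication is fragile. A server that admits a client because its address reverse-resolves (PTR) to a trusted name is trusting whoever controls the reverse zone for the client's address block. Re-resolving the claimed name forward and checking that the connecting address appears among the answers (the so-called double-reverse or forward-confirmed lookup) defeats a lying remote reverse zone, but, as the last scenario shows, it does nothing against the case the text describes, where the intruder's lying server is the one answering your own hosts' queries. The host names, addresses and record tables below are constructed for the example; resolution is done through plain Python callables so it runs offline, where a real service would call the system resolver.

```python
"""Forward-confirmed reverse DNS check versus a lying name server.

Added example (not from "Building Internet Firewalls"). All names,
addresses and DNS answers are constructed for illustration. Lookups are
injected as callables so the code runs offline; a real deployment would
use socket.gethostbyaddr / socket.gethostbyname or a DNS library.
"""

from typing import Callable, Dict, List

# Constructed "honest" DNS data.
#   10.1.2.3  is the genuine trusted host.
#   10.9.9.9  is the intruder's machine; the intruder controls the reverse
#             zone for its own address block and publishes a lying PTR
#             record that claims the trusted host's name.
HONEST_PTR: Dict[str, List[str]] = {
    "10.1.2.3": ["trusted.example."],
    "10.9.9.9": ["trusted.example."],  # lying PTR, but a real record
}
HONEST_A: Dict[str, List[str]] = {
    "trusted.example.": ["10.1.2.3"],  # forward zone is not under the intruder's control
}

# Constructed data for a compromised resolver: the intruder has installed a
# lying DNS server on the path your hosts query, so it lies about the
# forward zone too.
LYING_A: Dict[str, List[str]] = {
    "trusted.example.": ["10.1.2.3", "10.9.9.9"],
}

TRUSTED_HOSTS = {"trusted.example."}


def normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def make_lookup(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Turn a record table into a resolver-like callable (empty list = NXDOMAIN)."""
    return lambda key: list(table.get(key if "." not in key[-1:] and key[0].isdigit() else normalize(key), []))


def reverse_only_allows(addr: str, resolve_ptr: Callable[[str], List[str]]) -> bool:
    """Weak check: admit the client if ANY PTR answer is a trusted name."""
    names = {normalize(n) for n in resolve_ptr(addr)}
    return bool(names & TRUSTED_HOSTS)


def forward_confirmed_allows(addr: str,
                             resolve_ptr: Callable[[str], List[str]],
                             resolve_a: Callable[[str], List[str]]) -> bool:
    """Stronger check: the PTR name must be trusted AND must resolve back to addr.

    Returns False when there is no PTR record, when no PTR name is trusted,
    or when the trusted name's A records do not include the connecting address.
    """
    for name in resolve_ptr(addr):
        name = normalize(name)
        if name not in TRUSTED_HOSTS:
            continue
        if addr in resolve_a(name):
            return True
    return False


if __name__ == "__main__":
    ptr = make_lookup(HONEST_PTR)
    print("reverse-only, genuine host :", reverse_only_allows("10.1.2.3", ptr))
    print("reverse-only, lying PTR    :", reverse_only_allows("10.9.9.9", ptr))
    print("fwd-confirmed, genuine host:", forward_confirmed_allows("10.1.2.3", ptr, make_lookup(HONEST_A)))
    print("fwd-confirmed, lying PTR   :", forward_confirmed_allows("10.9.9.9", ptr, make_lookup(HONEST_A)))
    print("fwd-confirmed, lying server:", forward_confirmed_allows("10.9.9.9", ptr, make_lookup(LYING_A)))
```

The reverse-only check admits the intruder outright. The forward-confirmed check rejects the intruder as long as the forward zone for trusted.example is answered honestly, which is why it is worth doing on any host that must use names at all. Against a lying server that your own hosts consult, both lookups come from the attacker and the check passes again; and neither check detects a spoofed source address. That is the reasoning behind the two bullets above: prefer addresses over names, and prefer authenticating users over authenticating hosts.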

Some sites use Sun's Network Information Service, formerly known as Yellow Pages (NIS/YP), to distribute host name information internally. This is not necessary: any platform that supports NIS/YP can use DNS clients instead, although NIS/YP may be more convenient for configuring your internal machines. It is certainly neither necessary nor advisable to provide NIS/YP service to external machines. NIS/YP is designed to administer a single site, not to exchange information between sites, and it is highly insecure: a client that can bind to your NIS/YP domain can request any map the server holds. For example, if both the hosts map and the password file are served internally, you could not provide your host information to external sites via NIS/YP without also handing them your password file.
