Michael Ströder wrote:
Florian Weimer wrote:
- Michael Ströder:
Hmm, I will drop it since the same functionality can be easily achieved on this platform by using local kernel firewall.
The DNS-based access rules are not available as part of the kernel firewall.
Good point.
For some odd reasons, a lot of people think this tcpwrappers feature is insecure,
Me too. ;-)
but it seems a rather convenient way to get *additional* security in cases where you have proper reverse lookup (with matching forward lookup) and fragmented address space that does not lend itself easily to writing access rules.
But it adds two additional DNS lookups to the game.
I also use dnsmasq everywhere these days. Wouldn't dream of using a non-cached DNS resolver.
(And btw, dnsmasq supports DNSSEC.)