Welcome to the VanDyke Software Forums

Join the discussion today!

Go Back   VanDyke Software Forums > General


Thread Tools Display Modes
Old 07-26-2019, 02:07 AM
dverbern dverbern is offline
Registered User
Join Date: Mar 2019
Posts: 31
Connection Filter, Hostnames vs IPs

I'm sorry if this subject has been discussed at length and I'm happy to be forwarded to a link where this has happened.

The Networks team at my company, with whom I liaise frequently on Change Requests to get various IPs/hosts added to our firewall rules to communicate with our Secure FTP servers (running VShell!), have recently made it clear that they much prefer to work with hostnames over IP addresses as the hostnames are much easier to maintain and less likely to change than individual IPs.

Looking at the Connection Filter settings in VShell, I'm tempted to go a similar route and translate the existing 3rd party IP entries to hostnames where I have the ability on the Windows box to reverse-lookup those IPs to hostnames.

However, over the last few days I encountered a situation with a 3rd party that could not connect to us and the issue seems to have been that the Connection Filter rule I had created was for their hostname, a hostname that I had obtained by doing a reverse-lookup (PING -A) of their IP they were connecting from. (I figured that if their traffic is coming from that IP and the Windows box can reverse-lookup that IP to hostname X, then allowing hostname X should allow their traffic. I've had to revert to IP to allow this particular party. I've checked HOSTS, LMHOSTS for any old-fashioned Windows network shenanigins and nothing there. So I'm wondering - should we try to resolve to hostnames over IPs in the Connection Filter where possible? Is there any gotchyas or rules we should be aware of?
Reply With Quote
Old 07-26-2019, 02:04 PM
bgagnon bgagnon is offline
VanDyke Technical Support
Join Date: Oct 2008
Posts: 4,636
Hi dverbern,

When a hostname is used for a connection filter, VShell performs a reverse DNS lookup on the incoming IP address.

As in the situation you saw, if the lookup fails, the connection will be denied.

I would be hesitant to speculate why the reverse DNS lookup of your 3rd party's hostname failed. But, simply the fact that it *can* fail might be a factor in your decision.

However, relying on a hostname (rather than IP) can be problematic both from a reliability and from a security standpoint (DNS spoofing, etc.).

If possible, we would recommend using IP addresses in connection filters.

VanDyke Software
Technical Support
(505) 332-5730
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

All times are GMT -6. The time now is 08:00 AM.