• DNS host mapping

    From Mike Landis@21:1/5 to All on Sat Oct 16 20:11:28 2021
    I have a local (192.168.0.xxx) machine that I can successfully access over
    the local network via Putty (without Kerberos) and MobaXterm. I've added
    an alias for the target machine to the Windows etc/hosts file (which
    successfully facilitates pings to it by name) and added an entry for that
    machine in my router's DNS Host Mapping index (which had no effect on
    anything that I'm aware of). I own the domain 3c58.com (which is routable
    on the Internet), so I named the local machine Level10.3c58.com. I'd like
    Kerberos to create tickets for that machine, but I have run out of ideas on
    how to get that to happen under present circumstances. Is there some way
    to convince Kerberos to look at the hosts file on Windows or somehow tap
    the router's domain name server? Is this behavior a bug or intended
    security behavior?

    Thanks, Mike Landis

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ken Hornstein@21:1/5 to Mike Landis on Sun Oct 17 13:48:23 2021
    Copy: kerberos@mit.edu

    > I own the domain 3c58.com (which is routable
    > on the Internet, so I named the local machine Level10.3c58.com. I'd like
    > kerberos to create tickets for that machine, but I have run out of ideas on
    > how to get that to happen under present circumstances. Is there some way
    > to convince Kerberos to look at the hosts file on windows or somehow tap
    > the router's domain name server? Is this behavior a bug or intended
    > security behavior?

    There are a couple of details here that matter.

    - Which Kerberos implementation you are using
    - Which APPLICATIONS you are using
    - How it is configured
    - The reverse DNS records

    Let's say you're using MIT Kerberos. Again, details matter here. What
    is the implementation of the Kerberos KDC? If it is a Unix-based
    KDC, you should have access to the logs.

    _Depending on how you have things configured_, the client side Kerberos
    implementation may just try to canonicalize the name based on the
    forward DNS, _or_ it may also try the reverse DNS. At least for MIT
    Kerberos, it calls the standard operating system calls to perform those
    DNS lookups. But again the details matter; those MAY consult the local
    hosts file, or they may not. Your best bet is to look at the KDC logs to
    determine what name it is trying to look up, and go from there.

    --Ken

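    As an added example (not from either poster), here is a krb5.conf fragment for an MIT Kerberos client that shows the two [libdefaults] settings controlling the forward/reverse canonicalization Ken describes, with the default (DNS-dependent) value commented beside the explicit one. The realm name EXAMPLE.REALM is a placeholder; the hostname is the one from the thread.

    ```ini
    # Added example: MIT Kerberos client settings that decide which
    # service principal name the client asks the KDC for. Realm name is
    # a placeholder.
    [libdefaults]
        default_realm = EXAMPLE.REALM

        # Default (true): the client resolves the name you typed through
        # forward DNS (getaddrinfo with AI_CANONNAME) and puts the
        # canonical name into host/<name>@REALM. Whether that lookup
        # consults the local hosts file depends on the OS resolver.
        # dns_canonicalize_hostname = true
        #
        # false: use the name exactly as typed (level10.3c58.com), so no
        # forward or reverse lookup takes part in choosing the principal.
        dns_canonicalize_hostname = false

        # Default (true): additionally look up the PTR record of the
        # resolved address and use that name instead. If the reverse
        # answer comes from the router or ISP rather than the hosts file,
        # the principal silently becomes a different name. Ignored when
        # dns_canonicalize_hostname is false.
        rdns = false

    # Map the domain to the realm explicitly so the client does not need
    # DNS TXT records to find the realm for host/level10.3c58.com.
    [domain_realm]
        .3c58.com = EXAMPLE.REALM
        3c58.com = EXAMPLE.REALM
    ```

    On a Unix client, `KRB5_TRACE=/dev/stderr kvno host/level10.3c58.com` prints the client side of the lookup, which is the counterpart of the KDC log check Ken recommends.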