[olug] Help w/ my server
Christopher Cashell
topher-olug at zyp.org
Mon Jul 23 22:08:18 UTC 2012
On Mon, Jul 23, 2012 at 4:51 PM, Kevin <sharpestmarble at gmail.com> wrote:
> The Way Things Should Be: DNS would have another record, something
> like PORT, which has a number and a text description. When an end user
> goes to a site, the system does a lookup for that service along with
> its lookup for the IP. Something like IP/port. You would get the
> IP (127.0.0.1) back with the port that you should use (8080), and if the
> port lookup fails, then you would use the service default(80). This
> way you could get around port blocks. But I don't believe it works
> this way; DNS was set up(IIRC) when firewalls were "allow and
> selectively block" rather than the current "block and selectively
> allow". This would also allow you to host multiple services of the
> same type on a single physical host, thus allowing one IP to host
> multiple secure websites (something that has only "somewhat recently"
> come out with TLS 1.0(?)).
That would add a lot of additional complexity to all of DNS (along
with most applications, which would then have to handle the additional
logic) for a few select cases. Most protocols already have well known
port assignments, and most also support a method for specifying an
alternate port. Keeping DNS simple and separate (considering that the
entire Internet is built on DNS, keeping it simple and reliable is a
Very Good Thing) makes sense. Additionally, remember that there are
some protocols that don't use ports, or work in different ways.
Regarding TLS/SSL, that has more to do with the TLS protocol and
specification than with DNS. TLS was designed to be a complete
wrapper around a different protocol. Many (most?) protocols don't
have a concept of a hostname like HTTP does. Because TLS/SSL is
protocol-agnostic, the client has no way of specifying what hostname
it's looking for (that happens later, for HTTP).
There are other protocols that work differently, such as LDAP (and
SMTP, POP3/IMAP, XMPP, etc). They work by first initiating a
connection to the server, and then issuing a special command
(StartTLS) to "upgrade" the connection to a secure connection. This
allows encrypted or unencrypted communication over the same port.
--
Christopher