Re: [Full-disclosure] Reverse dns

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 03/10/05

  • Next message: Paul Schmehl: "RE: [Full-disclosure] US pres election was hacked away by Dumbya&cabal."
    Date: Thu, 10 Mar 2005 11:30:51 -0600
    To: full-disclosure@lists.grok.org.uk
    
    

    --On Thursday, March 10, 2005 10:39:38 AM -0600 Duo
    <duo@digitalarcadia.net> wrote:
    >
    > Strictly speaking, this may or may not help you. It would help if you
    > would describe the scenario/situation you are in. I could comment
    > further, but without a bit more specific information, I dont feel I can
    > comment properly.
    >
    I'd prefer not to give details. I'll give you this much. We're having a
    philosophical disagreement about the value of disallowing reverse dns for
    hosts on our network. It's the ancient security by obscurity discussion.

    My concern is that we should not disable dns when (or if) it's required.
    Obviously we would not disable it for the MX hosts, but I'm unclear what
    (if anything) the RFC requirements are. Absent any requirements, there's
    not cogent argument for *not* doing it, with the aforementioned exceptions.

    Hopefully that clarifies it a bit.

    Some questions that come to mind - what, if anything, is the consequence of
    disabling reverse lookups for your NS servers? For web servers? For other
    services? For workstations? Etc., etc.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://www.secunia.com/


  • Next message: Paul Schmehl: "RE: [Full-disclosure] US pres election was hacked away by Dumbya&cabal."

    Relevant Pages

    • icmp filtering (was: ssh tunneling)
      ... i was aware that disabling ICMP ... This practice of trying to become invisible is known as "security ... Disabling this just makes the troubleshooting process awkward ... scanning as many hosts as possible and trying a known exploit against ...
      (Debian-User)
    • Re: DNS lookup bypass HOSTS file
      ... The total 26 characters in FQDN. ... they are typos in my question but not in the actual HOSTS file. ... Tried disabling AV and restarting but not working. ...
      (microsoft.public.windows.server.dns)
    • Re:
      ... ensure that "Anonymous Access" is disabled in IIS. ... Gaurav Vaish ... This works fine on one of my web servers but not on another. ... What configuration option could be disabling my ability ...
      (microsoft.public.dotnet.framework.aspnet.security)

    • ... This works fine on one of my web servers but not on another. ... What configuration option could be disabling my ability to ...
      (microsoft.public.dotnet.framework.aspnet.security)