Re: [Full-disclosure] Reverse dns

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 03/10/05

Next message: Paul Schmehl: "RE: [Full-disclosure] US pres election was hacked away by Dumbya&cabal."

Previous message: Security - AlaricoWebDesign.it: "Re: [Full-disclosure] Reverse dns"
In reply to: Duo: "Re: [Full-disclosure] Reverse dns"
Next in thread: Duo: "Re: [Full-disclosure] Reverse dns"
Reply: Duo: "Re: [Full-disclosure] Reverse dns"
Reply: Danny: "Re: [Full-disclosure] Reverse dns"
Reply: TheGesus: "[Full-disclosure] Re: Reverse dns (whether you want it or not)"
Reply: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Reverse dns"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 10 Mar 2005 11:30:51 -0600
To: full-disclosure@lists.grok.org.uk

--On Thursday, March 10, 2005 10:39:38 AM -0600 Duo
<duo@digitalarcadia.net> wrote:
>
> Strictly speaking, this may or may not help you. It would help if you
> would describe the scenario/situation you are in. I could comment
> further, but without a bit more specific information, I dont feel I can
> comment properly.
>
I'd prefer not to give details. I'll give you this much. We're having a
philosophical disagreement about the value of disallowing reverse dns for
hosts on our network. It's the ancient security by obscurity discussion.

My concern is that we should not disable dns when (or if) it's required.
Obviously we would not disable it for the MX hosts, but I'm unclear what
(if anything) the RFC requirements are. Absent any requirements, there's
not cogent argument for *not* doing it, with the aforementioned exceptions.

Hopefully that clarifies it a bit.

Some questions that come to mind - what, if anything, is the consequence of
disabling reverse lookups for your NS servers? For web servers? For other
services? For workstations? Etc., etc.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

Next message: Paul Schmehl: "RE: [Full-disclosure] US pres election was hacked away by Dumbya&cabal."

Previous message: Security - AlaricoWebDesign.it: "Re: [Full-disclosure] Reverse dns"
In reply to: Duo: "Re: [Full-disclosure] Reverse dns"
Next in thread: Duo: "Re: [Full-disclosure] Reverse dns"
Reply: Duo: "Re: [Full-disclosure] Reverse dns"
Reply: Danny: "Re: [Full-disclosure] Reverse dns"
Reply: TheGesus: "[Full-disclosure] Re: Reverse dns (whether you want it or not)"
Reply: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Reverse dns"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

icmp filtering (was: ssh tunneling)
... i was aware that disabling ICMP ... This practice of trying to become invisible is known as "security ... Disabling this just makes the troubleshooting process awkward ... scanning as many hosts as possible and trying a known exploit against ...
(Debian-User)
Re: DNS lookup bypass HOSTS file
... The total 26 characters in FQDN. ... they are typos in my question but not in the actual HOSTS file. ... Tried disabling AV and restarting but not working. ...
(microsoft.public.windows.server.dns)
Re:
... ensure that "Anonymous Access" is disabled in IIS. ... Gaurav Vaish ... This works fine on one of my web servers but not on another. ... What configuration option could be disabling my ability ...
(microsoft.public.dotnet.framework.aspnet.security)
... This works fine on one of my web servers but not on another. ... What configuration option could be disabling my ability to ...
(microsoft.public.dotnet.framework.aspnet.security)