Re: [Full-disclosure] Reverse dns

From: Danny (nocmonkey_at_gmail.com)
Date: 03/10/05

    Date: Thu, 10 Mar 2005 16:03:34 -0500
    To: Paul Schmehl <pauls@utdallas.edu>
    
    

    On Thu, 10 Mar 2005 11:30:51 -0600, Paul Schmehl <pauls@utdallas.edu> wrote:
    > --On Thursday, March 10, 2005 10:39:38 AM -0600 Duo
    > <duo@digitalarcadia.net> wrote:
    > >
    > > Strictly speaking, this may or may not help you. It would help if you
    > > would describe the scenario/situation you are in. I could comment
    > > further, but without a bit more specific information, I don't feel I can
    > > comment properly.
    > >
    > I'd prefer not to give details. I'll give you this much. We're having a
    > philosophical disagreement about the value of disallowing reverse dns for
    > hosts on our network.

    Internet/externally accessible IP devices, I believe, should be
    configured with reverse DNS.
    As for hosts on your LAN, they should not be accessible from the
    Internet/external & untrusted networks; therefore, only you will know
    what is best for your internal network. For us, we use reverse DNS on
    all of our hosts for proper Active Directory operation and basic
    troubleshooting.

    > It's the ancient security by obscurity discussion.

    How does your security posture gain an advantage or decrease your risk
    to attack if you were to disable reverse DNS?

    > My concern is that we should not disable dns when (or if) it's required.

    RFCs exist for a reason; go with your gut feeling and do not disable
    RDNS where it is recommended.

    > Obviously we would not disable it for the MX hosts, but I'm unclear what
    > (if anything) the RFC requirements are. Absent any requirements, there's
    > no cogent argument for *not* doing it, with the aforementioned exceptions.

    You cannot go wrong by following the recommendations (in addition to
    the requirements) outlined by the related RFCs.
     
    > Hopefully that clarifies it a bit.
    >
    > Some questions that come to mind - what, if anything, is the consequence of
    > disabling reverse lookups for your NS servers? For web servers? For other
    > services? For workstations? Etc., etc.

    Test and find out.

    At the least, servers should have RDNS set up. As for the rest of your
    IP devices, it depends on your network - I don't know what you have
    set up or what software you have installed that may require RDNS. Test
    it and find out.

    ...D
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://www.secunia.com/
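The advice in the message above is to test which hosts have working reverse DNS rather than guess. The following Python script is an added example and is not part of the original thread or of any list member's code: it audits a set of addresses for forward-confirmed reverse DNS (PTR record present, and the PTR name resolving back to the same address), which is the check MX hosts and other externally reachable servers are most often judged on. The resolver is passed in as two callables so the audit can run against constructed sample data offline; `check_fcrdns`, `audit_hosts`, `live_ptr_lookup`, `live_a_lookup` and the sample zone names under `example.test` are all assumptions made for this example.

```python
"""Audit hosts for forward-confirmed reverse DNS (FCrDNS).

Added example, not from the original Full-Disclosure thread. Resolver
functions are injected so the logic can be exercised offline against a
constructed sample zone; the live_* helpers use the system stub resolver.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

# ip -> PTR hostname (None if no PTR record)
PtrLookup = Callable[[str], Optional[str]]
# hostname -> list of addresses it resolves to (empty if none)
ALookup = Callable[[str], list[str]]


@dataclass
class RdnsResult:
    ip: str
    ptr: Optional[str]
    forward: list[str] = field(default_factory=list)
    # one of: "ok", "no-ptr", "no-forward", "mismatch"
    status: str = "no-ptr"


def check_fcrdns(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> RdnsResult:
    """Classify one address by its reverse DNS state.

    ok          PTR exists and its name resolves back to ip
    no-ptr      no PTR record at all
    no-forward  PTR exists but the name does not resolve
    mismatch    PTR name resolves, but not to ip (stale or wrong PTR)
    """
    ptr = ptr_lookup(ip)
    if ptr is None:
        return RdnsResult(ip, None, [], "no-ptr")
    forward = a_lookup(ptr)
    if not forward:
        return RdnsResult(ip, ptr, [], "no-forward")
    if ip in forward:
        return RdnsResult(ip, ptr, forward, "ok")
    return RdnsResult(ip, ptr, forward, "mismatch")


def audit_hosts(ips: Iterable[str], ptr_lookup: PtrLookup, a_lookup: ALookup) -> dict[str, str]:
    """Return {ip: status} for every address in ips."""
    return {ip: check_fcrdns(ip, ptr_lookup, a_lookup).status for ip in ips}


# --- live resolvers (system stub resolver via the socket module) ---

def live_ptr_lookup(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def live_a_lookup(name: str) -> list[str]:
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


# --- constructed sample zone for offline use (not real hosts) ---
SAMPLE_PTR: dict[str, str] = {
    "192.0.2.10": "mx.example.test",      # correct PTR, forward matches
    "192.0.2.20": "www.example.test",     # PTR points at a name that resolves elsewhere
    "192.0.2.30": "orphan.example.test",  # PTR name has no forward record
}
SAMPLE_A: dict[str, list[str]] = {
    "mx.example.test": ["192.0.2.10"],
    "www.example.test": ["192.0.2.21"],
}


def sample_ptr_lookup(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_a_lookup(name: str) -> list[str]:
    return list(SAMPLE_A.get(name, []))


SAMPLE_IPS = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]


def sample_report() -> dict[str, str]:
    """Run the audit over the constructed zone."""
    return audit_hosts(SAMPLE_IPS, sample_ptr_lookup, sample_a_lookup)


if __name__ == "__main__":
    for ip, status in sample_report().items():
        print(f"{ip:<12} {status}")
    # For real hosts: audit_hosts(["203.0.113.5"], live_ptr_lookup, live_a_lookup)
```

Run against the sample zone, the four addresses come back as `ok`, `mismatch`, `no-forward` and `no-ptr` respectively; swapping in `live_ptr_lookup` and `live_a_lookup` runs the same classification against the system resolver. The "mismatch" case is the one worth watching in practice, since a PTR that names a host which no longer resolves to that address is what receiving mail servers treat as a failed FCrDNS check.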

