Full Disclosure mailing list archives
Re: Reverse dns
From: Danny <nocmonkey () gmail com>
Date: Thu, 10 Mar 2005 16:03:34 -0500
On Thu, 10 Mar 2005 11:30:51 -0600, Paul Schmehl <pauls () utdallas edu> wrote:
> --On Thursday, March 10, 2005 10:39:38 AM -0600 Duo <duo () digitalarcadia net> wrote:
>
> > Strictly speaking, this may or may not help you. It would help if you would describe the scenario/situation you are in. I could comment further, but without a bit more specific information, I don't feel I can comment properly.
>
> I'd prefer not to give details. I'll give you this much. We're having a philosophical disagreement about the value of disallowing reverse dns for hosts on our network.
Internet/externally accessible IP devices, I believe, should be configured with reverse DNS. As for hosts on your LAN, they should not be accessible from the Internet/external & untrusted networks, therefore, only you will know what is best for your internal network. For us, we use reverse DNS on all of our hosts for proper Active Directory operation and basic troubleshooting.
> It's the ancient security by obscurity discussion.
How does your security posture gain an advantage or decrease your risk to attack if you were to disable reverse DNS?
> My concern is that we should not disable dns when (or if) it's required.
RFCs exist for a reason; go with your gut feeling and do not disable RDNS where it is recommended.
> Obviously we would not disable it for the MX hosts, but I'm unclear what (if anything) the RFC requirements are. Absent any requirements, there's no cogent argument for *not* doing it, with the aforementioned exceptions.
You cannot go wrong by following the recommendations (in addition to the requirements) outlined by the related RFCs.
> Hopefully that clarifies it a bit. Some questions that come to mind - what, if anything, is the consequence of disabling reverse lookups for your NS servers? For web servers? For other services? For workstations? Etc., etc.
Test and find out. In the least, servers should have RDNS set up. As for the rest of your IP devices, it depends on your network - I don't know what you have set up or what software you have installed that may require RDNS. Test it and find out.

...D

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
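An added example, not part of this thread or any poster's code, of the kind of "test and find out" check discussed above: a forward-confirmed reverse DNS audit that flags hosts with no PTR record, or whose PTR name does not resolve back to the same address (the case that matters most for the MX hosts mentioned). The addresses, hostnames and records are constructed so it runs offline; the live resolver functions use only the Python standard library and are an assumption about how a reader would run it against real hosts.

```python
import ipaddress
import socket

# Constructed sample records (not real hosts) so the audit runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net",  # PTR -> A resolves back to this IP
    "192.0.2.20": "www.example.net",   # PTR present, but A points elsewhere
    "192.0.2.30": None,                # no PTR record at all
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10"],
    "www.example.net": ["198.51.100.5"],
}

def resolve_ptr_live(ip):
    """PTR lookup via the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def resolve_a_live(name):
    """All IPv4 addresses the name resolves to (empty list on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []

def check_fcrdns(ip, ptr_lookup, a_lookup):
    """Return (status, ptr_name): 'consistent', 'mismatch' or 'no-ptr'."""
    ipaddress.ip_address(ip)  # reject malformed input before any lookup
    name = ptr_lookup(ip)
    if name is None:
        return ("no-ptr", None)
    if ip in a_lookup(name):
        return ("consistent", name)
    return ("mismatch", name)

def audit(ips, ptr_lookup=resolve_ptr_live, a_lookup=resolve_a_live):
    """Audit a list of addresses; resolvers are injectable for offline tests."""
    return {ip: check_fcrdns(ip, ptr_lookup, a_lookup) for ip in ips}

if __name__ == "__main__":
    results = audit(SAMPLE_PTR, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))
    for ip, (status, name) in results.items():
        print(f"{ip:15} {status:10} {name or '-'}")
```

Calling `audit()` with its default arguments queries the system resolver, so a "no-ptr" result there means the address genuinely has no PTR record as seen from that host.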