Full Disclosure mailing list archives

Re: Reverse dns

From: Danny <nocmonkey () gmail com>
Date: Thu, 10 Mar 2005 16:03:34 -0500

On Thu, 10 Mar 2005 11:30:51 -0600, Paul Schmehl <pauls () utdallas edu> wrote:

--On Thursday, March 10, 2005 10:39:38 AM -0600 Duo
<duo () digitalarcadia net> wrote:


Strictly speaking, this may or may not help you. It would help if you
would describe the scenario/situation you are in. I could comment
further, but without a bit more specific information, I dont feel I can
comment properly.

I'd prefer not to give details.  I'll give you this much.  We're having a
philosophical disagreement about the value of disallowing reverse dns for
hosts on our network.


Internet/externally accessible IP devices, I believe, should be
configured with reverse DNS.
As for hosts on your LAN, they should not be accessible from the
Internet/external & untrusted networks, therefore, only you will know
what is best for your internal network.  For us, we use reverse DNS on
all of our hosts for proper Active Directory operation and basic
troubleshooting.

It's the ancient security by obscurity discussion.


How does your security posture gain an advantage or decrease your risk
to attack if you were to disable reverse DNS?

My concern is that we should not disable dns when (or if) it's required.


RFC's exist for a reason; go with your gut feeling and do not disable
RDNS where it is recommended.

Obviously we would not disable it for the MX hosts, but I'm unclear what
(if anything) the RFC requirements are.  Absent any requirements, there's
not cogent argument for *not* doing it, with the aforementioned exceptions.


You cannot go wrong by following the recommendations (in addition to
the requirements) outlined by the related RFC's.

Hopefully that clarifies it a bit.

Some questions that come to mind - what, if anything, is the consequence of
disabling reverse lookups for your NS servers?  For web servers?  For other
services?  For workstations?  Etc., etc.


Test and find out.

In the least, servers should have RDNS setup.  As for the rest of your
IP devices, it depends on your network - I don't know what you have
setup or what software you have installed that may require RDNS. Test
it and find out.

...D
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

Current thread:

Reverse dns Paul Schmehl (Mar 10)
- Re: Reverse dns Vincent Archer (Mar 10)
  - Re: Reverse dns Paul Schmehl (Mar 10)
- Re: Reverse dns Duo (Mar 10)
  - Re: Reverse dns Paul Schmehl (Mar 10)
    - Re: Reverse dns Duo (Mar 10)
    - Re: Reverse dns Danny (Mar 10)
    - Re: Reverse dns (whether you want it or not) TheGesus (Mar 10)
    - RE: Re: Reverse dns (whether you want it or not) Edward Ray (Mar 11)
    - Re: Reverse dns (whether you want it or not) Dave Korn (Mar 11)
    - Re: Re: Reverse dns (whether you want it or not) Danny (Mar 11)
    - Re: Reverse dns Valdis . Kletnieks (Mar 11)
    - Re: Reverse dns Simon Biles (Mar 11)
- Re: Reverse dns Danny (Mar 10)
- RE: Reverse dns Edward Ray (Mar 10)
- Re: Reverse dns Andrei Zlate-Podani (Mar 10)
- Re: Reverse dns Valdis . Kletnieks (Mar 10)

(Thread continues...)