Security Basics mailing list archives

Re: RE: application for an employment


From: cwright () bdosyd com au
Date: 1 Apr 2006 01:52:14 -0000

See below - in response to your post and others.

Using a web server is NOT a port scan - in any manner. 

*public* internet addressing does not mean *public access*

Craig
-----Original Message----- 
From: Craig Wright 
Sent: Sat 1/04/2006 7:45 AM 
To: Ansgar -59cobalt- Wiechers; security-basics () securityfocus com 
Cc: 
Subject: How DNS works

Hello,

To alleviate some ignorance regarding the DNS process and public servers. 

1 DNS

DNS Servers are public if they are a part of the public domain hierarchy. This is NOT that they are on the Internet. 
This is NOT if anyone can connect to port 53 and use them.

DNS Servers are public if and ONLY if they have become an authorised part of the DNS infrastructure.

This is a contractual agreement. To connect a DNS Server to the hierarchy it needs to serve a domain. To do this the 
higher level domain server and your domain system have an agreement – a contract (and please, contracts are not required 
to be written) which exists with implied rights and restraints as dictated by the Internet community and the standards 
associated with use and the various domain bodies.

How this works:

Say I want to register ignorant.com

I have to go to a registrar and apply to register the domain (in this case with a .com authority). There are terms in 
the contract which is formed.

Thus the name servers which are listed in the application and thus in the DNS hierarchy are public.

If I stick a server - ex ignorant.private

on the internet for the use of the internal network, then this is PRIVATE. If it is secure or not has NO relevance to 
the status of being public or private – this is a separate issue.

2 Google and robots.txt

Web servers are placed on the Internet for a public function UNLESS there is a mechanism to control or restrict access 
(a password for example). Private servers do not need to be secure, but there needs to be “some” attempt to restrict 
access (VERY lame attempts included).

There is an applied contractual agreement for public use of the site made by the act of placing the data as a public 
site. This is dictated by the standards associated with the protocol – see RFCs and standards for details.

“robots.txt” is a valid part of the standard.

Google does not scan the internet for IP addresses that have port 80 open. It does not scan to see if web servers are 
available on other ports. It links from other sites. This is the purpose of the web. 

Regards

Craig
