Educause Security Discussion mailing list archives

Re: Domain Name Database and Bulldog Firewall


From: Ted Frohling - NTS <tsf () MS TELCOM ARIZONA EDU>
Date: Thu, 4 May 2006 15:25:34 -0700

Mark Wilson wrote:
I realize this is publicly available information anyone can harvest.
My concern is now the information is even more public and accessible.
Some useful information (to a hacker) can be inferred from a DNS name.


Well yes, let's see.

tsf@opus:~$ host auburn.edu
auburn.edu has address 131.204.2.251
auburn.edu mail is handled by 10 im4.duc.auburn.edu.
auburn.edu mail is handled by 10 im1.duc.auburn.edu.
auburn.edu mail is handled by 10 im2.duc.auburn.edu.
auburn.edu mail is handled by 10 im3.duc.auburn.edu.
tsf@opus:~$ host 131.204.2.250
Host 250.2.204.131.in-addr.arpa not found: 3(NXDOMAIN)
tsf@opus:~$ host 131.204.2.249
Host 249.2.204.131.in-addr.arpa not found: 3(NXDOMAIN)
tsf@opus:~$ host 131.204.2.252
Host 252.2.204.131.in-addr.arpa not found: 3(NXDOMAIN)
tsf@opus:~$ host 131.204.2.1
Host 1.2.204.131.in-addr.arpa not found: 3(NXDOMAIN)
tsf@opus:~$ host 131.204.2.2
2.2.204.131.in-addr.arpa domain name pointer d1.duc.auburn.edu.

What can I glean from duc.auburn.edu?  Actually, don't know,
but I bet by looking at your web pages, I will find a wealth
of information that could be useful.

The point is, this _is_ the way the internet works.

Now what's really scary is the penchant for county, state and
city governments putting their property information on the web,
using GIS so that I might be able to go to some Lee County
web site and with your name find out where you live, what your
house is worth, how much you paid in taxes, find out what your
neighbors paid and how close you are to them with the escape
routes from a nice aerial view when I want to do you harm.

ted

amesbury () OITSEC UMN EDU 05/04/06 1:08 PM >>>
Mark Wilson wrote:

This is interesting and a bit concerning...
http://tanaya.net/dns/

It looks like it's DNS data and, from the very small sample I've
examined, not entirely accurate data at that.  My guess is that it
hasn't been updated in a while.

The interesting part is the fact that some RFC1918 address space
(specifically 172.16.63.x) is included, suggesting that someone's
RFC1918 address traffic is leaking to where it shouldn't be.  Guess
those egress filters aren't working quite as expected.  :-)

Anyway, since this appears to be information pretty much anyone could
compile over time, not to mention the fact that it's DNS lookups, what
about it is cause for concern?


--
Alan Amesbury
University of Minnesota


--
    Ted Frohling (TF30-ARIN)                   The University of Arizona
    520.621.4834              Assistant Director           CCIT Room 114
    tsf-at-Arizona-dot-EDU Network Technology Solutions    PO Box 210073
    www.Telcom.Arizona.EDU/tsf                     Tucson, AZ 85721-0073
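
Added example, not part of either message: a check a zone owner could run over `host` output for their own names to catch the RFC1918 leakage Alan Amesbury describes. It parses the A and PTR line shapes shown in the transcript above; the example.edu names and addresses are constructed sample data.

```python
import ipaddress
import re

# RFC 1918 private ranges (the thread mentions 172.16.63.x specifically).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Line shapes printed by `host`, as seen in the transcript above.
A_RE = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)$")
PTR_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\.in-addr\.arpa domain name pointer (\S+?)\.?$")

def parse_host_line(line):
    """Return (name, IPv4Address) for an A or PTR line, else None."""
    line = line.strip()
    m = A_RE.match(line)
    if m:
        return m.group(1).rstrip("."), ipaddress.ip_address(m.group(2))
    m = PTR_RE.match(line)
    if m:
        # PTR owner names list the octets in reverse order.
        octets = m.group(1).split(".")[::-1]
        return m.group(2), ipaddress.ip_address(".".join(octets))
    return None  # MX lines, NXDOMAIN lines, anything else

def find_rfc1918_leaks(lines):
    """List (name, address) pairs whose address is in RFC 1918 space."""
    leaks = []
    for line in lines:
        try:
            rec = parse_host_line(line)
        except ValueError:  # octet out of range, e.g. 999.1.1.1
            continue
        if rec and any(rec[1] in net for net in RFC1918):
            leaks.append((rec[0], str(rec[1])))
    return leaks

# Constructed sample: these names and addresses are made up.
SAMPLE = """\
www.example.edu has address 192.0.2.10
lab7.example.edu has address 172.16.63.14
Host 250.2.0.192.in-addr.arpa not found: 3(NXDOMAIN)
9.63.16.172.in-addr.arpa domain name pointer printer.example.edu.
mail.example.edu mail is handled by 10 mx1.example.edu.
""".splitlines()

if __name__ == "__main__":
    for name, addr in find_rfc1918_leaks(SAMPLE):
        print(f"{addr:15} {name}")
```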
