Educause Security Discussion mailing list archives
Re: Reverse DNS Names and IP Addresses
From: James Cooley <jcooley () FIT EDU>
Date: Mon, 3 Aug 2009 00:23:34 -0400
Terence,

That is a good observation, and I believe it is very wise to question such practices. The information that can be gathered just by looking through the reverse DNS of some institutions can be extremely dangerous in the hands of certain people. The information in DNS might not seem to be important as long as an organization is only facing threats from script kiddies and automated attacks. However, information gathered from DNS and other public sources can be combined to plan a potentially effective attack against an institution through a process known as 'footprinting'.

Footprinting involves the use of public services and easily accessible information to identify the infrastructure setup and possible avenues of attack of an organization. For example, having DNS entries such as 'president.institutionname.edu' or 'controller.institutionname.edu' signals to an attacker that those hosts could be promising targets. Pair that information with an online staff directory, and you might be able to determine possible user accounts on those machines. Look at an institution's policies, or the newsgroup postings of IT staff, and you might be able to discover additional potential areas for attack. Some of these include information on the university's ERP system, information regarding what ports and services are publicly available, the mail system the organization might be using, what the standard anti-virus software is, what manufacturer is used for network or security infrastructure, and so forth. Although this information all sounds benign, in the hands of a sophisticated attacker it paints a fairly good roadmap as to what vulnerabilities the institution might have, and ways to evade detection from IT staff.

One good exercise is to take a look and try to figure out a plan of attack for your own institution by ignoring what you already know about your infrastructure and relying completely on publicly available information. Don't discount the information that an individual can easily find out by calling your tech support personnel and asking questions. If your tech support asks for the identity of the caller before providing information, is the information contained in the public staff directory enough to get past that process? By using the information gathered from such an exercise, you can identify possible attack points in your infrastructure or take actions to hide some information that might not need to be publicly available. Never underestimate the power of Google, and your own institution's web site.

Some possible methods to ensure DNS doesn't reveal too much information include the following:

- Use DHCP to assign dynamic addresses, and keep logs for your own correlation between user/MAC address and IP address.
- Make the DNS entries assigned through DHCP non-identifying. For example, for IP address 192.168.1.1, you could use something such as host1-1.institutionname.edu.
- Avoid using perfectly descriptive names for servers and devices wherever possible. For example, avoid setting the DNS name for your firewall to firewall.institutionname.edu. In some cases, descriptive names are ok - particularly if it's a service that needs to be publicly identified anyway, such as front-facing mail servers or web servers.

--
James Cooley
Information Security Officer
Florida Institute of Technology

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Terence Ma
Sent: Sunday, August 02, 2009 11:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Reverse DNS Names and IP Addresses

Sorry for the cross-post. It was suggested that I would get a better response here on the Security mailing list. Thanks!
Tere

From: Terence Ma
Sent: Sunday, August 02, 2009 7:47 PM
To: The EDUCAUSE CIO Constituent Group Listserv
Subject: Reverse DNS Names and IP Addresses

Dear All:

In lieu of roller coaster rides (on which I do poorly), I think that an equally frightening and devastating experience is attending Defcon (my first this year). One of the talks this weekend brought up a few very interesting questions to me. (It should be noted that the speakers were very complimentary about their institution's IT and IT's willingness and cooperation in working on this issue.)

Apparently, at 60+ institutions in the US, DNS names are assigned to machines on the network based on user credentials. Apparently, many of these institutions assign [firstname]-[lastname].[campus-network].[institution].edu to semi-permanent IP addresses, which are then assigned to the user. In the case of some of these institutions, the "campus-network" might be something like "dorm" or "wireless". Additionally, at many of these institutions, the user (employee or student) has to authenticate once and then their MAC address is associated with their account, DNS name, and IP address. So that in the future, when a machine attaches to the network with the known MAC address, it is assigned access to the appropriate account, DNS name, IP address, and network privileges. I believe I heard that at many of these institutions, the network username is [firstname].[lastname] and the email address is [firstname].[lastname]@[institution].edu.

As a somewhat newbie to being a CIO (two years and counting), I was wondering whether this practice is truly this common? It seems that there are potential FERPA issues, security issues, as well as other privacy issues. Additionally, how does one protect against a spoofed MAC address (obtained from sniffing by a non-University person)?

One of the people in the QA session indicated that their University spent a lot of money so that all users had semi-permanent public IP addresses - something recommended strongly from legal to IT. Is this also a common practice?

Thank you in advance for satisfying my curiosity.

Sincerely,
Tere

--
Terence P. Ma, Ph.D.
Chief Information Officer
Touro University Nevada
874 American Pacific Dr.
Henderson, NV 89014, USA
Ph: 702-777-1805
Fx: 702-777-1736
Mb: 702-469-1770
Em: terence.ma () tun touro edu
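As an added example, not written by either poster, here is a small Python audit of the kind James suggests: it runs over your own institution's PTR records, flags labels that reveal a role (firewall, president) or a person ([firstname]-[lastname]), leaves accepted public services alone, and proposes the host<octet>-<octet> scheme he describes. The sample records, domain and word lists are constructed assumptions to be replaced with your own zone data.

```python
import ipaddress
import re

# Constructed sample PTR records for a private range (not real hosts):
# a mix of the descriptive names the thread warns about and generic ones.
SAMPLE_PTRS = {
    "192.168.1.1": "firewall.institutionname.edu",
    "192.168.1.7": "president.institutionname.edu",
    "192.168.2.10": "john-smith.dorm.institutionname.edu",
    "192.168.2.11": "host2-11.institutionname.edu",
    "192.168.3.25": "mail.institutionname.edu",
}

# Assumed word lists; extend them with your own role names and public services.
ROLE_WORDS = {"firewall", "president", "controller", "backup", "vpn", "ids"}
PUBLIC_SERVICES = {"mail", "mx", "smtp", "www", "ns"}
# [firstname]-[lastname] or [firstname].[lastname] style host labels.
PERSON_LABEL = re.compile(r"^[a-z]{2,}[-.][a-z]{2,}$")

def generic_name(ip, domain="institutionname.edu"):
    """Non-identifying name from the last two IPv4 octets: 192.168.1.1 -> host1-1."""
    o = ipaddress.IPv4Address(ip).packed
    return f"host{o[2]}-{o[3]}.{domain}"

def classify(name):
    """Return what the leftmost label of a PTR name gives away."""
    label = name.split(".")[0].lower()
    if label in PUBLIC_SERVICES:
        return "public-service"      # a descriptive name is acceptable here
    if label in ROLE_WORDS:
        return "role-revealing"
    if PERSON_LABEL.match(label):
        return "person-identifying"
    return "generic"

def audit(ptrs):
    """List (ip, name, finding, suggested replacement) for names worth renaming."""
    findings = []
    for ip, name in ptrs.items():
        kind = classify(name)
        if kind in ("role-revealing", "person-identifying"):
            findings.append((ip, name, kind, generic_name(ip)))
    return findings

if __name__ == "__main__":
    for ip, name, kind, suggestion in audit(SAMPLE_PTRS):
        print(f"{ip:15} {name:40} {kind:20} -> {suggestion}")
```

Feed it a dump of your reverse zones and review the "person-identifying" hits against the DHCP naming policy; the regex will also catch hyphenated service names, so treat those as candidates rather than verdicts.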