Educause Security Discussion mailing list archives

Re: Reverse DNS Names and IP Addresses


From: James Cooley <jcooley () FIT EDU>
Date: Mon, 3 Aug 2009 00:23:34 -0400

Terence,

That is a good observation, and I believe it is very wise to question such practices.

The information that can be gathered just by looking through the reverse DNS of some institutions can be extremely 
dangerous in the hands of certain people.  The information in DNS might not seem to be important as long as an 
organization is only facing threats from script kiddies and automated attacks.  However, information gathered from DNS 
and other public sources can be combined to plan a potentially effective attack against an institution through a 
process known as 'footprinting'.   Footprinting involves the use of public services and easily accessible information 
to identify the infrastructure setup and possible avenues of attack of an organization.

For example, having DNS entries such as 'president.institutionname.edu' or 'controller.institutionname.edu' signals to 
an attacker that those hosts could be promising targets.  Pair that information with an online staff directory, and you 
might be able to determine possible user accounts on those machines.  Look at an institution's policies, or the 
newsgroup postings of IT staff, and you might be able to discover additional potential areas for attack.   Some of 
these include information on the university's ERP system, information regarding what ports and services are publicly 
available, the mail system the organization might be using, what the standard anti-virus software is, what manufacturer 
is used for network or security infrastructure and so forth.   Although this information all sounds benign, in the 
hands of a sophisticated attacker it paints a fairly good roadmap as to what vulnerabilities the institution might 
have, and ways to evade detection from IT staff.

One good exercise is to take a look and try to figure out a plan of attack for your own institution by ignoring what 
you already know about your infrastructure and relying completely on publicly available information.  Don't discount 
the information that an individual can easily find out by calling your tech support personnel and asking questions.   
If your tech support asks for the identity of the caller before providing information, is the information contained in 
the public staff directory enough to get past that process?  By using the information gathered from such an exercise, 
you can identify possible attack points in your infrastructure or take actions to hide some information that might not 
need to be publicly available.

Never underestimate the power of Google, and your own institution's web site.


Some possible methods to ensure DNS doesn't reveal too much information include the following:

Use DHCP to assign dynamic addresses, and keep logs for your own correlation between user/MAC address and IP address.

Make the DNS entries assigned through DHCP non-identifying.  For example, for IP address 192.168.1.1, you could use 
something such as host1-1.institutionname.edu.

Avoid using perfectly descriptive names for servers and devices wherever possible.  For example, avoid setting the DNS 
name for your firewall to firewall.institutionname.edu.

In some cases, descriptive names are OK - particularly if it's a service that needs to be publicly identified anyway, 
such as front-facing mail servers or web servers.

--
James Cooley
Information Security Officer
Florida Institute of Technology
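
A small audit of the naming scheme James describes, written as an added example for this thread (not code from either poster): it derives the non-identifying hostA-B name from an address and flags PTR names that expose a role, a person, or anything outside the generic scheme, while letting the public-service names he exempts pass. The domain, role words and sample records are constructed for illustration.

```python
import ipaddress
import re

DOMAIN = "institutionname.edu"  # placeholder domain taken from the message's own example
# Labels that reveal a host's role or owner, drawn from the examples in the message above.
SENSITIVE_ROLES = {"president", "controller", "firewall"}
# Services the message says may keep descriptive names because they are public anyway.
PUBLIC_SERVICES = {"mail", "smtp", "mx", "www", "web"}
# A label such as "jane-doe" or "jane.doe": two alphabetic parts joined by '-' or '.'
PERSON_NAME = re.compile(r"^[a-z]{2,}[-.][a-z]{2,}$")

def generic_ptr_name(ip, domain=DOMAIN):
    """Non-identifying PTR target from the last two octets: 192.168.1.1 -> host1-1.<domain>."""
    packed = ipaddress.IPv4Address(ip).packed
    return f"host{packed[2]}-{packed[3]}.{domain}"

def is_generic(name, domain=DOMAIN):
    """True when the PTR name already follows the hostA-B.<domain> scheme."""
    return re.fullmatch(rf"host\d{{1,3}}-\d{{1,3}}\.{re.escape(domain)}", name) is not None

def classify_ptr(name, domain=DOMAIN):
    """Return a reason string when a PTR name leaks something, else None."""
    if is_generic(name, domain):
        return None
    label = name.split(".")[0].lower()  # leftmost label names the host itself
    if label in PUBLIC_SERVICES:
        return None
    if label in SENSITIVE_ROLES:
        return f"role-revealing name '{label}'"
    if PERSON_NAME.match(label):
        return f"person-identifying name '{label}'"
    return f"descriptive name '{label}' outside the generic scheme"

def audit_ptr_records(records):
    """records: iterable of (ip, ptr_name); returns (ip, name, reason, suggested_name) per finding."""
    findings = []
    for ip, name in records:
        reason = classify_ptr(name)
        if reason:
            findings.append((ip, name, reason, generic_ptr_name(ip)))
    return findings

# Constructed sample reverse-zone data; not taken from any real institution.
SAMPLE_PTRS = [
    ("192.168.1.1", "host1-1.institutionname.edu"),
    ("192.168.1.20", "president.institutionname.edu"),
    ("192.168.5.44", "jane-doe.dorm.institutionname.edu"),
    ("192.168.2.9", "firewall.institutionname.edu"),
    ("192.168.7.3", "mail.institutionname.edu"),
]
```

Running audit_ptr_records over an export of your own reverse zone gives the outside-in view the self-assessment exercise above asks for, with a replacement name suggested for each finding.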

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Terence Ma
Sent: Sunday, August 02, 2009 11:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Reverse DNS Names and IP Addresses

Sorry for the cross-post. It was suggested that I would get a better response here on the Security mailing list. 
Thanks! Tere

From: Terence Ma
Sent: Sunday, August 02, 2009 7:47 PM
To: The EDUCAUSE CIO Constituent Group Listserv
Subject: Reverse DNS Names and IP Addresses

Dear All:

In lieu of roller coaster rides (on which I do poorly), I think that an equally frightening and devastating experience 
is attending Defcon (my first this year).

One of the talks this weekend brought up a few very interesting questions to me. (It should be noted that the speakers 
were very complimentary about their institution's IT and IT's willingness and cooperation in working on this issue.)

Apparently, at 60+ institutions in the US, DNS names are assigned to machines on the network based on user credentials. 
Apparently, many of these institutions assign [firstname]-[lastname].[campus-network].[institution].edu to 
semi-permanent IP addresses, which are then assigned to the user. In the case of some of these institutions, the 
"campus-network" might be something like "dorm" or "wireless". Additionally, at many of these institutions, the user 
(employee or student) has to authenticate once and then their MAC address is associated with their account, DNS name, 
and IP address, so that in the future, when a machine attaches to the network with the known MAC address, it is 
assigned access to the appropriate account, DNS name, IP address, and network privileges. I believe I heard that at 
many of these institutions, the network username is [firstname].[lastname] and the email address is 
[firstname].[lastname]@[institution].edu.

As a somewhat newbie to being a CIO (two years and counting), I was wondering whether this practice is truly this 
common? It seems that there are potential FERPA issues, security issues, as well as other privacy issues. Additionally, 
how does one protect against a spoofed MAC address (obtained from sniffing by a non-University person)?

One of the people in the Q&A session indicated that their University spent a lot of money so that all users had 
semi-permanent public IP addresses - something recommended strongly from legal to IT. Is this also a common practice?

Thank you in advance for satisfying my curiosity.

Sincerely, Tere

--
Terence P. Ma, Ph.D.
Chief Information Officer
Touro University Nevada
874 American Pacific Dr.
Henderson, NV 89014, USA
Ph: 702-777-1805
Fx: 702-777-1736
Mb: 702-469-1770
Em: terence.ma () tun touro edu