Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Reverse dns

From: <derek () durski net>
Date: Thu, 10 Mar 2005 18:22:02 +0100

Reverse DNS lookups are entirely optional; this option exists at the
sole discretion of the DNS operators.  Reference RFC1035, section 6.4
for specifics.

In spite of numerous updates to this RFC since its release in 1987
(including an update that obsoleted the original protocol for inverse
lookups), there does not seem to be a change that makes reverse lookups
a requirement for DNS.  My look through the documentation was cursory
though; you may want to browse the RFC index compiled at
http://rfc.net/rfc-index.html to see if any of the updates to 1035 have
in fact mandated reverse lookups.

All things considered, I would not disable it because of the two reasons
you mentioned previously.  In addition, spam blacklisting and any of
the new antispam technology that may be implemented on the ISP level
require reverse lookups in order to be utilized.

If you believe reverse DNS is a security or performance issue for your
DNS machines, perhaps a whitelist/blacklist could be implemented to
filter out problem hosts.  In many situations (even outside of
computing), an accurate list of authorized personnel (or hosts) can
alleviate 90% of the original problem while introducing a fraction of
the issues caused by completing banning or disabling a particular
function.

That said, it may be advisable to disable reverse DNS lookups on your
own servers and/or remove reverse DNS entries for some hosts on your
network from the published DNS registry if there is no valuable reason
for someone to obtain that information.  This, of course, depends on
the purpose of the machines; it would probably be extremely unwise to
do this for email or secure web servers since those cases generally
require reverse lookups.

I didn't think reverse lookups were a problem with TCPdump.  If this is
the underlying problem that prompted the question about reverse DNS,
you could either (a) patch TCPdump, or (b) configure your DNS machines
to spit back dummy results when the actual response from your upstream
DNS indicates there is no record.  The dummy results should solve that
particular problem (in addition to being easy to locate in the logfiles
in case you're concerned with these unreversible hosts for some
reason).

-----
Derek Durski
derek () durski net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: