Full Disclosure mailing list archives
Re: Reverse dns
From: <derek () durski net>
Date: Thu, 10 Mar 2005 18:22:02 +0100
Reverse DNS lookups are entirely optional; this option exists at the sole discretion of the DNS operators. Reference RFC1035, section 6.4 for specifics. In spite of numerous updates to this RFC since its release in 1987 (including an update that obsoleted the original protocol for inverse lookups), there does not seem to be a change that makes reverse lookups a requirement for DNS. My look through the documentation was cursory though; you may want to browse the RFC index compiled at http://rfc.net/rfc-index.html to see if any of the updates to 1035 have in fact mandated reverse lookups.

All things considered, I would not disable it because of the two reasons you mentioned previously. In addition, spam blacklisting and any of the new antispam technology that may be implemented on the ISP level require reverse lookups in order to be utilized. If you believe reverse DNS is a security or performance issue for your DNS machines, perhaps a whitelist/blacklist could be implemented to filter out problem hosts. In many situations (even outside of computing), an accurate list of authorized personnel (or hosts) can alleviate 90% of the original problem while introducing a fraction of the issues caused by completely banning or disabling a particular function.

That said, it may be advisable to disable reverse DNS lookups on your own servers and/or remove reverse DNS entries for some hosts on your network from the published DNS registry if there is no valuable reason for someone to obtain that information. This, of course, depends on the purpose of the machines; it would probably be extremely unwise to do this for email or secure web servers since those cases generally require reverse lookups.

I didn't think reverse lookups were a problem with TCPdump. If this is the underlying problem that prompted the question about reverse DNS, you could either (a) patch TCPdump, or (b) configure your DNS machines to spit back dummy results when the actual response from your upstream DNS indicates there is no record. The dummy results should solve that particular problem (in addition to being easy to locate in the logfiles in case you're concerned with these unreversible hosts for some reason).

-----
Derek Durski
derek () durski net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/