Full Disclosure mailing list archives
Re: Reverse dns
From: Duo <duo () digitalarcadia net>
Date: Thu, 10 Mar 2005 13:08:50 -0600 (CST)
On Thu, 10 Mar 2005, Paul Schmehl wrote:
--On Thursday, March 10, 2005 10:39:38 AM -0600 Duo <duo () digitalarcadia net> wrote:I'd prefer not to give details. I'll give you this much. We're having a philosophical disagreement about the value of disallowing reverse dns for hosts on our network. It's the ancient security by obscurity discussion.Strictly speaking, this may or may not help you. It would help if you would describe the scenario/situation you are in. I could comment further, but without a bit more specific information, I dont feel I can comment properly.
Ahhhh a religious conflict. =)
My concern is that we should not disable dns when (or if) it's required. Obviously we would not disable it for the MX hosts, but I'm unclear what (if anything) the RFC requirements are. Absent any requirements, there's not cogent argument for *not* doing it, with the aforementioned exceptions.
Well, FWIW, I leave reverse on DNS for everything. Especially also for apache. Frequently, I get bots that ignore/bypass robots.txt, in search of rich fields to harvest. I have noticed that alot of them like to play little DNS games. Having the resolver work already done, if possible, is beneficial, as far as im concerned.
I can't honestly see a reason *why* you would want to turn off reverse lookups. I agree with the other responses, its a best practice, and should be adhered to, unless there is a very good and specific reason not to. One such reason off the top of my head, generally speaking, is if a condition could occur where a resolver is forced into some kind of DoS attack, or some set of criteria exists that could lock things. But, these things are rare, and, typically fixed quickly on the UNIX side.
On the windows side, well, considering it just came out that the LAND attack is still feasable on XP, after all these years...and you get the idea.
Hopefully that clarifies it a bit.
A little. =)
Some questions that come to mind - what, if anything, is the consequence of disabling reverse lookups for your NS servers? For web servers? For other services? For workstations? Etc., etc.
Well, the first thing that comes to my mind is log completeness. Even if reverse lookup fails, a log record, and maybe some evidence as to why it failed, can be useful. This can be especially important with mail and web servers.
-- Duo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Current thread:
- Reverse dns Paul Schmehl (Mar 10)
- Re: Reverse dns Vincent Archer (Mar 10)
- Re: Reverse dns Paul Schmehl (Mar 10)
- Re: Reverse dns Duo (Mar 10)
- Re: Reverse dns Paul Schmehl (Mar 10)
- Re: Reverse dns Duo (Mar 10)
- Re: Reverse dns Danny (Mar 10)
- Re: Reverse dns (whether you want it or not) TheGesus (Mar 10)
- RE: Re: Reverse dns (whether you want it or not) Edward Ray (Mar 11)
- Re: Reverse dns (whether you want it or not) Dave Korn (Mar 11)
- Re: Re: Reverse dns (whether you want it or not) Danny (Mar 11)
- Re: Reverse dns Paul Schmehl (Mar 10)
- Re: Reverse dns Valdis . Kletnieks (Mar 11)
- Re: Reverse dns Simon Biles (Mar 11)
- Re: Reverse dns Vincent Archer (Mar 10)