Re: Reverse dns

[Valdis.Kletnieks () vt edu]

On Thu, 10 Mar 2005 11:30:51 CST, Paul Schmehl said:
 give details.  I'll give you this much.  We're having a 
> philosophical disagreement about the value of disallowing reverse dns for 
> hosts on our network.  It's the ancient security by obscurity discussion.
>
> My concern is that we should not disable dns when (or if) it's required. 
> Obviously we would not disable it for the MX hosts, but I'm unclear what 
> (if anything) the RFC requirements are.  Absent any requirements, there's 
> not cogent argument for *not* doing it, with the aforementioned exceptions.

The security via obscurity is very slim - remember that if they're looking for
the PTR entry, they *already* have the IP address..

One good reason to put the PTR out there is because it allows sanity-checking of
your DNS - if you have 'foo.example.com A 10.10.100.1', then there should be
a '1.100.10.10.in-addr.arpa PTR foo.example.com' to match.  If you fumble-finger
and get 'foo.example.com A 10.10.100.10', you can catch it because when you
look up the PTR, you find '10.100.10.10.in-addr.arpa PTR bar.example.com'.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/