Random act of management

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon Jun 3 15:40:17 UTC 2002


psycho <psycho at internet.com> wrote:
> Ok I'm a bit of a newbie really.
> So far all I've ever really done on my dns server is to set up a domain name
> on it, make it the SOA, create the zone file for this domain name and the
> reverse lookup entry for it. Oh and of course switch off recursion.

> In my place of work however the reverse lookup is not set up for any machines
> behind our firewall on 192.168.x.x addresses. This obviously causes
> some things like ssh problems when it tries a reverse map.

Yes. It might also create unnecessary load on both your Internet link and
on Internet nameservers.

> The management give the only reason for not setting up reverse dns properly
> that "it will make the network INSECURE and wide open to hackers and tell
> people what we have behind the firewall".

Your observation about Dilbert seems applicable here :-)  Your 
management either is dangerously negligent or they don't know what they
are talking about. 

> Now I'm beginning to doubt my own knowledge of things like security and dns.
> I was under the impression that it would be possible restrict what could be
> queried so that public domain names could be queried by anyone like
> "domain.name.com" and private like "behind.firewall.domain name.com" could
> only be queried by say an internal DNS server or a specific ip range.

Correct, sometimes called "split-dns"

> Anyway in the hope of a better solution I have had to take the drastic
> measure, which I hasten to add I now regret, of reading through my "DILBERT"
> desk calendar all the way to August 12th, but with no success can I find
> anything to aid me in my quest to deal with these managers. I even tried saying
> "Setting up and IMPLEMENTING reverse dns properly will give us SYNERGY".
> This did not work. I finished reading The Joy of Work last night but no help
> there. I'm going to town later today to purchase the O'Reilly book, a move I
> suspect I should have done from the start.

> However my reason for this posting (at last, you say) is this.
> Am I missing something, is it really going to be less secure and can I not
> take steps to make this information accessible only to relevant people?
> Do the pros of having properly implemented Reverse DNS far outweigh the
> alleged cons?
> Hopefully I will find these answers in THE book, but what I need is people's
> experiences with reverse dns and security but also any phrases you use on
> your bosses like "Your lack of preparation is not my emergency"

You document your concerns, then the blame is on them. Don't invest in the shares!

> Please help.



-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
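
The split-DNS arrangement discussed in this message, sketched as an added example that is not part of the original post: a BIND 9 `named.conf` using views so that the 192.168.x.x reverse zone and private names are answered only for internal clients. The domain `example.com`, the ACL and view names, and all file paths are assumptions for illustration.

```conf
// Added example: split DNS with BIND 9 views.
// example.com, the ACL/view names and the file paths are assumed values.

acl "internal" {
    127.0.0.1;
    192.168.0.0/16;             // hosts behind the firewall
};

options {
    directory "/var/named";
    allow-transfer { none; };   // no zone transfers unless explicitly granted
};

// Views are tried in order, so internal clients match here first.
view "inside" {
    match-clients { "internal"; };
    recursion yes;              // internal resolvers may recurse

    zone "." {
        type hint;
        file "named.ca";        // root hints for recursion
    };

    zone "example.com" {
        type master;
        file "inside/example.com.zone";   // public and private hosts
    };

    zone "168.192.in-addr.arpa" {
        type master;
        file "inside/168.192.rev";        // PTR records for 192.168.x.x
    };
};

// Everyone else: public names only, no recursion, no private reverse zone.
view "outside" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "outside/example.com.zone";  // public hosts only
    };
};
```

Running `named-checkconf` against the file catches syntax errors before reloading; once any view is defined, every zone statement must sit inside a view.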


More information about the bind-users mailing list