Reverse Domain and Security Concern
Kevin Darcy
kcd at daimlerchrysler.com
Wed Oct 18 02:33:26 UTC 2006
April wrote:
> As more DNS implementations make creating PTR records so easy, many
> organizations are creating a PTR record for each forward record, would
> this be a security concern, as this is so convenient to map out a
> forward zone?
>
Well, if it's an address range that's exposed to untrusted networks, you
shouldn't be relying on Security by Obscurity anyway to protect your
sensitive assets; you should have stronger protection measures in place.
Having said that, though, it seems to me (not being a Security expert),
that the kind of "probing" or "scanning" activity that would be
necessary to map out a forward zone using reverse lookups, would be
something that any decent IDS (Intrusion Detection System) would pick
up, unless it makes some sort of blanket exception for DNS transactions.
Note that this parallels somewhat the debate about whether or not to
allow open zone transfers. The more-paranoid Security folks (yeah,
that's a relative term) generally want zone transfers restricted because
it discloses too much information; when it's pointed out to them that
the zone transfers don't include any data that isn't obtainable through
regular queries anyway, they usually respond that the quantity of
regular queries required to get the same information is usually
detectable as probing/scanning, yet the IDS systems have no way of
knowing whether occasional zone transfers are going to be used for
benign or malicious purposes.
- Kevin
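The detection idea in Kevin's reply (a burst of reverse lookups that walks an address range is detectable as scanning, while a zone transfer is a single request the IDS can only flag for review) is easy to sketch as log analysis. The following is an added example, not code from the original post or from BIND itself: it parses a small set of constructed BIND 9-style query log lines, reconstructs the IPv4 address from each in-addr.arpa PTR name, raises an alert when one client resolves at least `threshold` distinct reverse names within `window_seconds`, and flags every AXFR/IXFR request. The log format, client addresses, thresholds and alert structure are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed BIND 9-style query log format (with print-time enabled on the channel):
#   DD-Mon-YYYY HH:MM:SS.mmm client IP#PORT: query: NAME IN TYPE FLAGS (SERVER)
LINE_RE = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client ([0-9A-Fa-f.:]+)#\d+: "
    r"query: (\S+) IN (\S+)"
)

# Constructed sample log (made up for this example). One client walks
# 192.0.2.1-10 in reverse, one does a single benign PTR plus an A lookup,
# and one asks for a zone transfer.
SAMPLE_LINES = [
    f"18-Oct-2006 02:30:{i:02d}.000 client 198.51.100.7#40{i:03d}: "
    f"query: {i}.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)"
    for i in range(1, 11)
] + [
    "18-Oct-2006 02:30:05.500 client 203.0.113.9#51000: query: 25.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)",
    "18-Oct-2006 02:31:00.000 client 203.0.113.9#51001: query: www.example.com IN A + (192.0.2.53)",
    "18-Oct-2006 02:32:00.000 client 203.0.113.44#51002: query: example.com IN AXFR + (192.0.2.53)",
]


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for non-query lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group(2), m.group(3).lower().rstrip("."), m.group(4).upper()


def ptr_to_ipv4(qname):
    """Map '1.2.0.192.in-addr.arpa' back to '192.0.2.1'; None if not a full IPv4 PTR name."""
    labels = qname.split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4][::-1]
    if not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(octets)


def detect(lines, window_seconds=60, threshold=8):
    """Return {client: [alert, ...]} for PTR sweeps and zone transfer requests."""
    ptr_events = defaultdict(list)  # client -> [(timestamp, reversed ip)]
    alerts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, qtype = rec
        if qtype in ("AXFR", "IXFR"):
            # A single transfer request discloses the whole zone; nothing in the
            # log says whether it is benign, so every one is surfaced for review.
            alerts[client].append({"kind": "zone_transfer", "zone": qname, "at": ts})
        elif qtype == "PTR":
            ip = ptr_to_ipv4(qname)
            if ip is not None:
                ptr_events[client].append((ts, ip))

    window = timedelta(seconds=window_seconds)
    for client, events in ptr_events.items():
        events.sort()
        start = 0
        for end, (ts, _ip) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            distinct = {ip for _, ip in events[start:end + 1]}
            if len(distinct) >= threshold:
                prefixes = sorted({ip.rsplit(".", 1)[0] + ".0/24" for ip in distinct})
                alerts[client].append({"kind": "reverse_sweep", "distinct": len(distinct),
                                       "prefixes": prefixes, "at": ts})
                break  # one alert per client is enough for triage
    return dict(alerts)


if __name__ == "__main__":
    for client, client_alerts in detect(SAMPLE_LINES).items():
        for alert in client_alerts:
            print(client, alert)
```

With the sample lines, 198.51.100.7 is reported as a reverse sweep of 192.0.2.0/24 once its eighth distinct PTR lands inside the 60-second window, 203.0.113.9 is never reported, and 203.0.113.44 is reported for the AXFR. The threshold and window are the tuning knobs: a patient scanner that spreads its PTR lookups over hours, or across several recursive resolvers, will stay under any per-client count, which is the limit of this kind of detection.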