Secondary and TLD not updating

Jefferson Ogata bind-users at antibozo.net
Mon Nov 17 22:58:11 UTC 2008


On 2008-11-17 22:20, Res wrote:
> On Mon, 17 Nov 2008, Jefferson Ogata wrote:
>> On 2008-11-17 14:25, Holger Honert wrote:
>>> Chris Thompson schrieb:
>>>> On Nov 17 2008, Res wrote:
>>>>> Ack! allow-transfer should never be any
>>>>
>>>> What, never? Why not?
>>>>
>>> Security issue! You really want everyone to download your zone(s)?
>>
>> I couldn't care less. If the security of my systems were the least bit
>> dependent on keeping DNS records secret, I would kinda suck as an admin,
>> wouldn't I?
> 
> does your employer know this is your attitude? he/she might take a 
> different stand :) I know you'd no longer be working for me, if that was 
> your take on how things should be.

Nor would I want to, if that would mean working for someone who puts 
purportedly private information in the public DNS. :^)

DNS information crosses the Internet in the clear. There is no privacy 
in the DNS. Unless you are doing your zone transfers over a private 
network, there is always the potential for eavesdropping. Nor is there 
protection against dictionary-based enumeration. It's a directory, after 
all, by design.

Hostnames are revealed in myriad other ways, as well. For example, I 
hope it's not supposed to be a secret that you are working on a host 
called "roswell" with internal IP address 192.168.0.150. It certainly 
shouldn't help a potential attacker to know that, if you are doing 
things correctly. If knowing every hostname and IP address in your 
network makes it easier for someone to compromise your enterprise, you 
have some tedious spadework ahead of you.

It's very simple. If you don't want to reveal information in DNS, don't 
put it in public zones.

To the rest of the list: point made. I won't belabor it any further.

-- 
Jefferson Ogata : Internetworker, Antibozo
