Reverse Domain and Security Concern
Merton Campbell Crockett
m.c.crockett at adelphia.net
Wed Oct 18 03:17:32 UTC 2006
On 17 Oct 2006, at 19:37 , April wrote:
>
> Mark Andrews wrote:
>>> As more DNS implementations make creating PTR records so easy, many
>>> organizations are creating a PTR record for each forward record,
>>> would
>>> this be a security concern, as this is so convenient to map out a
>>> forward zone?
>>
>> In general no.
>
> What do you mean "in general no"?
>
> You mean if this is a concern, it is an issue; otherwise, not?
It is not an issue or a problem although some of my security
colleagues will disagree.
To ensure that you will not be denied access to resources available
on the Internet, you should have a PTR record for each IP address
that will be exposed to the Internet. The domain name referenced in
the PTR record should also exist. If the A and PTR records are
inconsistent or one or both are missing, you may be denied access.
Must the information in the A and PTR records exposed to the Internet
match what is used on your organisation's Intranet? No.
Regardless of what your security experts might say, it doesn't really
matter whether or not you allow zone transfers. With the network
bandwidth that is currently available, one can just as easily use a
diagnostic tool like nmap to scan your exposed IP addresses. It will
map the IP addresses, determine which services may be offered by each
system, and perform the needed DNS queries.
Your intrusion detection system will most likely only catch the most
blatant of these attempts unless it's correlating traffic over a
period measured in months.
Merton Campbell Crockett
m.c.crockett at adelphia.net
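The consistency rule stated in the post (every exposed IP has a PTR, the name in the PTR exists, and that name's A record points back at the same IP) is what mail servers and other services test as forward-confirmed reverse DNS. The script below is an added example, not part of the original message or of BIND: it classifies each address as ok, no_ptr, ptr_name_missing or mismatch, runs over a constructed set of records in the RFC 5737 documentation range 192.0.2.0/24 and the example.net name (both assumptions, not real infrastructure), and can be pointed at the live system resolver through the `live_ptr` / `live_a` adapters.

```python
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample records (assumption: not a real zone).
# Forward map: hostname -> A record addresses.
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],   # consistent with its PTR
    "www.example.net": ["192.0.2.20"],    # PTR for .20 names a different host
    "old.example.net": ["192.0.2.40"],    # stale A record, no PTR at all
}
# Reverse map: IP -> PTR target.
SAMPLE_REVERSE: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",     # ok
    "192.0.2.20": "web.example.net",      # PTR names a host with no A record
    "192.0.2.30": "www.example.net",      # A of that name points to .20, not .30
}


@dataclass
class FcrdnsResult:
    ip: str
    ptr: Optional[str]
    forward: List[str] = field(default_factory=list)
    status: str = "ok"  # ok | no_ptr | ptr_name_missing | mismatch


PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]


def check_fcrdns(ip: str, lookup_ptr: PtrLookup, lookup_a: ALookup) -> FcrdnsResult:
    """Apply the three checks from the post to one address:
    PTR present, PTR target resolvable, and target resolving back to ip."""
    ptr = lookup_ptr(ip)
    if ptr is None:
        return FcrdnsResult(ip, None, [], "no_ptr")
    forward = lookup_a(ptr)
    if not forward:
        return FcrdnsResult(ip, ptr, [], "ptr_name_missing")
    if ip not in forward:
        return FcrdnsResult(ip, ptr, forward, "mismatch")
    return FcrdnsResult(ip, ptr, forward, "ok")


def audit_forward_zone(forward: Dict[str, List[str]],
                       lookup_ptr: PtrLookup, lookup_a: ALookup) -> Dict[str, str]:
    """Check every address that appears in a forward zone; returns ip -> status."""
    addresses = sorted({ip for ips in forward.values() for ip in ips})
    return {ip: check_fcrdns(ip, lookup_ptr, lookup_a).status for ip in addresses}


# Adapters over the constructed sample data.
def sample_ptr(ip: str) -> Optional[str]:
    return SAMPLE_REVERSE.get(ip)


def sample_a(name: str) -> List[str]:
    return list(SAMPLE_FORWARD.get(name, []))


# Adapters over the system resolver (assumption: the host can reach DNS).
def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def live_a(name: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except OSError:
        return []


if __name__ == "__main__":
    # Offline run over the constructed records.
    for ip in sorted(set(SAMPLE_REVERSE) | {a for v in SAMPLE_FORWARD.values() for a in v}):
        r = check_fcrdns(ip, sample_ptr, sample_a)
        print(f"{r.ip:<12} {r.status:<17} ptr={r.ptr} forward={r.forward}")
    # Swap in live_ptr / live_a to audit real addresses you administer.
```

The lookups are passed in as functions so the classification logic can be tested against fixed data and then reused unchanged against the resolver; a result other than `ok` for an address you expose is the condition the post warns will get you refused by remote services.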