Re: Reverse Domain and Security Concern - DNS


Thread: Re: Reverse Domain and Security Concern

  1. Re: Reverse Domain and Security Concern


    > As more DNS implementations make creating PTR records so easy, many
    > organizations are creating a PTR record for each forward record, would
    > this be a security concern, as this is so convenient to map out a
    > forward zone?


    In general no.

    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org



  2. Re: Reverse Domain and Security Concern


    Mark Andrews wrote:
    > > As more DNS implementations make creating PTR records so easy, many
    > > organizations are creating a PTR record for each forward record, would
    > > this be a security concern, as this is so convenient to map out a
    > > forward zone?

    >
    > In general no.
    >
    > --
    > Mark Andrews, ISC
    > 1 Seymour St., Dundas Valley, NSW 2117, Australia
    > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org


    What do you mean "in general no"?

    You mean if this is a concern, it is an issue; otherwise, not?



  3. Re: Reverse Domain and Security Concern


    On 17 Oct 2006, at 19:37 , April wrote:

    >
    > Mark Andrews wrote:
    >>> As more DNS implementations make creating PTR records so easy, many
    >>> organizations are creating a PTR record for each forward record, would
    >>> this be a security concern, as this is so convenient to map out a
    >>> forward zone?

    >>
    >> In general no.

    >
    > What do you mean "in general no"?
    >
    > You mean if this is a concern, it is an issue; otherwise, not?


    It is not an issue or a problem although some of my security
    colleagues will disagree.

    To ensure that you will not be denied access to resources available
    on the Internet, you should have a PTR record for each IP address
    that will be exposed to the Internet. The domain name referenced in
    the PTR record should also exist. If the A and PTR records are
    inconsistent or one or both are missing, you may be denied access.

    Must the information in the A and PTR records exposed to the Internet
    match what is used on your organisation's Intranet? No.

    Regardless of what your security experts might say, it doesn't really
    matter whether or not you allow zone transfers. With the network
    bandwidth that is currently available, one can just as easily use a
    diagnostic tool like nmap to scan your exposed IP addresses. It will
    map the IP addresses, determine which services may be offered by each
    system, and perform the needed DNS queries.

    Your intrusion detection system will most likely only catch the most
    blatant of these attempts unless it's correlating traffic over a
    period measured in months.

    Merton Campbell Crockett
    m.c.crockett@adelphia.net
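As an added example (mine, not code from anyone in this thread), the two points above in working form: `build_reverse_zone` does the one-PTR-per-forward-record mapping the original question describes, and `check_fcrdns` applies the consistency test Merton gives (PTR present, PTR target exists, target's A/AAAA points back at the address). The zone contents are constructed from documentation names and ranges (example.com, 192.0.2.0/24, 2001:db8::/32) and are deliberately out of step with each other so every failure mode shows up; in practice you would load them from your zone files or from `dig` output instead.

```python
"""Forward/reverse DNS consistency (FCrDNS) audit over constructed zone data.

Added example; the zone records below are made up for illustration and use
documentation names/ranges, not real hosts.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed forward zone: owner name -> A/AAAA addresses.
FORWARD: Dict[str, List[str]] = {
    "www.example.com.":  ["192.0.2.10"],
    "mail.example.com.": ["192.0.2.25", "2001:db8::25"],
    "vpn.example.com.":  ["192.0.2.40"],          # no PTR is published for this one
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR for ip: octets reversed under in-addr.arpa., or
    nibbles reversed under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def address_from_reverse_name(name: str) -> str:
    """Inverse of reverse_name(); raises ValueError for anything that is not a
    complete in-addr.arpa / ip6.arpa owner name."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        return str(ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16)))
    raise ValueError(f"not a complete reverse name: {name}")


def build_reverse_zone(forward: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """One PTR per forward address: the wholesale mapping the thread asks about."""
    reverse: Dict[str, List[str]] = {}
    for owner, addrs in forward.items():
        for a in addrs:
            reverse.setdefault(reverse_name(a), []).append(owner)
    return reverse


# Constructed published reverse zone, deliberately inconsistent with FORWARD.
REVERSE: Dict[str, List[str]] = {
    "10.2.0.192.in-addr.arpa.": ["www.example.com."],      # consistent
    "25.2.0.192.in-addr.arpa.": ["mail.example.com."],     # consistent
    reverse_name("2001:db8::25"): ["mail.example.com."],   # consistent (AAAA)
    "50.2.0.192.in-addr.arpa.": ["legacy.example.com."],   # PTR target has no forward record
    "60.2.0.192.in-addr.arpa.": ["www.example.com."],      # www's A is .10, not .60
}


def check_fcrdns(ip: str, forward: Dict[str, List[str]],
                 reverse: Dict[str, List[str]]) -> Tuple[str, str]:
    """Classify one address: 'ok', 'no-ptr', 'dangling-ptr' or 'mismatch'.
    Anything but 'ok' is the kind of inconsistency that gets a host refused
    by services that insist on forward-confirmed reverse DNS."""
    ip = str(ipaddress.ip_address(ip))
    ptr_owner = reverse_name(ip)
    targets = reverse.get(ptr_owner, [])
    if not targets:
        return "no-ptr", f"{ip}: no PTR at {ptr_owner}"
    resolvable = [t for t in targets if t in forward]
    if not resolvable:
        return "dangling-ptr", f"{ip}: PTR -> {targets}, but no such forward name"
    for t in resolvable:
        if ip in {str(ipaddress.ip_address(a)) for a in forward[t]}:
            return "ok", f"{ip} -> {t} -> {ip}"
    return "mismatch", f"{ip}: PTR -> {resolvable}, whose A/AAAA do not include {ip}"


def audit(forward: Dict[str, List[str]],
          reverse: Dict[str, List[str]]) -> Dict[str, str]:
    """Status for every address that appears in either zone, so a PTR with no
    forward counterpart is caught as well as a forward record with no PTR."""
    ips = {str(ipaddress.ip_address(a)) for addrs in forward.values() for a in addrs}
    ips |= {address_from_reverse_name(owner) for owner in reverse}
    # Sort IPv4 before IPv6; ipaddress refuses to compare across versions.
    ordered = sorted(ips, key=lambda s: (ipaddress.ip_address(s).version,
                                         ipaddress.ip_address(s)))
    return {ip: check_fcrdns(ip, forward, reverse)[0] for ip in ordered}


if __name__ == "__main__":
    for ip, status in audit(FORWARD, REVERSE).items():
        print(f"{status:13} {check_fcrdns(ip, FORWARD, REVERSE)[1]}")
```

Run as-is it reports 192.0.2.10, .25 and 2001:db8::25 as ok, .40 as no-ptr, .50 as dangling-ptr and .60 as mismatch. Publishing `build_reverse_zone(FORWARD)` in place of the hand-maintained REVERSE is exactly the convenience the question describes, and as the replies say, it exposes nothing a port scan of the same address block would not.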




