Re: Reverse Domain and Security Concern - DNS



Thread: Re: Reverse Domain and Security Concern

  1. Re: Reverse Domain and Security Concern

    April wrote:
    > As more DNS implementations make creating PTR records so easy, many
    > organizations are creating a PTR record for each forward record, would
    > this be a security concern, as this is so convenient to map out a
    > forward zone?
    >

    Well, if it's an address range that's exposed to untrusted networks, you
    shouldn't be relying on Security by Obscurity anyway to protect your
    sensitive assets; you should have stronger protection measures in place.

    Having said that, though, it seems to me (not being a Security expert),
    that the kind of "probing" or "scanning" activity that would be
    necessary to map out a forward zone using reverse lookups, would be
    something that any decent IDS (Intrusion Detection System) would pick
    up, unless it makes some sort of blanket exception for DNS transactions.

    Note that this parallels somewhat the debate about whether or not to
    allow open zone transfers. The more-paranoid Security folks (yeah,
    that's a relative term) generally want zone transfers restricted because
    it discloses too much information; when it's pointed out to them that
    the zone transfers don't include any data that isn't obtainable through
    regular queries anyway, they usually respond that the quantity of
    regular queries required to get the same information is usually
    detectable as probing/scanning, yet the IDS systems have no way of
    knowing whether occasional zone transfers are going to be used for
    benign or malicious purposes.


    - Kevin
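
    Added example (not from either poster): a small detector for the two cases Kevin describes, written for this thread rather than taken from any DNS product. It scans query-log lines for one client walking a reverse zone with PTR lookups, and for AXFR/IXFR requests from hosts that are not the expected secondaries. The log-line shape is a simplified stand-in for a BIND 9 query log, the sample lines are constructed, and the allowed-secondary address (198.51.100.2) and the sweep threshold are assumed values.

```python
"""Flag reverse-DNS sweeps and unexpected zone transfers in DNS query logs."""
import ipaddress
import re
from collections import defaultdict

# Line shape is a simplified version of the BIND 9 query log, constructed
# for this example (not captured traffic):
#   client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server-ip>)
LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

SWEEP_THRESHOLD = 16             # assumed: distinct PTR targets in one /24 from one client
ALLOWED_XFER = {"198.51.100.2"}  # hypothetical secondary that is allowed to transfer zones


def parse_line(line):
    """Return (client, qname, qtype) for a recognised line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def ptr_target(qname):
    """Map an in-addr.arpa name back to the IPv4 address it asks about."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None


def analyse(lines, threshold=SWEEP_THRESHOLD, allowed_xfer=ALLOWED_XFER):
    """Return a list of (kind, client, detail) alerts for the given log lines."""
    targets = defaultdict(set)  # (client, /24 network) -> addresses looked up
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, qtype = parsed
        # Zone transfers are only expected from configured secondaries.
        if qtype in ("AXFR", "IXFR") and client not in allowed_xfer:
            alerts.append(("zone-transfer", client, qname))
        # Many distinct PTR lookups in one /24 from one client look like a sweep.
        if qtype == "PTR":
            addr = ptr_target(qname)
            if addr is not None:
                net = ipaddress.ip_network(f"{addr}/24", strict=False)
                targets[(client, net)].add(addr)
    for (client, net), addrs in sorted(targets.items(), key=lambda kv: (kv[0][0], str(kv[0][1]))):
        if len(addrs) >= threshold:
            alerts.append(("ptr-sweep", client, f"{net} ({len(addrs)} addresses)"))
    return alerts


def sample_lines():
    """Constructed sample: one client walking 203.0.113.0/24, plus ordinary traffic."""
    sweep = [
        f"client 192.0.2.10#40001 ({i}.113.0.203.in-addr.arpa): query: "
        f"{i}.113.0.203.in-addr.arpa IN PTR + (203.0.113.53)"
        for i in range(1, 25)
    ]
    benign = [
        "client 192.0.2.77#50123 (www.example.com): query: www.example.com IN A + (203.0.113.53)",
        "client 192.0.2.77#50124 (5.113.0.203.in-addr.arpa): query: 5.113.0.203.in-addr.arpa IN PTR + (203.0.113.53)",
        "client 198.51.100.2#60000 (example.com): query: example.com IN AXFR - (203.0.113.53)",
        "client 192.0.2.10#40002 (example.com): query: example.com IN AXFR - (203.0.113.53)",
    ]
    return sweep + benign


if __name__ == "__main__":
    for kind, client, detail in analyse(sample_lines()):
        print(f"{kind:14} {client:15} {detail}")
```

    The single PTR lookup from 192.0.2.77 and the transfer from the listed secondary produce nothing; the client that walks the /24 and then asks for AXFR is reported twice. In practice the threshold would be applied per time window, and the allowed-transfer set should mirror the server's own transfer ACL so the two checks do not drift apart.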



  2. Re: Reverse Domain and Security Concern


    Kevin Darcy wrote:
    > April wrote:
    > > As more DNS implementations make creating PTR records so easy, many
    > > organizations are creating a PTR record for each forward record, would
    > > this be a security concern, as this is so convenient to map out a
    > > forward zone?
    > >

    > Well, if it's an address range that's exposed to untrusted networks, you
    > shouldn't be relying on Security by Obscurity anyway to protect your
    > sensitive assets; you should have stronger protection measures in place.
    >
    > Having said that, though, it seems to me (not being a Security expert),
    > that the kind of "probing" or "scanning" activity that would be
    > necessary to map out a forward zone using reverse lookups, would be
    > something that any decent IDS (Intrusion Detection System) would pick
    > up, unless it makes some sort of blanket exception for DNS transactions.
    >
    > Note that this parallels somewhat the debate about whether or not to
    > allow open zone transfers. The more-paranoid Security folks (yeah,
    > that's a relative term) generally want zone transfers restricted because
    > it discloses too much information; when it's pointed out to them that
    > the zone transfers don't include any data that isn't obtainable through
    > regular queries anyway, they usually respond that the quantity of
    > regular queries required to get the same information is usually
    > detectable as probing/scanning, yet the IDS systems have no way of
    > knowing whether occasional zone transfers are going to be used for
    > benign or malicious purposes.
    >
    >
    > - Kevin


    Thanks Kevin, it makes a lot of sense


