Open Source and information security mailing list archives
 
From: madduck at madduck.net (martin f krafft)
Subject: Re: rfc1918 space dns requests

also sprach Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> [2004.03.16.1812 +0100]:
> 2) We've got applications making DNS requests that get forwarded
> out to the ISP's servers, where they will almost certainly result
> in either an error reply or a timeout.  Find ways to use this to
> your advantage.

I would be interested in how you do that.

> 3) Despite the slowness and/or brokenness of (2), the site admins
> haven't fixed the misconfiguration.  This means they are some
> combination of clueless and/or lazy, and this is
> a tolerated/accepted state of affairs.  Find ways to use this to
> your advantage. ;)

For ease of maintenance, I have my primary DNS respond with RFC 1918
addresses for my internal machines. That is, my internal machines
are resolved by a primary DNS server out there on the 'Net, e.g.
sky.madduck.net. I fail to see how this can be a security problem.
I am disclosing information, but so be it. If you ask nicely, I'll
give you my net topology and firewall ruleset on a platter and you
still won't hack me.

I agree that RFC 1918 slipping out by accident could be an
indication of problems in the network, drawing hackers' attention,
rightfully so. However, publishing RFC 1918 addresses of the
internal network via DNS is not a security problem per se.

Then again, I would be happy to be proven wrong.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@...duck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
"in any hierarchy, each individual rises
 to his own level of incompetence,
 and then remains there."
                               -- murphy (after dr. laurence j. peter)
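
Added example, not part of the original message: a defender-side audit that lists which A records in a public zone point into RFC 1918 space, so that what is published is a deliberate choice rather than an accidental leak. The zone data, names and addresses are constructed, and the parser assumes one record per line with an explicit owner name.

```python
import ipaddress

# The three private blocks defined by RFC 1918. Explicit networks are used
# because ipaddress's is_private also covers non-RFC 1918 ranges.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone data (hypothetical names and addresses).
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@        IN  A      203.0.113.10
www      IN  A      203.0.113.10
sky      IN  A      192.168.14.2   ; internal host
backup   300 IN A   10.20.0.5
edge     IN  A      172.32.0.1     ; just outside 172.16.0.0/12
mail     IN  MX     10 www
"""

def rfc1918_block(addr):
    """Return the RFC 1918 network (as a string) containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((str(net) for net in RFC1918_NETS if ip in net), None)

def audit_zone(text):
    """Return (fqdn, address, block) for each A record in private space."""
    origin, findings = ".", []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        try:
            addr = fields[fields.index("A", 1) + 1]
            block = rfc1918_block(addr)
        except (ValueError, IndexError):
            continue    # directive, non-A record, or malformed line
        if block is None:
            continue    # publicly routable or other non-RFC 1918 address
        owner = fields[0]
        fqdn = (origin if owner == "@"
                else owner if owner.endswith(".") else f"{owner}.{origin}")
        findings.append((fqdn, addr, block))
    return findings

if __name__ == "__main__":
    for fqdn, addr, block in audit_zone(SAMPLE_ZONE):
        print(f"{fqdn} -> {addr} (inside {block})")
```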