From: derek at durski.net (derek@...ski.net)
Subject: Re: Reverse dns


Reverse DNS lookups are entirely optional; this option exists at the
sole discretion of the DNS operators.  Reference RFC1035, section 6.4
for specifics.

In spite of numerous updates to this RFC since its release in 1987
(including an update that obsoleted the original protocol for inverse
lookups), there does not seem to be a change that makes reverse lookups
a requirement for DNS.  My look through the documentation was cursory
though; you may want to browse the RFC index compiled at
http://rfc.net/rfc-index.html to see if any of the updates to 1035 have
in fact mandated reverse lookups.

All things considered, I would not disable it because of the two reasons
you mentioned previously.  In addition, spam blacklisting and any of
the new antispam technology that may be implemented on the ISP level
require reverse lookups in order to be utilized.

If you believe reverse DNS is a security or performance issue for your
DNS machines, perhaps a whitelist/blacklist could be implemented to
filter out problem hosts.  In many situations (even outside of
computing), an accurate list of authorized personnel (or hosts) can
alleviate 90% of the original problem while introducing a fraction of
the issues caused by completely banning or disabling a particular
function.

That said, it may be advisable to disable reverse DNS lookups on your
own servers and/or remove reverse DNS entries for some hosts on your
network from the published DNS registry if there is no valuable reason
for someone to obtain that information.  This, of course, depends on
the purpose of the machines; it would probably be extremely unwise to
do this for email or secure web servers since those cases generally
require reverse lookups.

I didn't think reverse lookups were a problem with TCPdump.  If this is
the underlying problem that prompted the question about reverse DNS,
you could either (a) patch TCPdump, or (b) configure your DNS machines
to spit back dummy results when the actual response from your upstream
DNS indicates there is no record.  The dummy results should solve that
particular problem (in addition to being easy to locate in the logfiles
in case you're concerned with these unreversible hosts for some
reason).

-----
Derek Durski
derek@...ski.net
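As an added illustration of suggestion (b) above (not code from the poster or from any DNS software): a small reverse-lookup helper that builds the PTR owner name for IPv4 and IPv6 addresses, substitutes a dummy name under the reserved `.invalid` domain when upstream reports no record, and logs each substitution so the unresolvable hosts are easy to find later. The `query_ptr` callback and the `FAKE_PTR` table are constructed stand-ins for a real upstream resolver.

```python
import ipaddress
import logging

# .invalid is reserved (RFC 2606), so a dummy name here can never collide
# with a real host name that shows up later. Suffix chosen for this example.
DUMMY_SUFFIX = ".unresolved.invalid"

log = logging.getLogger("rdns")


def reverse_zone_name(ip: str) -> str:
    """PTR owner name: 4.3.2.1.in-addr.arpa for IPv4, nibble form under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def dummy_name(ip: str) -> str:
    """Deterministic placeholder that still encodes the address, for grepping logs."""
    return ip.replace(":", "-").replace(".", "-") + DUMMY_SUFFIX


def reverse_lookup(ip: str, query_ptr):
    """Return (name, resolved). query_ptr(owner) returns the PTR target, or None for no record."""
    owner = reverse_zone_name(ip)
    target = query_ptr(owner)
    if target is None:
        name = dummy_name(ip)
        log.info("no PTR record for %s (%s); substituting %s", ip, owner, name)
        return name, False
    return target.rstrip("."), True


# Constructed table standing in for the upstream DNS server's answers.
FAKE_PTR = {
    "4.3.2.1.in-addr.arpa": "host.example.net.",
    "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa": "v6.example.net.",
}


def fake_query_ptr(owner: str):
    return FAKE_PTR.get(owner)  # None mimics an NXDOMAIN / no-record answer


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for addr in ("1.2.3.4", "2001:db8::1", "10.9.8.7"):
        print(addr, "->", reverse_lookup(addr, fake_query_ptr))
```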