lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: nocmonkey at gmail.com (Danny)
Subject: Reverse dns

On Thu, 10 Mar 2005 11:30:51 -0600, Paul Schmehl <pauls@...allas.edu> wrote:
> --On Thursday, March 10, 2005 10:39:38 AM -0600 Duo
> <duo@...italarcadia.net> wrote:
> >
> > Strictly speaking, this may or may not help you. It would help if you
> > would describe the scenario/situation you are in. I could comment
> > further, but without a bit more specific information, I dont feel I can
> > comment properly.
> >
> I'd prefer not to give details.  I'll give you this much.  We're having a
> philosophical disagreement about the value of disallowing reverse dns for
> hosts on our network.  

Internet/externally accessible IP devices, I believe, should be
configured with reverse DNS.
As for hosts on your LAN, they should not be accessible from the
Internet/external & untrusted networks, therefore, only you will know
what is best for your internal network.  For us, we use reverse DNS on
all of our hosts for proper Active Directory operation and basic
troubleshooting.

> It's the ancient security by obscurity discussion.

How does your security posture gain an advantage or decrease your risk
to attack if you were to disable reverse DNS?

> My concern is that we should not disable dns when (or if) it's required.

RFC's exist for a reason; go with your gut feeling and do not disable
RDNS where it is recommended.

> Obviously we would not disable it for the MX hosts, but I'm unclear what
> (if anything) the RFC requirements are.  Absent any requirements, there's
> not cogent argument for *not* doing it, with the aforementioned exceptions.

You cannot go wrong by following the recommendations (in addition to
the requirements) outlined by the related RFC's.
 
> Hopefully that clarifies it a bit.
> 
> Some questions that come to mind - what, if anything, is the consequence of
> disabling reverse lookups for your NS servers?  For web servers?  For other
> services?  For workstations?  Etc., etc.

Test and find out.

In the least, servers should have RDNS setup.  As for the rest of your
IP devices, it depends on your network - I don't know what you have
setup or what software you have installed that may require RDNS. Test
it and find out.

...D

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ