Open Source and information security mailing list archives
Message-ID: <Pine.OSX.4.61.0503101259350.1462@valkyrie.local>
From: duo at digitalarcadia.net (Duo)
Subject: Reverse dns

On Thu, 10 Mar 2005, Paul Schmehl wrote:

> --On Thursday, March 10, 2005 10:39:38 AM -0600 Duo <duo@...italarcadia.net> 
> wrote:
>> 
>> Strictly speaking, this may or may not help you. It would help if you
>> would describe the scenario/situation you are in. I could comment
>> further, but without a bit more specific information, I don't feel I can
>> comment properly.
>> 
> I'd prefer not to give details.  I'll give you this much.  We're having a 
> philosophical disagreement about the value of disallowing reverse dns for 
> hosts on our network.  It's the ancient security by obscurity discussion.

Ahhhh a religious conflict. =)

> My concern is that we should not disable dns when (or if) it's required. 
> Obviously we would not disable it for the MX hosts, but I'm unclear what (if 
> anything) the RFC requirements are.  Absent any requirements, there's not 
> cogent argument for *not* doing it, with the aforementioned exceptions.

Well, FWIW, I leave reverse on DNS for everything. Especially also for 
Apache. Frequently, I get bots that ignore/bypass robots.txt, in search of 
rich fields to harvest. I have noticed that a lot of them like to play 
little DNS games. Having the resolver work already done, if possible, is 
beneficial, as far as I'm concerned.

I can't honestly see a reason *why* you would want to turn off reverse 
lookups. I agree with the other responses, it's a best practice, and should 
be adhered to, unless there is a very good and specific reason not to. One 
such reason off the top of my head, generally speaking, is if a condition 
could occur where a resolver is forced into some kind of DoS attack, or 
some set of criteria exists that could lock things. But, these things are 
rare, and, typically fixed quickly on the UNIX side.

On the Windows side, well, considering it just came out that the LAND 
attack is still feasible on XP, after all these years...and you get the 
idea.

> Hopefully that clarifies it a bit.

A little. =)

> Some questions that come to mind - what, if anything, is the consequence of 
> disabling reverse lookups for your NS servers?  For web servers?  For other 
> services?  For workstations?  Etc., etc.

Well, the first thing that comes to my mind is log completeness. Even if 
reverse lookup fails, a log record, and maybe some evidence as to why it 
failed, can be useful. This can be especially important with mail and web 
servers.

-- 
Duo
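As an added illustration of the log-completeness point made above (example code written for this page, not anything posted in the thread): a small Python helper that reverse-resolves the client address from an Apache log line, forward-confirms the PTR name (FCrDNS), and records the reason whenever a lookup fails instead of dropping it. The function names, the injected `ptr`/`fwd` resolver callables and all sample DNS data and log lines are assumptions constructed so the demo runs offline.

```python
import socket
from typing import Callable, Optional, Tuple

def _why(e: BaseException) -> str:
    """Human-readable reason from a socket error, for the log record."""
    return str(e.args[-1]) if e.args else type(e).__name__
def classify_client(ip: str, ptr: Callable = socket.gethostbyaddr,
                    fwd: Callable = socket.gethostbyname_ex) -> Tuple[Optional[str], str]:
    """Reverse-resolve ip, then forward-confirm the name (FCrDNS).
    Returns (hostname_or_None, status); a failed lookup still yields a status
    saying *why*, so the log record is complete either way."""
    try:
        host = ptr(ip)[0]
    except socket.herror as e:            # no PTR record for this address
        return None, f"no-ptr({_why(e)})"
    except OSError as e:                  # resolver unreachable, timeout, ...
        return None, f"resolver-error({_why(e)})"
    try:
        addrs = fwd(host)[2]
    except OSError as e:
        return host, f"forward-failed({_why(e)})"
    # A PTR name that does not resolve back to ip is unconfirmed: do not trust it
    return host, "ok" if ip in addrs else "forward-mismatch"
def annotate_log_line(line: str, ptr: Callable = socket.gethostbyaddr,
                      fwd: Callable = socket.gethostbyname_ex) -> str:
    """Apache common-log line in; same line plus rdns=... status=... out."""
    ip = line.split(" ", 1)[0]
    host, status = classify_client(ip, ptr, fwd)
    return f'{line} rdns={host or "-"} status={status}'

# Constructed sample DNS data so the demo runs offline (documentation addresses, not real hosts).
_PTR = {"192.0.2.10": "crawler.example.net", "192.0.2.20": "spoof.example.org"}
_A = {"crawler.example.net": ["192.0.2.10"], "spoof.example.org": ["198.51.100.5"]}
def fake_ptr(ip):                         # mimics socket.gethostbyaddr
    if ip not in _PTR:
        raise socket.herror(1, "Unknown host")
    return _PTR[ip], [], [ip]
def fake_fwd(host):                       # mimics socket.gethostbyname_ex
    if host not in _A:
        raise socket.gaierror(-2, "Name or service not known")
    return host, [], _A[host]
SAMPLE_LOG = [  # constructed Apache common-log lines
    '192.0.2.10 - - [10/Mar/2005:10:39:38 -0600] "GET /robots.txt HTTP/1.0" 200 112',
    '192.0.2.20 - - [10/Mar/2005:10:39:40 -0600] "GET /private/ HTTP/1.0" 403 0',
    '192.0.2.30 - - [10/Mar/2005:10:39:41 -0600] "GET / HTTP/1.0" 200 5120',
]
ANNOTATED = [annotate_log_line(l, fake_ptr, fake_fwd) for l in SAMPLE_LOG]
```

Dropping the `ptr`/`fwd` arguments makes the same functions use the real resolver via the socket module.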
