[Full-disclosure] Reverse dns
duo at digitalarcadia.net
Thu Mar 10 19:08:50 GMT 2005
On Thu, 10 Mar 2005, Paul Schmehl wrote:
> --On Thursday, March 10, 2005 10:39:38 AM -0600 Duo <duo at digitalarcadia.net>
>> Strictly speaking, this may or may not help you. It would help if you
>> would describe the scenario/situation you are in. I could comment
>> further, but without a bit more specific information, I dont feel I can
>> comment properly.
> I'd prefer not to give details. I'll give you this much. We're having a
> philosophical disagreement about the value of disallowing reverse dns for
> hosts on our network. It's the ancient security by obscurity discussion.
Ahhhh a religious conflict. =)
> My concern is that we should not disable dns when (or if) it's required.
> Obviously we would not disable it for the MX hosts, but I'm unclear what (if
> anything) the RFC requirements are. Absent any requirements, there's not
> cogent argument for *not* doing it, with the aforementioned exceptions.
Well, FWIW, I leave reverse on DNS for everything. Especially also for
apache. Frequently, I get bots that ignore/bypass robots.txt, in search of
rich fields to harvest. I have noticed that alot of them like to play
little DNS games. Having the resolver work already done, if possible, is
beneficial, as far as im concerned.
I can't honestly see a reason *why* you would want to turn off reverse
lookups. I agree with the other responses, its a best practice, and should
be adhered to, unless there is a very good and specific reason not to. One
such reason off the top of my head, generally speaking, is if a condition
could occur where a resolver is forced into some kind of DoS attack, or
some set of criteria exists that could lock things. But, these things are
rare, and, typically fixed quickly on the UNIX side.
On the windows side, well, considering it just came out that the LAND
attack is still feasable on XP, after all these years...and you get the
> Hopefully that clarifies it a bit.
A little. =)
> Some questions that come to mind - what, if anything, is the consequence of
> disabling reverse lookups for your NS servers? For web servers? For other
> services? For workstations? Etc., etc.
Well, the first thing that comes to my mind is log completeness. Even if
reverse lookup fails, a log record, and maybe some evidence as to why it
failed, can be useful. This can be especially important with mail and web
Full-Disclosure is hosted and sponsored by Secunia.