Reverse Domain and Security Concern

Kevin Darcy kcd at
Wed Oct 18 02:33:26 UTC 2006

April wrote:
> As more DNS implementations make creating PTR records so easy, many
> organizations are creating a PTR record for each forward record, would
> this be a security concern, as this is so convenient to map out a
> forward zone?
Well, if it's an address range that's exposed to untrusted networks, you 
shouldn't be relying on Security by Obscurity anyway to protect your 
sensitive assets; you should have stronger protection measures in place.

Having said that, though, it seems to me (not being a Security expert), 
that the kind of "probing" or "scanning" activity that would be 
necessary to map out a forward zone using reverse lookups, would be 
something that any decent IDS (Intrustion Detection System) would pick 
up, unless it makes some sort of blanket exception for DNS transactions.

Note that this parallels somewhat the debate about whether or not to 
allow open zone transfers. The more-paranoid Security folks (yeah, 
that's a relative term) generally want zone transfers restricted because 
it discloses too much information; when it's pointed out to them that 
the zone transfers don't include any data that isn't obtainable through 
regular queries anyway, they usually respond that the quantity of 
regular queries required to get the same information is usually 
detectable as probing/scanning, yet the IDS systems have no way of 
knowing whether occasional zone transfers are going to be used for 
benign or malicious purposes.

            - Kevin

More information about the bind-users mailing list