Reverse Domain and Security Concern

April xiaoxia2005a at
Wed Oct 18 03:07:05 UTC 2006

Kevin Darcy wrote:
> April wrote:
> > As more DNS implementations make creating PTR records so easy, many
> > organizations are creating a PTR record for each forward record, would
> > this be a security concern, as this is so convenient to map out a
> > forward zone?
> >
> Well, if it's an address range that's exposed to untrusted networks, you
> shouldn't be relying on Security by Obscurity anyway to protect your
> sensitive assets; you should have stronger protection measures in place.
> Having said that, though, it seems to me (not being a Security expert),
> that the kind of "probing" or "scanning" activity that would be
> necessary to map out a forward zone using reverse lookups, would be
> something that any decent IDS (Intrusion Detection System) would pick
> up, unless it makes some sort of blanket exception for DNS transactions.
> Note that this parallels somewhat the debate about whether or not to
> allow open zone transfers. The more-paranoid Security folks (yeah,
> that's a relative term) generally want zone transfers restricted because
> it discloses too much information; when it's pointed out to them that
> the zone transfers don't include any data that isn't obtainable through
> regular queries anyway, they usually respond that the quantity of
> regular queries required to get the same information is usually
> detectable as probing/scanning, yet the IDS systems have no way of
> knowing whether occasional zone transfers are going to be used for
> benign or malicious purposes.
>             - Kevin

Thanks Kevin, it makes a lot of sense
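An added illustration of the point in Kevin's reply (this is not code from the thread or from BIND): mapping a forward zone through PTR lookups costs one query per address, so a client walking an address range stands out in the query log, whereas a single AXFR does not. The script below parses query-log lines in roughly the BIND 9 "query:" format (the exact trailing fields differ between versions), turns in-addr.arpa and ip6.arpa names back into addresses, and flags any client whose PTR queries cover many distinct addresses of one /24 (or /64) inside a short window. Zone transfer requests are simply listed, since the log alone cannot say whether they were benign. The sample log lines, client addresses, window and threshold are constructed assumptions, not BIND defaults.

```python
"""Reverse-sweep detector over constructed BIND-style query log lines.

Added example, not code from the original thread or from BIND.  Log format,
thresholds and client addresses are assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Approximates the BIND 9 query log line; fields after the qtype vary by version.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (timestamp, client, qname, qtype), or None for lines we don't understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return when, m.group("client"), m.group("qname"), m.group("qtype").upper()


def ptr_name_to_ip(name):
    """Map an in-addr.arpa / ip6.arpa owner name back to the address it reverses."""
    labels = name.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.ip_address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            return ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:  # malformed labels such as "x.0.2.10.in-addr.arpa"
        pass
    return None


def detect(lines, window=timedelta(seconds=60), threshold=16):
    """Return (sweeps, axfrs).

    sweeps: (client, prefix, distinct addresses) for every client whose PTR
            queries covered at least `threshold` addresses of one /24 (IPv4)
            or /64 (IPv6) within `window`.
    axfrs:  (client, zone) for every zone transfer request seen.
    """
    events = defaultdict(list)   # (client, prefix) -> [(time, address)]
    axfrs = []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        when, client, qname, qtype = rec
        if qtype == "AXFR":
            axfrs.append((client, qname.rstrip(".")))
        elif qtype == "PTR":
            ip = ptr_name_to_ip(qname)
            if ip is not None:
                plen = 24 if ip.version == 4 else 64
                prefix = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
                events[(client, prefix)].append((when, ip))
    sweeps = []
    for (client, prefix), evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):  # slide a window starting at each query
            best = max(best, len({ip for t, ip in evs[i:] if t - t0 <= window}))
        if best >= threshold:
            sweeps.append((client, str(prefix), best))
    return sweeps, axfrs


def _constructed_log():
    """Constructed sample: a /24 sweep, two ordinary PTR lookups, one AXFR, one junk line."""
    t0 = datetime(2006, 10, 18, 3, 7, 5)

    def stamp(t):
        return t.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]   # millisecond precision

    lines = [f"{stamp(t0 + timedelta(seconds=n / 2))} client 192.0.2.66#40123: "
             f"query: {n}.0.2.10.in-addr.arpa IN PTR +" for n in range(1, 41)]
    lines += [
        f"{stamp(t0 + timedelta(minutes=3))} client 198.51.100.25#53112: "
        "query: 5.113.0.203.in-addr.arpa IN PTR +",
        f"{stamp(t0 + timedelta(minutes=9))} client 198.51.100.25#53113: "
        "query: 9.113.0.203.in-addr.arpa IN PTR +",
        f"{stamp(t0 + timedelta(minutes=12))} client 198.51.100.7#53: "
        "query: example.org IN AXFR +",
        "18-Oct-2006 03:20:00.000 not a query line at all",
    ]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    found_sweeps, found_axfrs = detect(SAMPLE_LOG)
    for client, prefix, n in found_sweeps:
        print(f"PTR sweep: {client} resolved {n} addresses in {prefix}")
    for client, zone in found_axfrs:
        print(f"AXFR: {client} requested transfer of {zone}")
```

The window/threshold pair is the tuning knob: a mail server that reverse-resolves a handful of peers an hour stays well under it, while a walk of a /24 trips it within seconds. For the AXFR side the detector can only list the requests, which is exactly why the usual advice is to restrict transfers with allow-transfer (or TSIG) at the server rather than hope to tell good from bad after the fact.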
