Reverse Domain and Security Concern

Merton Campbell Crockett m.c.crockett at
Wed Oct 18 03:17:32 UTC 2006

On 17 Oct 2006, at 19:37 , April wrote:

> Mark Andrews wrote:
>>> As more DNS implementations make creating PTR records so easy, many
>>> organizations are creating a PTR record for each forward record,  
>>> would
>>> this be a security concern, as this is so convenient to map out a
>>> forward zone?
>> 	In general no.
> What do you mean "in general no"?
> You mean if this is a concern, it is an issue; otherwise, not?

It is not an issue or a problem although some of my security  
colleagues will disagree.

To ensure that you will not be denied access to resources available  
on the Internet, you should have a PTR record for each IP address  
that will be exposed to the Internet.  The domain name referenced in  
the PTR record should, also, exist.  If the A and PTR records are  
inconsistent or one or both are missing, you may be denied access.

Must the information in the A and PTR records exposed to the Internet  
match what is used on your organisation's Intranet?  No.

Regardless of what your security experts might say, it doesn't really  
matter wether or not you allow zone transfers.  With the network  
bandwidth that is currently available, one can just as easily use a  
diagnostic tool like nmap to scan your exposed IP addresses.  It will  
map the IP addresses, determine which services may be offered by each  
system, and perform the needed DNS queries.

Your intrusion detection system will most likely only catch the most  
blatant of these attempts unless it's correlating traffic over a  
period measured in months.

Merton Campbell Crockett
m.c.crockett at

More information about the bind-users mailing list