
BLU Discuss list archive



[Discuss] DNS question about DNSENUM.PL



--On Wednesday, March 27, 2013 3:00 AM +0000 "Edward Ned Harvey (blu)" 
<blu at nedharvey.com> wrote:

> Use weird names, like "securesrv7.company.com" instead of
> "vpn.company.com" and
> Eliminate reverse pointers

Which breaks all kinds of things. Like mail.

Never mind that users absolutely HATE names like that.

It's also counterproductive. Me the attacker does a reverse lookup of all 
the IP addresses in your domain. This takes at most 255 hits on your name 
servers. Me the attacker does an exhaustive search of all host names with 
one to twenty characters. This takes up... I'm not going to do the math but 
it's a lot more than 255 hits on your name servers.

Yes, it does make it a little more tedious for a script kiddie to map all 
of your public-facing servers, but it does so at the expense of a MASSIVE 
increase in traffic and load on your name servers.

I say let them have the names. They're going to find them anyway. Why make 
it hard on my own servers and network? I rely on perimeter IDPS and strong 
authentication to take care of keeping the unwanted out. Those work.

Security by obscurity is no security at all.

-- 
Rich P.



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org