[Discuss] DNS question about DNSENUM.PL

Rich Pieri richard.pieri at gmail.com
Wed Mar 27 10:12:28 EDT 2013


--On Wednesday, March 27, 2013 3:00 AM +0000 "Edward Ned Harvey (blu)" 
<blu at nedharvey.com> wrote:

> Use weird names, like "securesrv7.company.com" instead of
> "vpn.company.com" and
> Eliminate reverse pointers

Which breaks all kinds of things. Like mail.

Never mind that users absolutely HATE names like that.

It's also counterproductive. Me the attacker does a reverse lookup of all 
the IP addresses in your domain. This takes at most 255 hits on your name 
servers. Me the attacker does an exhaustive search of all host names with 
one to twenty characters. This takes up... I'm not going to do the math but 
it's a lot more than 255 hits on your name servers.

Yes, it does make it a little more tedious for a script kiddie to map all 
of your public-facing servers, but it does so at the expense of a MASSIVE 
increase in traffic and load on your name servers.

I say let them have the names. They're going to find them anyway. Why make 
it hard on my own servers and network? I rely on perimeter IDPS and strong 
authentication to take care of keeping the unwanted out. Those work.

Security by obscurity is no security at all.

-- 
Rich P.



More information about the Discuss mailing list