[Discuss] DNS question about DNSENUM.PL

Tom Metro tmetro+blu at gmail.com
Tue Mar 26 16:07:40 EDT 2013


Rich Pieri wrote:
>> Hide is perhaps not the right word.  Obscure may be better.  A default
>> DNSENUM will pull the aforementioned names and IP addresses.  I would
>> like to make it so people must know what they're looking for.
> 
> DNS doesn't work that way.

It's misleading when you say that and don't elaborate, but fortunately
you elaborated some in another message...


> DNSENUM doesn't have to brute force some names because it gets them
> via reverse lookups on the IP address ranges it determines are part
> of the target domain or subdomain.

Ah, so you're saying it *does* work that way, providing you don't create
PTR records and you choose host names that aren't going to be found in a
dictionary attack.


Derek Martin wrote:
> ...except by hosting two different views of your DNS, one public, and
> one internal.  That can be done using two different DNS servers...

Sure, but a split-horizon DNS setup isn't applicable here, as the OP
implied by using the name "vpn.blah.org" that the name needs to work
from outside his LAN.


In the original message Chris O'Connell wrote:
> I know I have VPN.blah.org...yet it doesn't show up in a regular
> DNSENUM scan.

Chris O'Connell wrote:
> ...I would like to hide these (especially ones
> like remote.blah.org and vpn.blah.org...

OK, so they're already partially hidden, as Dnsenum can't find them
through its more basic techniques. To hide them further requires
understanding how Dnsenum is finding them and disrupting that mechanism.

If you want to foul the reverse lookup, get rid of the PTR records for
those IPs. Generally, you won't miss out on anything by doing this.
Traceroutes and log reports will show an IP instead of the name.
(Theoretically you could fix this inside your LAN with a split-horizon
DNS setup.) (There are some misguided anti-spam filters that will reject
your connection if they don't see a PTR record that matches the forward
lookup, but that's irrelevant for a VPN server.) (Disclaimer: it's
conceivable that some proprietary VPN servers might be impacted by a lack
of a PTR record (say, security checks in the client). You'll have to
investigate/test that.)

If you want to foul the dictionary lookup, choose a name that won't be
in the dictionary. Using something like vpn2013 might be enough to do
the job. Appending a string of random characters would be better, but it
obviously defeats the purpose of using a name in the first place.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
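The two discovery paths the thread describes (reverse lookups across your address range, and dictionary lookups of forward names) can be turned into a self-audit of your own zone. This is an added example, not code from the thread or from dnsenum; the zone records, the address range and the wordlist are constructed stand-ins, and blah.org is the thread's placeholder domain.

```python
"""Audit a zone for host names a dnsenum-style scan would find without
prior knowledge: a PTR record on a swept address, or a label that sits in
a common wordlist. Constructed data; no network access is needed."""
import ipaddress

# Constructed forward (A) records for the zone.
FORWARD = {
    "www.blah.org": "203.0.113.10",
    "mail.blah.org": "203.0.113.20",
    "vpn.blah.org": "203.0.113.30",
    "remote.blah.org": "203.0.113.31",
    "vpn2013.blah.org": "203.0.113.32",
    "gw-x7q9k.blah.org": "203.0.113.33",
}
# Constructed reverse (PTR) records; note which names still have one.
PTR = {
    "203.0.113.10": "www.blah.org",
    "203.0.113.20": "mail.blah.org",
    "203.0.113.30": "vpn.blah.org",       # reverse sweep reveals the VPN name
    "203.0.113.33": "gw-x7q9k.blah.org",  # random label, but the PTR leaks it
}
# Constructed stand-in for a scanner's host-name wordlist.
WORDLIST = {"www", "mail", "ftp", "vpn", "remote", "ns1", "ns2", "webmail"}


def audit(names, forward, ptr, wordlist, address_range):
    """Return {name: [reasons]} for names in `names` that are discoverable."""
    net = ipaddress.ip_network(address_range)
    findings = {}
    for name in names:
        reasons = []
        if name.split(".")[0].lower() in wordlist:
            reasons.append("leftmost label is in the wordlist (dictionary lookup)")
        ip = forward.get(name)
        if ip and ipaddress.ip_address(ip) in net and ptr.get(ip) == name:
            reasons.append(f"PTR record for {ip} returns the name (reverse sweep)")
        if reasons:
            findings[name] = reasons
    return findings


def audit_example():
    """Run the audit over the names the thread wants kept obscure."""
    hidden = ["vpn.blah.org", "remote.blah.org",
              "vpn2013.blah.org", "gw-x7q9k.blah.org"]
    return audit(hidden, FORWARD, PTR, WORDLIST, "203.0.113.0/24")


if __name__ == "__main__":
    for name, why in audit_example().items():
        print(name, "->", "; ".join(why))
```

In the constructed zone only vpn2013.blah.org passes both checks; gw-x7q9k.blah.org has a non-dictionary label but is still exposed because its PTR record was left in place.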
