[Discuss] DNS question about DNSENUM.PL

Matthew Gillen me at mattgillen.net
Wed Mar 27 08:27:32 EDT 2013


On 3/26/2013 12:13 PM, Chris O'Connell wrote:
> Hide is perhaps not the right word.  Obscure may be better.  A default
> DNSENUM will pull the aforementioned names and IP addresses.  I would like
> to make it so people must know what they're looking for.  Tom's description
> of "you can view the file if you know its name, but you can't list the
> directory contents" is more or less exactly what I would like to do.

If you want to "hide" a host name from external DNS snooping, then you
should not put it in DNS at all, but rather configure the /etc/hosts
files on all your client machines that you want to know that "secret"
(yes, Windows machines still have an /etc/hosts file).  Could be a
problem if you don't have administrative control over all clients
(although you could always write up a procedure if you trust your
end-users enough...)

Honestly though, if you're going to do that, then you might want to
consider running your VPN server on the standard HTTPS port to obscure
that machine from port scans.

And if you were really paranoid, you would hide your VPN server from
port scans even better by using port-knocking.


Matt
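
Added example, not part of Matt's message: one way to turn the hosts-file procedure he describes into an idempotent script, so every client ends up with exactly one mapping for the name that is kept out of DNS. The host name, addresses and sample file are constructed, and the function names are this example's own.

```python
import ipaddress

def _addr(text):
    """Normalise an address so equivalent spellings compare equal."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return text  # leave unparseable first fields untouched

def ensure_hosts_entry(hosts_text, name, ip):
    """Return hosts_text with exactly one mapping for `name`, pointing at `ip`."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on a malformed address
    want, out, done = name.lower(), [], False
    for line in hosts_text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        names = fields[1:]
        if len(fields) < 2 or want not in [n.lower() for n in names]:
            out.append(line)  # blank, comment-only or unrelated line: keep as is
            continue
        if _addr(fields[0]) == ip and not done:
            out.append(line)  # already correct, nothing to change
            done = True
            continue
        # Stale or duplicate mapping: drop our name, keep the line's other aliases.
        others = [n for n in names if n.lower() != want]
        if others:
            out.append(" ".join([fields[0]] + others) + (" #" + comment if sep else ""))
    if not done:
        out.append(f"{ip} {name}")
    return "\n".join(out) + "\n"

def lookup(hosts_text, name):
    """Resolve `name` from hosts-format text: the first matching line wins."""
    for line in hosts_text.splitlines():
        fields = line.partition("#")[0].split()
        if len(fields) >= 2 and name.lower() in [n.lower() for n in fields[1:]]:
            return fields[0]
    return None

# Constructed sample: the private name is present but points at an old address.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1   localhost
192.0.2.10  vpn.example.internal oldbox   # stale address
198.51.100.7 fileserver
"""

if __name__ == "__main__":
    print(ensure_hosts_entry(SAMPLE, "vpn.example.internal", "192.0.2.55"), end="")
```

On Windows clients the same file format lives at %SystemRoot%\System32\drivers\etc\hosts.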


