[Discuss] DNS question about DNSENUM.PL
Rich Pieri
richard.pieri at gmail.com
Wed Mar 27 10:12:28 EDT 2013
--On Wednesday, March 27, 2013 3:00 AM +0000 "Edward Ned Harvey (blu)"
<blu at nedharvey.com> wrote:
> Use weird names, like "securesrv7.company.com" instead of
> "vpn.company.com" and
> Eliminate reverse pointers
Which breaks all kinds of things. Like mail.
Never mind that users absolutely HATE names like that.
It's also counterproductive. Me the attacker does a reverse lookup of all
the IP addresses in your domain. This takes at most 255 hits on your name
servers. Me the attacker does an exhaustive search of all host names with
one to twenty characters. This takes up... I'm not going to do the math but
it's a lot more than 255 hits on your name servers.
Yes, it does make it a little more tedious for a script kiddie to map all
of your public-facing servers, but it does so at the expense of a MASSIVE
increase in traffic and load on your name servers.
I say let them have the names. They're going to find them anyway. Why make
it hard on my own servers and network? I rely on perimeter IDPS and strong
authentication to take care of keeping the unwanted out. Those work.
Security by obscurity is no security at all.
--
Rich P.
More information about the Discuss
mailing list