On 21/09/10 14:43, Niobos wrote:
> On 2010-09-21 15:32, Kalman Feher wrote:
>> On 21/09/10 8:43 AM, "Niobos" <nio...@dest-unreach.be> wrote:
>> I personally find protection against zone enumeration to be a false sense of
>> security. If it's public people will find it. Ask yourself what it is that
>> you want publicly accessible yet you don't want others to be aware of.
> I'll reply with a quote from the BIND & DNS book:
> It's the difference between letting random folks call your company's
> switchboard and ask for John Q. Cubicle's phone number [versus] sending
> them a copy of your corporate phone directory.

That is a poor analogy.

Do you have reverse DNS in .in-addr.arpa?

Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it doesn't take very long for us, and we've got a lot of large subnets.

Attackers can gain a lot of info from this; certainly not *all* forward lookups, but a lot of them. Pretending that stopping zone enumeration is much of a security boost is just that IMHO - pretending.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users