On 2010-09-21 16:56, Phil Mayers wrote:
> On 21/09/10 14:43, Niobos wrote:
>> On 2010-09-21 15:32, Kalman Feher wrote:
>>> On 21/09/10 8:43 AM, "Niobos"<nio...@dest-unreach.be>  wrote:
>>> I personally find protection against zone enumeration to be a false
>>> sense of
>>> security. If it's public people will find it. Ask your self what it
>>> is that
>>> you want publically accessible yet you don't want others to be aware of.
>> I'll reply with a quote from the BIND&  DNS book:
>> It’s the difference between letting random folks call your company’s
>> switchboard and ask for John Q. Cubicle’s phone number [versus] sending
>> them a copy of your corporate phone directory.
> That is a poor analogy.
> Do you have reverse DNS in .in-addr.arpa?

> Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it
> doesn't take very long for us, and we've got a lot of large subnets.
A few seconds

> Attackers can gain a lot of info from this;

> certainly not *all* forward
> lookups, but a lot of them.
My zone consists of mostly CNAMEs that map vhosts to physical hosts; you
won't find these with .in-addr.arpa.


bind-users mailing list

Reply via email to