On 2010-09-21 16:56, Phil Mayers wrote:
> On 21/09/10 14:43, Niobos wrote:
>> On 2010-09-21 15:32, Kalman Feher wrote:
>>> On 21/09/10 8:43 AM, "Niobos"<nio...@dest-unreach.be> wrote:
>>> I personally find protection against zone enumeration to be a false
>>> sense of security. If it's public, people will find it. Ask yourself what
>>> it is that you want publicly accessible yet you don't want others to be
>>> aware of.
>> I'll reply with a quote from the BIND & DNS book:
>> It's the difference between letting random folks call your company's
>> switchboard and ask for John Q. Cubicle's phone number [versus] sending
>> them a copy of your corporate phone directory.
>
> That is a poor analogy.
>
> Do you have reverse DNS in .in-addr.arpa?

Yes

> Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it
> doesn't take very long for us, and we've got a lot of large subnets.

A few seconds

> Attackers can gain a lot of info from this;

Correct

> certainly not *all* forward lookups, but a lot of them.

My zone consists of mostly CNAMEs that map vhosts to physical hosts; you
won't find these with .in-addr.arpa.

Greetings,
Niobos

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users