On Wed, 2 Feb 2000, Patrick Greenwell wrote:
Sure. Esp. for blackhats. Which makes the more "attractive" target;
db.accounting.bigcorp.com
foozlebutt.bigcorp.com
Do we need to re-visit the "security through obscurity" argument here?
I think some level of obscurity is needed when it comes to DNS names. Think about how many people still include things like HINFO, WKS, AFSDB, X25, ISDN, and RT records in their zone files. It's a lot less common than it used to be, though I come across them every so often. The idea is that by obscuring some areas of information via certain services, it will be easier to catch Cracker X via an IDS, firewall, etc. when he/she has to use alternate means to get the information he/she wants.

Example: Company A has a big bad firewall and IDS setup that they paid a lot of money for, to stop people from trying to mount attacks into their soft, chewy corporate network, full of confidential information and R&D boxes. So, they can do such neat things as detect portscans and block incoming traffic from the offending host and other such things in an effort to help keep information about their network a secret. Not a bad thing, really, though the ability of network security hardware to make decisions on its own still makes me a bit uneasy, but that's getting off on a tangent.

So, they've got this great setup, but they've been kind enough to provide you with WKS and HINFO records and the ability to transfer their entire zone file(s). Then you've got an instant list of servers and what OS/services they are running without ever using nmap/strobe, making all that money invested in the firewall and IDS somewhat of a waste. It's certainly self-defeating. I've found that large companies who seem to have a SysAdmin group handling all the servers/services (DNS) and a Networking group handling the firewalls and IDS don't seem to communicate very well. It comes down to a case of the right hand not knowing exactly what the left is doing, and it's detrimental to the security posture of any company.

But, in some cases this can work to your advantage. You can name a honeypot machine customerbillingdb.company.com with an HINFO of something really exploitable like RedHat 5.1 or an old Solaris version and see what kind of things happen. Wow, pseudo-operational content about the effectiveness of hostnames.

-- 
Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
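The audit that the post above describes (pull a zone, read off the HINFO/WKS records, and you have a host and OS inventory without a port scan) is easy to automate. The script below is an added example for this thread, not code from the original post or from Joseph Shaw: it parses a BIND-style zone file, lists the record types that leak host details (HINFO, WKS, AFSDB, X25, ISDN, RT), and groups hosts by the OS string their HINFO advertises. The zone text, the bigcorp.example domain and the hostnames in it are constructed for the example; they are not real data.

```python
"""Audit a BIND-style zone file for records that hand an attacker a host
inventory without a port scan: HINFO (CPU/OS), WKS (well-known services),
and the routing-oriented AFSDB, X25, ISDN and RT records.

Added example for the thread above. SAMPLE_ZONE is constructed: the domain,
hosts and addresses are made up for illustration.
"""
import re
from collections import defaultdict

LEAKY_TYPES = {"HINFO", "WKS", "AFSDB", "X25", "ISDN", "RT"}
CLASSES = {"IN", "CH", "HS", "ANY"}
TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted string or bare word
TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")  # 86400, 1h, 2d, ...

SAMPLE_ZONE = """\
$ORIGIN bigcorp.example.
$TTL 86400
@                 IN SOA ns1 hostmaster (2000020201 3600 900 604800 86400)
                  IN NS  ns1
ns1               IN A   192.0.2.1
db.accounting     IN A   192.0.2.10
db.accounting     IN HINFO "SPARC" "Solaris 2.5.1"   ; tells the whole story
db.accounting     IN WKS  192.0.2.10 tcp ( telnet ftp smtp )
foozlebutt        IN A   192.0.2.11
www               IN A   192.0.2.12
www               IN HINFO "i386" "RedHat 5.1"
customerbillingdb IN A   192.0.2.13   ; honeypot bait, per the post
customerbillingdb IN HINFO "i386" "RedHat 5.1"
"""


def _clean(line):
    """Drop a ';' comment and unquoted parentheses; return (text, paren_delta)."""
    out, quoted, delta = [], False, 0
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == ";":
                break
            if ch in "()":
                delta += 1 if ch == "(" else -1
                ch = " "
        out.append(ch)
    return "".join(out), delta


def _logical_lines(text):
    """Yield records with '( ... )' continuations joined onto one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        cleaned, delta = _clean(raw)
        depth += delta
        if not buf and not cleaned.strip():
            continue                        # blank or comment-only line
        buf.append(cleaned)
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def _qualify(name, origin):
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin else name


def parse_zone(text):
    """Return (owner, rtype, rdata) for every resource record in the zone."""
    origin, owner, records = "", None, []
    for line in _logical_lines(text):
        tokens = TOKEN.findall(line)
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):       # $TTL, $INCLUDE: not records
            continue
        if line[0].isspace():
            fields = tokens                 # blank owner: inherit previous
        else:
            owner, fields = _qualify(tokens[0], origin), tokens[1:]
        while fields and (TTL_RE.match(fields[0]) or fields[0].upper() in CLASSES):
            fields.pop(0)                   # optional TTL and class
        if fields:
            records.append((owner, fields[0].upper(), " ".join(fields[1:])))
    return records


def find_leaky_records(text):
    """Records an attacker reads instead of running nmap/strobe."""
    return [r for r in parse_zone(text) if r[1] in LEAKY_TYPES]


def os_inventory(text):
    """Map each HINFO OS string to the hosts advertising it."""
    inv = defaultdict(list)
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "HINFO":
            parts = TOKEN.findall(rdata)    # HINFO rdata is <CPU> <OS>
            os_name = parts[1].strip('"') if len(parts) > 1 else rdata
            inv[os_name].append(owner)
    return dict(inv)


if __name__ == "__main__":
    for owner, rtype, rdata in find_leaky_records(SAMPLE_ZONE):
        print(f"{owner:35} {rtype:6} {rdata}")
    for os_name, hosts in os_inventory(SAMPLE_ZONE).items():
        print(f"{os_name}: {', '.join(hosts)}")
```

Against a real zone, save the output of `dig @<nameserver> <zone> axfr` to a file and feed it to `parse_zone`; if the transfer succeeds at all from an outside host, that is the first finding, and restricting it (`allow-transfer` in BIND's named.conf) removes the inventory channel regardless of which record types are in the zone. The same parser also shows the honeypot trick from the post in reverse: a deliberately tempting name with a vintage HINFO string stands out in the OS inventory exactly the way it would to an attacker.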