Joey Kelly wrote:
> On Thursday February 2 2006 13:50, John Kosta spake:
>
> Hi, John!
Hi Joey!
>
> Um, well, if you put private IP information on a publicly-addressable DNS
> server, nothing will stop some l33t cr4ck3r from doing a zone transfer and
> mapping out which company hosts he wants to launch exploits at, a-la the
> techniques described in the "Hacking Exposed" books, unless you control the
> DNS server yourself and take steps to limit who gets to see what.
>
My thinking on this was, that if these are not publicly routeable IP
addresses (the hackers have no route to my boxes) it doesn't matter if
they know the name or IP address. So what if they want to go to my
Baton Rouge video system at 10.20.12.101 ? They can't get there because
that route only exists for my clients connected to my networks. Since I
don't let that traffic in the firewall, you would already have to be in
the system to make use of the information.
It does make me a little uneasy though, to think that someone could do a
zone transfer and get all the machine names -- but I'm not sure it would
do them any good. Couldn't they do that anyway, if they hacked into
my systems from outside? Either way, they still have to find a way in.
But, maybe I am creating too much temptation? Or missing something?
> I would run DNS in New Orleans and in one other office, and point all
> clients at those two servers exclusively. That way even if your T-1 in New
> Orleans goes down, every other office still has in-house DNS.
Unfortunately, our offices aren't fully meshed. So (for instance), if
Shreveport can't get to New Orleans via the T1, they can't get to Baton
Rouge via the T1 either (traffic has to go through New Orleans on the
private T1s). So both DNS servers would be offline for them, unless I
open one up to the "internet" and allow access that way. I could guess
what offices might be down, and put DNS servers there, but obviously
that wouldn't work very well.
> Assuming your in-house domain is leetcompany.com (this can be a real domain or
> a completely bogus one that only your company boxes know about, which is even
> better), populate your zonefile with all the internal private IP addresses.
> This should work the way you want, from the client machines' point of view.
>
> I suppose you could use granitecanyon.com for backup DNS if you don't have the
> ability to run DNS at a satellite office, and I think they won't mind you
> loading zones for non-existent domains (we used to do this for OpenNIC
> domains, with .geek and other TLDs), so long as the file you send them parses
> correctly. If you do that, you'll have to check their server periodically
> because they run a script every so often to clean out stale or bogus info. If
> you're hard-pressed, I'm willing to run secondary DNS for you if you like.
Well, I'm just trying to figure out a universal, long-term solution to
this issue so I can point all my clients somewhere, and then just worry
that the files are replicating, updating or whatever they have to do.
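The "take steps to limit who gets to see what" part of Joey's advice, written out as a BIND 9 named.conf fragment. This is an added example and not configuration from either poster: it assumes the internal domain is Joey's placeholder "leetcompany.com", that the offices use 10.0.0.0/8 over the private T1s, that the secondary server sits at 10.20.1.2, and that a TSIG key named "xfer-key" has been generated; all of those are assumptions. Office clients are answered from an internal view that carries the 10.x records and may transfer the zone only to a TSIG-authenticated secondary; everyone else is answered from a separate zone file that contains no private names, and zone transfers are refused outright.

```conf
// Added example (not from the original thread): split-horizon BIND 9 config.
// Assumed values: domain leetcompany.com, offices in 10.0.0.0/8,
// secondary at 10.20.1.2, TSIG key "xfer-key" (generate with: tsig-keygen xfer-key).

// Shared secret with the secondary: transfers are authenticated by key,
// not merely filtered by source address (which can be spoofed or NATed).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";   // replace with tsig-keygen output
};

acl "offices"     { 10.0.0.0/8; 127.0.0.1; };
acl "secondaries" { key "xfer-key"; };     // matches only TSIG-signed requests

options {
    directory "/var/named";
    allow-transfer { none; };   // global default: nobody may AXFR
    allow-query    { any; };
    recursion no;               // authoritative-only server
};

// Internal view: seen only by office clients; carries the private 10.x records.
view "internal" {
    match-clients  { offices; };
    allow-transfer { secondaries; };   // only the TSIG-authenticated secondary
    zone "leetcompany.com" {
        type master;
        file "leetcompany.com.internal";   // assumed file holding the 10.x records
        notify yes;
        also-notify { 10.20.1.2 key "xfer-key"; };
    };
};

// External view: everyone else gets a zone with no private names or addresses,
// so a zone transfer (if it were permitted) would reveal nothing internal.
view "external" {
    match-clients  { any; };
    allow-transfer { none; };
    zone "leetcompany.com" {
        type master;
        file "leetcompany.com.external";   // assumed file with public records only
    };
};
```

On the secondary, the matching piece is a `server 10.20.1.1 { keys { "xfer-key"; }; };` statement (primary address assumed) so its transfer requests are signed, plus `type slave` zones in the same two views. Because views are matched in order, the "internal" view must appear before "external", and every zone has to live inside a view once views are used. This keeps the machine names and 10.x addresses off the public server entirely, which addresses the unease about enumeration rather than relying on the missing route alone.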
___________________
Nolug mailing list
nolug@nolug.org
Received on 02/02/06
This archive was generated by hypermail 2.2.0 : 12/19/08 EST