Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Pros & cons of a reverse lookup zone??

52 views
Skip to first unread message

dlran

unread,
May 16, 2002, 12:07:35 PM5/16/02
to
Hey everyone, what are the pros and cons of having a
reverse lookup zone on my windows 2000 Server network?

Ron Stewart

unread,
May 16, 2002, 3:21:12 PM5/16/02
to
Cons: can't think of any. Pros--nslookup, your chief DNS troubleshooting
tool, will work properly, as will apps and configuration options that
require reverse DNS lookup.

Basically, having a reverse lookup zone is considered a best practice.

--
Ron Stewart
B.Ed., MCSE+I, MCT
Senior Instructor/Consultant
triOS Training Centres
Mississauga, Ontario, Canada
(905) 542-7678
--

"dlran" <dl...@hotmail.com> wrote in message
news:44a901c1fcf3$cb01cd70$35ef2ecf@TKMSFTNGXA11...

dlran

unread,
May 17, 2002, 11:38:28 AM5/17/02
to
Thanks a million Ron.
>.
>

Laura A. Robinson

unread,
May 18, 2002, 3:40:33 PM5/18/02
to
circa Thu, 16 May 2002 15:21:12 -0400, in
microsoft.public.win2000.dns, Ron Stewart (ro...@trios.com.no.spam)
said,

> Cons: can't think of any. Pros--nslookup, your chief DNS troubleshooting
> tool, will work properly, as will apps and configuration options that
> require reverse DNS lookup.
>
> Basically, having a reverse lookup zone is considered a best practice.
>
Agreed, but with one caveat-

From a security perspective, controlling the machines to which a DNS
server will perform zone transfers is a very wise idea. This prevents
somebody attempting to characterize your environment from simply
performing an nslookup dump against your DNS server for your domain
(s). However, something that admins often overlook when they feel
they've secured a zone by refusing zone transfers is that reverse
lookup zones can help an attacker to get around this. I'll explain
what I mean:

In a penetration test that I was running for a client, they had
configured their DNS servers to refuse zone transfers except to each
other. When I ran an nslookup against a server, it refused to simply
list for me the names of all of the machines in the domain I queried.
This is good.

However, what I then did was to run an automated query to their DNS
server for each of the IPs in their IP block, requesting the names
for the IPs. These are, of course, hosted in reverse lookup zones.
Within ten minutes, I had all of the names and IPs for all of the
machines in *all* of their domains, and many of those machines were
named things such as "Oracle1", "SQLServ1", "CityDC1", etc. Since I
now knew what was running on the servers for each of the IPs, I had a
tremendous amount of information with which to work in furthering my
penetration testing.

So, my point is this- while reverse lookup zones *are* useful, you
should be aware of security implications in DNS. DNS is low-hanging
fruit for an attacker in most environments.

Laura
--
One man's mundane and boring existence is another man's Technicolor.
-Tick, Strange Days

dlran

unread,
May 20, 2002, 2:12:23 PM5/20/02
to
Thanks Laura
>.
>

dlran

unread,
May 20, 2002, 2:12:20 PM5/20/02
to
Thanks Laura
>.
>
0 new messages