To: Dean Anderson <dean@av8.com>
cc: Pekka Savola <pekkas@netcore.fi>, Robert Elz <kre@munnari.OZ.AU>, Kenneth Porter <shiva@sewingwitch.com>, <dnsop@cafax.se>
From: Edward Warnicke <eaw@cisco.com>
Date: Fri, 28 Feb 2003 16:38:16 -0500 (EST)
In-Reply-To: <Pine.LNX.4.44.0302281243560.12483-100000@commander.av8.net>
Sender: owner-dnsop@cafax.se
Subject: Re: Request for review of DNS related draft
True, if directed broadcasts for a network implementing this draft have not been disabled, but no more so than any information about the structure of the network would help a smurfer. So it does reduce security through obscurity by reducing obscurity. However, if an organization is concerned, they can limit which zones/domain names they expose to the outside world. I would expect it to be handled in the same way that organizations handle the question of which A records they choose to make visible to the Internet (split DNS, bind9 views, etc.). Would folks feel better about this if I were to put a paragraph in the "security considerations" section noting that availability to the outside world of information about the network structure of a network may be used for DoS attacks like smurfing, and recommending that organizations consider carefully the acceptable visibility of such records?

Ed

On Fri, 28 Feb 2003, Dean Anderson wrote:

> Not to mention that it would be quite useful to smurfers.
>
> --Dean
>
> On Fri, 28 Feb 2003, Pekka Savola wrote:
>
> > On Fri, 28 Feb 2003, Robert Elz wrote:
> > [...]
> > > Why would my nodes care what the network that contains some random IP
> > > address might happen to be (or why would I ever care more than the
> > > routing tables will tell me) ?
> >
> > Being able to do something like this would have quite a few security
> > considerations, besides -- in addition to operational reluctance to take
> > it to use.
> >
> > Finding your *own* info could be useful, but you really need most of that
> > information before you can make the DNS query..
> >
> > --
> > Pekka Savola                 "You each name yourselves king, yet the
> > Netcore Oy                    kingdom bleeds."
> > Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
> >
> > #----------------------------------------------------------------------
> > # To unsubscribe, send a message to <dnsop-request@cafax.se>.

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.