 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
Rich Pieri wrote: >> Hide is perhaps not the right word. Obscure may be better. A default >> DNSENUM will pull the aforementioned names and IP addresses. I would >> like to make it so people must know what they're looking for. > > DNS doesn't work that way. It's misleading when you say that and don't elaborate, but fortunately you elaborated some in another message... > DNSENUM doesn't have to brute force some names because it gets them > via reverse lookups on the IP address ranges it determines are part > of the target domain or subdomain. Ah, so you're saying it *does* work that way, providing you don't create PTR records and you choose host names that aren't going to be found in a dictionary attack. Derek Martin wrote: > ...except by hosting two different views of your DNS, one public, and > one internal. That can be done using two different DNS servers... Sure, but a split-horizon DNS setup isn't applicable here as the OP implied by using the name "vpn.blah.org" that the name needs to work from outside his LAN. In the original message Chris O'Connell wrote: > I know I have VPN.blah.org...yet it doesn't show up in a regular > DNSENUM scan. Chris O'Connell wrote: > ...I would like to hide these (especially ones > like remote.blah.org and vpn.blah.org... OK, so they're already partially hidden, as Dnsenum can't find them through its more basic techniques. To hide them further requires understanding how Dnsenum is finding them and disrupting that mechanism. If you want to foul the reverse lookup, get rid of the PTR records for those IPs. Generally, you won't miss out on anything by doing this. Traceroutes and log reports will show an IP instead of the name. (Theoretically you could fix this inside your LAN with a split-horizon DNS setup.) (There are some misguided anti-spam filters that will reject your connection if it doesn't see a PTR record that matches the forward lookup, but irrelevant for a VPN server.) (Disclaimer: it's conceivable that some proprietary VPN servers might be impacted by a lack of PTR record (say, security checks in the client). You'll have to investigate/test that.) If you want to foul the dictionary lookup, choose a name that won't be in the dictionary. Using something like vpn2013 might be enough to do the job. Appending a string of random characters would be better, but it obviously defeats the purpose of using a name in the first place. -Tom -- Tom Metro Venture Logic, Newton, MA, USA "Enterprise solutions through open source." Professional Profile: http://tmetro.venturelogic.com/
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
