11-22-2017 05:37 AM
I was wondering if anyone had links to documentation on the current best practices for publishing external PTR records? Or just opinions on what they consider best practices.
I've tended to take the view that one should publish matching A/PTR records for things connecting to external resources. However, to avoid making it too easy for people with less than friendly intentions to map my internal structure (e.g. by identifying probable data centers by clusters of PTR records), I've preferred to publish very generic bulk records so that our entire public address space looks the same.
I can't really find anything to back up this approach, so was wondering what other people were doing or if there's any documentation out there that addresses this that I've missed?
11-27-2017 01:21 PM
RFC 1912 specifies:
- Every Internet-reachable host should have a name
- For every IP address, there should be a matching PTR record in the in-addr.arpa domain.
Your external DNS data is publicly retrievable, and security through obfuscation is known not to work. If you do not want people with "less than friendly" intentions to figure out your organization's structure, then you need to do so before publishing that data in your zones.
"unsecureddatabaseserver.indatacenter.example.com" is a lot worse than "server5477.subzone2.example.com"
The bulk host approach is one way of making data more obfuscated. However, in the end, gathering DNS data is one of the earliest steps during reconnaissance and figuring out which networks and zones map to what locations is trivial even when the data is obfuscated.
One way Infoblox could protect you here is through the Advanced DNS Protection solution which allows you to rate limit and block IPs that are performing an enumeration or dictionary attack on your DNS servers.
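The two points the thread turns on, the RFC 1912 rule that every address has a PTR whose name resolves back to it, and the original poster's "generic bulk record" approach, can both be expressed as a small script. The following is an added example written for this page, not code from either poster or from Infoblox; the block 203.0.113.0/24, the zone example.com, the ip-A-B-C-D naming template and the sample mismatched records are all constructed for illustration. It generates a generic PTR record for every host address in a block, the matching forward A records, and a forward-confirmed reverse DNS (FCrDNS) audit that flags any address whose PTR does not resolve back to it, which is the check mail receivers and many other services actually perform:

```python
"""Generic bulk PTR generation plus a forward-confirmed reverse DNS audit.

Added example for the thread above; the block, zone and sample records are
constructed, not taken from any real deployment. The audit works on in-memory
tables so it runs offline; on a live zone you would feed it the output of
your own resolver queries instead.
"""
import ipaddress


def ptr_owner(ip):
    """Owner name of the PTR record for ip (in-addr.arpa form, with trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def generic_name(ip, zone):
    """Generic IPv4 host name ip-A-B-C-D.<zone>. so that every address looks the same.
    (Assumed naming template; any scheme that leaks no role or location works.)"""
    return "ip-" + str(ip).replace(".", "-") + f".{zone}."


def bulk_records(cidr, zone):
    """Return (ptr, fwd): ptr maps address -> PTR target, fwd maps name -> set of addresses.
    Every host address in the block gets a matching PTR/A pair, as RFC 1912 asks for."""
    ptr, fwd = {}, {}
    for ip in ipaddress.ip_network(cidr).hosts():  # network/broadcast excluded for a /24
        name = generic_name(ip, zone)
        ptr[str(ip)] = name
        fwd.setdefault(name, set()).add(str(ip))
    return ptr, fwd


def zone_lines(ptr):
    """Render the PTR table as BIND-style reverse zone lines."""
    return [f"{ptr_owner(ip)}\tIN\tPTR\t{name}" for ip, name in ptr.items()]


def fcrdns_ok(ip, ptr, fwd):
    """Forward-confirmed reverse DNS: the PTR target must have an A record back to ip."""
    name = ptr.get(ip)
    if name is None:          # no PTR at all: fails the RFC 1912 expectation outright
        return False
    return ip in fwd.get(name, set())


def audit(ptr, fwd):
    """List every address whose PTR does not resolve back to it."""
    return [ip for ip in ptr if not fcrdns_ok(ip, ptr, fwd)]


if __name__ == "__main__":
    ptr, fwd = bulk_records("203.0.113.0/24", "example.com")   # constructed block and zone
    print("\n".join(zone_lines(ptr)[:3]))                        # first few reverse zone lines
    print("mismatches in generated block:", audit(ptr, fwd))    # expected: none

    # Constructed broken case: PTR points at a name whose A record is a different address.
    bad_ptr = {"203.0.113.10": "mail.example.com."}
    bad_fwd = {"mail.example.com.": {"203.0.113.11"}}
    print("mismatches in sample:", audit(bad_ptr, bad_fwd))
```

The generic names keep the poster's goal (no cluster of PTRs that reads "datacenter" or "db") while still satisfying the matching A/PTR rule, so hosts that send mail or connect outbound do not fail FCrDNS checks. The audit is also the easiest way to catch the common failure mode the answer hints at: a zone where the reverse records were bulk-generated once and the forward records have since drifted.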