Williamd000

2003-03-25, 1:50 pm

What functionality should be disallowed between a DNS server and an untrusted node?
1- name resolutions
2- reverse ARP requests
3- system name resolutions
4- zone transfers

I think it's 4, but I'm trying to look for a good reference for why that would be the correct answer. Thanks.
RussS

2003-03-25, 2:37 pm

I have a question my friend ...
Where are you getting these questions from? If it is from some kind of study reference it will be covered there.
Williamd000

2003-03-25, 2:41 pm

Hi, it's not from a study guide. It's from a book I have, and I believe that they are wrong and I'm trying to get a reference on this question. Thanks.
RussS

2003-03-25, 3:42 pm

'k

What is the book? I have read a few and find there is a lot of debate on some ideas. I think it possibly comes from that particular author having come across a particular attack that is not necessarily common.

I would go for 2 - reverse ARP requests.
117wik

2003-03-26, 6:12 pm

I will go for 4.
What's wrong with reverse ARP requests?? I can understand why we shouldn't allow others to do zone transfers.
RussS

2003-03-26, 7:43 pm

<< kicks self in butt !!

I was having a verbal when I replied and didn't realise I hadn't finished

I would go for 2 Reverse ARP - Reverse ARPing is used when spoofing in many cases.

The zone transfers is a security thing, but in my opinion is not the answer for this question as we are dealing with DNS.

Type Reverse ARP into Google and you will find many hacker pages discussing this.
117wik

2003-03-27, 12:11 am

That still doesn't convince me. From my understanding RARP is used to resolve a MAC back to IP. Normally the IP of a DNS server is already known anyway, so I don't see anything wrong with an RARP request to a DNS.

If you allow an untrusted PC to do a DNS zone transfer then you will be giving out all sorts of info to others (e.g. name and IP of your file server etc).

Am I right or wrong??

btw I have only started reading books for Security+ for 2 days so maybe I don't know enough yet... :P
RussS

2003-03-27, 5:56 am

partially right - the answer does not say DNS zone transfer so it could just be a security zone.

As I said - if you search reverse ARP in google you will learn heaps.
rlrouns

2003-03-27, 7:55 am

I am going to go with zone transfers.

http://is-it-true.org/pt/ptips4.shtml

http://techupdate.zdnet.co.uk/story...2129499,00.html

http://lists.isb.sdnpk.org/pipermai...ary/001748.html

3 references above....

That was also covered in the SANS Security Essentials course, and the instructor really knew his stuff...
chodan

2003-04-09, 7:53 pm

It's 4.
You can definitely get into trouble without locking zone transfers into only trusted servers.
If you've ever dealt with BIND then you will definitely see the advantages of using Windows 2000 DNS for internet name resolution.
We made the switch last year "I did it mainly to make life easier for our more junior techs" when we did I noticed that it is much easier to keep up with security updates with Windows 2000 than it is to keep up with the almost weekly cert_advisories of BIND buffer overflow vulnerabilities.
For DNS security and rock solid reliability in DNS it's hard to beat Windows 2000.
Hacker

2003-04-10, 7:07 pm

Definitely zone transfers. DNS is all about maintaining zone convergence and in a DMZ, if you have an external DNS and an internal DNS, you do *NOT* EVER want the external DNS to get info of the internal DNS. If you know the DNS records, you pretty much know everything about a network: IP addresses, names, services (SRV records), etc.

ARP has to do with switches (ARP route poisoning), and nothing to do with DNS.
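
Added example, not part of any post in this thread: a defender-side check for the "lock zone transfers to trusted servers only" advice, written for BIND's named.conf syntax. It reports, per zone, whether `allow-transfer` is open to `any`, restricted, or not set at the zone level. The sample configuration, zone names and addresses are constructed for illustration, and the parser assumes simple, non-nested ACLs.

```python
import re

# Constructed sample named.conf (zone names and addresses are made up).
SAMPLE_CONF = '''
zone "example.com" {
    type master;
    file "example.com.db";
    allow-transfer { any; };          // anyone may pull the whole zone
};
zone "corp.example.com" {
    type master;
    file "corp.db";
    allow-transfer { 192.0.2.53; };   // only the secondary server
};
zone "lab.example.com" {
    type master;
    file "lab.db";
};
'''

def _block(text, start):
    """Return the contents of the brace block opening at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")

def audit_zone_transfers(conf):
    """Classify each zone as 'open', 'restricted' or 'unset'."""
    conf = re.sub(r'(#|//)[^\n]*', '', conf)   # drop line comments only
    findings = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{;]*\{', conf):
        body = _block(conf, m.end() - 1)
        acl = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
        if acl is None:
            findings[m.group(1)] = 'unset'      # falls back to options/default
        else:
            entries = [e.strip() for e in acl.group(1).split(';') if e.strip()]
            findings[m.group(1)] = 'open' if 'any' in entries else 'restricted'
    return findings

if __name__ == '__main__':
    for zone, status in audit_zone_transfers(SAMPLE_CONF).items():
        print(f'{zone}: {status}')
```

A zone reported as `unset` inherits whatever the global `options` block or the server's built-in default allows, so it needs a manual look rather than a pass.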