Reto Lichtensteiger <rali @
# Hello all ...
# I have been considering this one for a while & the "I hate DNS" thread
# prompts me to ask for clarification ...
# What is, indeed, the usefulness of hiding "inside" names via a split
# I can see that it might hinder a "bad guy" if there was *no* way to
# determine the inside net ID, but in a majority of cases the inside net is
# known ...

Let me hopefully cut short the religious war that seems to start every
time we discuss this topic...

Some sites believe that host names and other internal DNS data should
be treated as "confidential" data, much like their internal company

The case for hiding things like HINFO records is clear: while these
are very useful for sysadmins (they tell them what kind of machine it
is and what OS it's running), they're also very useful for crackers
(they tell them what kind of machine it is and what OS it's running

The case for hiding other things, like A records, is less clear and
varies by site. At some sites, the hostnames reflect the hardware
type. At some sites, hosts are named after projects, and you can
determine things like how big a project is by seeing how many hosts
are assigned to it. At some sites, hosts are named something
offensive that's funny to insiders, but that management doesn't want
leaking out to the general public. At some sites, they just want to
hide the host names on general principles.

Let's not beat this into the ground again; this horse has already been
beaten to death, buried, dug up, beaten again, and buried again
several times. If you really want to see the past discussion, see the
Firewalls archives (ftp://ftp.greatcircle.com/pub/firewalls) or WAIS
database (host wais.greatcircle.com, database firewalls-digest).

Brent Chapman | Great Circle Associates | Call or email for info about
COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates