Great Circle Associates Firewalls
(January 1995)

Subject: Re: hiding private net addresses
From: mjs @ tiaa . org (marty shannon)
Date: Mon, 23 Jan 95 18:17:59 EST
To: Firewalls @ greatcircle . com

Well, although I didn't do it very gracefully, our firewall has forward
and reverse information for all the possible hosts on our networks.  It
doesn't reflect any real names, but there's a name (an A record) and an
address (PTR record) that correctly point at each other (alas, that
makes for *huge* zone transfers (we have a class B and a handful of
class Cs)).  That solves the problem of machines like ftp.uu.net that
do a double-reverse lookup (I think I first saw that term in Cheswick &
Bellovin; cute!).  On the other hand, what we let through the various
routers and firewall machine itself is a different story....

However, I do agree that, except for whatever naming conventions you
use that might give away information about the organization, there
really isn't much point in hiding names or addresses in DNS-land.  I
did it here only at the "request" of my boss's boss.  Of course, one
could figure out some interesting things like which machines are
sysadmin machines from our internal names, and thereby possibly make
them targets.

	Marty Shannon
--
Marty Shannon            | SunOS System Administrator   | Bill Gates can't
TIAA-CREF 3rd Floor      | SVR3 System Administrator    | borrow enough to
730 3rd Avenue           | UUCP Guru (Don't Tell!)      | make me do Windows!
New York City, NY  10017 | Solaris System Administrator | Sigh.
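The "double-reverse lookup" the post mentions is what is now usually called forward-confirmed reverse DNS: a server takes the connecting address, resolves its PTR record to a name, resolves that name back to A records, and accepts the connection only if the original address is among them. A site that publishes A and PTR records that point at each other for every address, as described above, passes this check even when the names are meaningless. The following is an added example, not code from the original post or from the list; the host names and addresses are constructed sample data (RFC 5737 documentation space), and the lookups are injectable so the logic runs offline, with plain `socket`-based lookups provided for real use.

```python
"""Forward-confirmed reverse DNS ("double-reverse lookup") check.

Added example, not part of the original list post. The resolver functions
are injected so the logic can be exercised offline against constructed
records; socket-based defaults are included for use against a live resolver.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone data (hypothetical names, RFC 5737 addresses).
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "host-10.example.net",   # consistent A/PTR pair
    "192.0.2.11": "host-11.example.net",   # PTR exists, but A points elsewhere
    "192.0.2.12": "orphan.example.net",    # PTR exists, no A record at all
    # 192.0.2.13 deliberately has no PTR record
}
SAMPLE_A: Dict[str, List[str]] = {
    "host-10.example.net": ["192.0.2.10"],
    "host-11.example.net": ["192.0.2.99"],
}


def sample_ptr_lookup(addr: str) -> Optional[str]:
    """Offline PTR lookup over the constructed sample data."""
    return SAMPLE_PTR.get(addr)


def sample_a_lookup(name: str) -> List[str]:
    """Offline A lookup over the constructed sample data."""
    return SAMPLE_A.get(name, [])


def socket_ptr_lookup(addr: str) -> Optional[str]:
    """Live PTR lookup via the system resolver; None if there is no PTR."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def socket_a_lookup(name: str) -> List[str]:
    """Live A lookup via the system resolver; empty list if unresolvable."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def double_reverse_check(
    addr: str,
    ptr_lookup: Callable[[str], Optional[str]] = sample_ptr_lookup,
    a_lookup: Callable[[str], List[str]] = sample_a_lookup,
) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when addr -> PTR -> A contains addr.

    Each failure mode (no PTR, PTR naming a host with no A record, PTR naming
    a host whose A records do not include addr) gets its own reason string so
    an operator can see why a client was rejected.
    """
    ipaddress.ip_address(addr)  # raises ValueError for malformed input
    name = ptr_lookup(addr)
    if name is None:
        return False, "no PTR record"
    forward = a_lookup(name)
    if not forward:
        return False, f"PTR names {name!r} but it has no A record"
    if addr not in forward:
        return False, f"PTR names {name!r} but its A records are {forward}"
    return True, f"{addr} <-> {name} confirmed"


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        ok, why = double_reverse_check(client)
        print(f"{client}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Against the sample data only 192.0.2.10 is accepted; the other three show the distinct ways the check fails. To run it against a live resolver, pass `socket_ptr_lookup` and `socket_a_lookup` as the two lookup arguments.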
