Re: Calling David Copeland regarding .local convention


From: Jeff L (newsgroupsremoveandunderscore_jeff_at_availabletech.net)
Date: 05/26/04


Date: Wed, 26 May 2004 10:09:40 -0400

You are right Gordon,

Properly executed and planned protection can stop a would-be hacker.

Consider this:
Let's say a consultant walks into a business and sets up a fully secure and
protected network. It uses sbs.example.com. The consultant leaves and the
in-house admin takes over. The in-house admin wants to set up an intranet
site but has problems resolving the name through DNS (give me a little leeway
here: consider the admin is relatively inexperienced [a fresh MCSE]). They
make some changes to DNS and the firewall while trying to get their intranet
site to resolve in a timely manner.

They fail to consider the broader picture and have made a "few extra clicks"
in their trial and error approach to administration.

My questions are:
1) How do you feel about their security now?

2) Who do you think the internal admin is going to blame three months later
when they get hacked?

3) What is the difference between the situation if they have
.com?
.local?
.lan?
.otl?

Cheers,
Jeff Loucks
       Available Technology ®
            Solutions For Professionals ®
                  www.availabletechnology.com

"Gordon Fecyk" <gordonf@pan-am.ca> wrote in message
news:OOfUB4qQEHA.2452@TK2MSFTNGP11.phx.gbl...
> > 4) If you were to use the .com domain name and not something like
> > corp.contoso.com and then wanted to host your DNS for the Internet would
> you
> > really want your internal records in the same zone as the public zone?
>
> Now that's an interesting question...
>
> I know there's a potential for attack if an attacker knows where the domain
> controllers are by querying a domain's public DNS. But wouldn't that
> knowledge be useless to the attacker if, say the DCs were on private IPs
> sitting behind a NAT? And the only public IPs being mapped to names were
> things like "mail", "www" and so on that are actually being mapped to the
> NAT and port-forwarded?
>
> Let's take a hypothetical look at example.com, a fictitious SBS-hosted
> domain. sbs.example.com sits at 192.168.0.1 and the NAT router sits at
> 192.168.0.254. The NAT gets a static, public IP (let's say 192.0.2.66 for
> example) and I port-forward services I want to port-forward to sbs: SMTP,
> DNS, HTTP, HTTPS, PPTP (TCP 1723 and Protocol 47).
>
> I have the standard bunch of records (SOA, NS, _msdcs, _sites, _tcp and _udp
> trees automatically created by AD) all pointing to the internal server name
> which points to the private IP, and all the stations have dynamic DNS with
> private IPs, and finally I have some hardwired records pointing to the
> public IP on the NAT (mail, www, ns1, pptp) so this thing's reachable by
> name out on the net. The DNS Service uses my ISP's DNS servers as
> forwarders for queries. A single DNS server out on the net has zone
> transfer access to be my backup DNS, and I've tested it so it doesn't allow
> zone transfers past it.
>
> So the attacker knows the names of my internal machines and the stuff stored
> in the "_" trees... if they want to walk down the whole DNS tree because
> zone transfers were blocked. What will that tell them that they don't
> already know by looking up a Microsoft KB article describing all the
> services running on SBS? And if the NAT's doing its job, if the server's
> patched up to date, if IIS Lockdown was run, if other best practices were
> used, what can the attacker do?
>
> --
> PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
> What's a PGP Key? See <http://www.pan-am.ca/free.html>
> GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
>
>
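The zone Gordon sketches above (AD-registered _msdcs/_sites/_tcp/_udp trees and private-IP hosts sharing one zone with the public mail/www/ns1/pptp names) can be audited mechanically. The following is an added example, not code from either poster: it takes a constructed BIND-style copy of that example.com zone (the SRV owner names are the standard ones Active Directory registers for its domain controllers; the 192.0.2.66 public address, the workstation names and the site name are assumptions for the example), reports every record an Internet-facing copy of the zone would hand an attacker who walks the well-known names even with zone transfers blocked, and returns the remaining records, which is what the external half of a split zone would contain.

```python
"""Audit a DNS zone that mixes Active Directory records with public names.

Added example, not from the thread.  Models the example.com zone from the
post: the SBS box on 192.168.0.1, public names on the NAT's 192.0.2.66, and
the SRV trees AD registers.  Zone data below is constructed for the example.
"""
import ipaddress

ORIGIN = "example.com"

# Constructed zone in BIND presentation format: name IN TYPE rdata.
SAMPLE_ZONE = """
@                         IN SOA sbs.example.com. hostmaster.example.com. 2004052601 3600 600 86400 3600
@                         IN NS  sbs.example.com.
@                         IN NS  ns1.example.com.
sbs                       IN A   192.168.0.1
ws-alice                  IN A   192.168.0.51
ws-bob                    IN A   192.168.0.52
mail                      IN A   192.0.2.66
www                       IN A   192.0.2.66
ns1                       IN A   192.0.2.66
pptp                      IN A   192.0.2.66
_ldap._tcp.dc._msdcs      IN SRV 0 100 389  sbs.example.com.
_kerberos._tcp.dc._msdcs  IN SRV 0 100 88   sbs.example.com.
_ldap._tcp.gc._msdcs      IN SRV 0 100 3268 sbs.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 sbs.example.com.
_kerberos._tcp            IN SRV 0 100 88   sbs.example.com.
_kpasswd._tcp             IN SRV 0 100 464  sbs.example.com.
_ldap._tcp                IN SRV 0 100 389  sbs.example.com.
_gc._tcp                  IN SRV 0 100 3268 sbs.example.com.
_kerberos._udp            IN SRV 0 100 88   sbs.example.com.
"""

# RFC 1918 plus loopback and link-local, checked explicitly: ipaddress's
# is_private also treats the RFC 5737 documentation block 192.0.2.0/24
# (standing in for the NAT's public address here, as in the post) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Labels under which Active Directory registers its SRV records.
AD_LABELS = {"_msdcs", "_sites", "_tcp", "_udp"}


def fqdn(name, origin=ORIGIN):
    """Expand a zone-file owner or target to a fully qualified name, no trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Parse 'name IN TYPE rdata...' lines into (owner, type, rdata_fields) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        cls = fields.index("IN")
        records.append((fqdn(fields[0], origin), fields[cls + 1], fields[cls + 2:]))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(record, addr_of):
    """Reason a record must not be served to the Internet, or None if it is fine."""
    owner, rtype, rdata = record
    if rtype in ("A", "AAAA") and is_internal(rdata[0]):
        return f"{rdata[0]} is an internal address"
    if rtype == "SRV" and AD_LABELS & set(owner.split(".")):
        return "AD service locator record for " + fqdn(rdata[3])
    if rtype in ("NS", "MX", "CNAME"):
        target = fqdn(rdata[-1])
        if target in addr_of and is_internal(addr_of[target]):
            return f"points at {target}, which is unreachable from the Internet"
    return None


def audit_public_zone(records):
    """(owner, type, reason) for every record that leaks internal topology."""
    addr_of = {o: r[0] for o, t, r in records if t in ("A", "AAAA")}
    return [(o, t, reason) for o, t, r in records
            if (reason := classify((o, t, r), addr_of)) is not None]


def public_view(records):
    """The records left after removing everything flagged: the external half of a split zone."""
    addr_of = {o: r[0] for o, t, r in records if t in ("A", "AAAA")}
    return [rec for rec in records if classify(rec, addr_of) is None]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for owner, rtype, reason in audit_public_zone(recs):
        print(f"{owner:55} {rtype:4} {reason}")
```

Run against the constructed zone it flags the three private-IP hosts, all nine SRV records (which name the domain controller, its site, and which LDAP, Kerberos, kpasswd and global-catalog ports it offers) and the NS record that delegates the public zone to a server nobody on the Internet can reach; what survives is the SOA, the ns1 delegation and the four NAT-mapped names. The check on NS/MX/CNAME targets is the practical caveat in Gordon's setup: a public NS record for sbs.example.com does not leak much, but external resolvers will still try it and time out before falling back to ns1.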


