Information disclosure by design worries.

Discussion in 'General' started by djtremors, Nov 5, 2006.

  1. djtremors

    djtremors New Member

    hey all,

    I just noticed something I'm not feeling comfortable with and I don't know if any other users of ISPC would be happy with either.

    The reverse pointer records for the IP address the ISPConfig server is configured on display all hosted sites that are on it. This is something I'm not comfortable with even though it's an easy hack to do to remove this in code.

    The command below displays every web site hosted by my mate's ISPConfig server when using the real name and reversed IP address.
    dig @matesserver.com.au ess.dr.add.his.in-addr.arpa IN PTR

    Now, at my work we host 40-50 sites and I have never had the need to put reverse IP records in and have never had problems doing this. Is there anything that makes this absolutely needed, as I prefer to remove these records?

    My basic worry is that it exposes to anyone who knows you have ISPC running what sites you host and how many. A leak I wouldn't want.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    We add the reverse records because some large mail providers like hotmail or the German provider web.de tend to mark your mails as spam if you don't have a reverse record.

    But it might be a good idea to add a checkbox to disable reverse DNS for domains.
     
  3. djtremors

    djtremors New Member

    My ISP holds the records for the IP and I only need 1 name to it and not all the hosted names and yet I still get hotmail fine. I can't say much about German providers though.

    I think having just the hosting server's name in there to begin with and enabling it per domain as you said would be good.
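
A check an administrator could run against their own reverse zone to see what the PTR lookup discussed in this thread reveals. This is an added example, not code from the thread or from ISPConfig; the zone text, host names and function names are constructed, and each PTR line is assumed to carry its owner name explicitly.

```python
import re
from collections import defaultdict

# Constructed sample reverse zone (documentation address range, made-up names).
SAMPLE_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
$TTL 86400
@   IN SOA ns1.example.test. hostmaster.example.test. 1 3600 900 604800 86400
@   IN NS  ns1.example.test.
10  IN PTR server1.example.test.   ; the hosting server itself
10  IN PTR www.customer-a.test.
10  IN PTR www.customer-b.test.
10  3600 IN PTR shop.customer-c.test.
11  IN PTR mail.example.test.
"""

# owner [ttl] [IN] PTR target
PTR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?PTR\s+(?P<target>\S+)", re.IGNORECASE)

def ptr_map(zone_text):
    """Map each fully qualified owner name to the list of its PTR targets."""
    origin, records = "", defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop zone-file comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = PTR_LINE.match(line)
        if not m:
            continue                              # SOA, NS, $TTL, blank lines
        owner = m.group("owner")
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"           # relative name: append origin
        records[owner].append(m.group("target").lower())
    return dict(records)

def extra_ptrs(zone_text, keep):
    """Owners with more than one PTR, and the names beyond the ones in `keep`."""
    keep = {k.lower() for k in keep}
    report = {}
    for owner, targets in ptr_map(zone_text).items():
        extra = [t for t in targets if t not in keep]
        if len(targets) > 1 and extra:
            report[owner] = extra
    return report

if __name__ == "__main__":
    for owner, names in extra_ptrs(SAMPLE_ZONE, {"server1.example.test."}).items():
        print(f"{owner} also answers with {len(names)} hosted names: {names}")
```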
     
