topic Re: Dangerous default re rDNS in Plusnet Feedback

Dangerous default re rDNS

Estragon — Fri, 01 Feb 2013 18:40:41 GMT

I have always known that any site I visit can see my IP address. But I was genuinely appalled a few minutes ago to discover that if they do a Reverse DNS check on that address, it reveals my account username.
As suggested by Oldjim in reply to this post I have raised a ticket to stop this.
Surely the default should be not to reveal this? There are only two things preventing a hack, the username and the password, and revealing the first severely compromises the customer's security.
_{Edit - typo.}

Re: Dangerous default re rDNS

AndyH — Fri, 01 Feb 2013 19:58:14 GMT

Same here...didn't realise that! But I think it's automated when I requested a static IP.

Re: Dangerous default re rDNS

Gus — Fri, 01 Feb 2013 20:12:33 GMT

raise a ticket and request a rdns change, you can choose what you want within reason or just have it show your IP address

Re: Dangerous default re rDNS

itsme — Fri, 01 Feb 2013 21:08:04 GMT

Don't you give away your username if you use your PN email address?

Re: Dangerous default re rDNS

Estragon — Fri, 01 Feb 2013 21:30:42 GMT

I don't even know my Plusnet email address :P.

Re: Dangerous default re rDNS

Gus — Fri, 01 Feb 2013 21:46:40 GMT

anything@username.plus.com

Re: Dangerous default re rDNS

Estragon — Fri, 01 Feb 2013 23:07:20 GMT

A good reason not to use it then.

Re: Dangerous default re rDNS

Oldjim — Sat, 02 Feb 2013 11:09:16 GMT

Spotted at TBB - this is the relevant page for requesting a change https://www.plus.net/wizard/?p=wizard&page=22425&wizard_id=38

Re: Dangerous default re rDNS

Estragon — Sat, 02 Feb 2013 23:22:34 GMT

Yes, I saw that as well Jim, and your post saying you had posted it here.
But none of this addresses the basic issue. The default should be to the IP address alone, not the account username. It is simply incomprehensible and very insecure for it to be as it is, without even a warning at request time through the Member Centre.

Re: Dangerous default re rDNS

adamwalker — Mon, 04 Feb 2013 10:11:47 GMT

I understand your concern, however nothing at all can be done with a username without its accompanying password. I'm not saying that as an excuse more to belay any belief that it could be seen as a security breach.

Re: Dangerous default re rDNS

Bright — Tue, 05 Feb 2013 09:39:16 GMT

The security of my Plusnet account is protected by two text strings. One is called "username" and the other is called "password". Anyone who knows both can access my account.
With the current default for rDNS on fixed IPs, I potentially reveal my username to every site I visit on the internet. By definition, that therefore reduces the security of my account, although it doesn't breach it. My account is still protected by the complexity of the password I have chosen. Given what we now know about the poor password practices employed by MOST internet users (who are all human, after all), the revelation of the username is significant. It would be good security practice to eliminate this issue.

Re: Dangerous default re rDNS

orbrey — Tue, 05 Feb 2013 14:15:24 GMT

See what you're saying, but this only happens with static IPs which wouldn't really be used by less IT literate people?
Just playing devil's advocate rather than trying to say the idea's without merit, we'll make sure it's passed on.

Re: Dangerous default re rDNS

Estragon — Tue, 05 Feb 2013 16:19:38 GMT

Quote from: Matt
... but this only happens with static IPs which wouldn't really be used by less IT literate people?.

Even then, IT literate people are unlikely to have a 64-character alphanumeric plus special character password ;). Several may also ask for a static IP address just so they can run the TBB BQM, (which is my only need for one), without really being particularly savvy.
How many password attempts are allowed before the system locks the account access please Matt?

Re: Dangerous default re rDNS

orbrey — Thu, 07 Feb 2013 09:59:55 GMT

Sorry for the delay in response. I believe it's ten, and then all attempts are blocked and our networks security team are notified directly.

Re: Dangerous default re rDNS

gordonsuk — Thu, 07 Feb 2013 10:20:39 GMT

Not wanting to hijack the thread, but I thought this was relevant.
Just had reply to a ticket asking for a change to rDNS, have been told that it does not resolve to the ip. However on checking via several sites they all show it resolves to the correct static ip. Come on Plusnet get it right!!!

Re: Dangerous default re rDNS

orbrey — Thu, 07 Feb 2013 11:20:51 GMT

Hi there,
Really sorry about that - I've fed back to the agent directly and he's picking it up again now. The change should be made for you shortly.

Re: Dangerous default re rDNS

orbrey — Thu, 07 Feb 2013 11:30:43 GMT

Ah, apologies - the domain may resolve to that IP but you've not got an A record set up which is why the rDNS is failing. If you could get that added via your domain control panel we can get it sorted for you.

Re: Dangerous default re rDNS

gordonsuk — Thu, 07 Feb 2013 11:39:51 GMT

Not sure what's going on here. But feel free to check again, have confirmed an A record does exist.

Re: Dangerous default re rDNS

orbrey — Thu, 07 Feb 2013 11:53:25 GMT

An A record exists for the root of the domain, the issue is the CNAME record that's pointing mail.domain to the IP the root domain points to. If this is swapped for an A record (as per Bob's response to you on your ticket) we'll be able to make the change for you - though unfortunately we'll need to wait for DNS propagation before it's picked up.
Hope that helps explain.

Re: Dangerous default re rDNS

gordonsuk — Thu, 07 Feb 2013 11:59:41 GMT

Thanks guys -Hopefully the update will not take to long.