
Dangerous default re rDNS

Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Dangerous default re rDNS

I have always known that any site I visit can see my IP address. But I was genuinely appalled a few minutes ago to discover that if they do a Reverse DNS check on that address, it reveals my account username.
As suggested by Oldjim in reply to this post I have raised a ticket to stop this.
Surely the default should be not to reveal this? There are only two things preventing a hack, the username and the password, and revealing the first severely compromises the customer's security.
Edit - typo.
80 REPLIES 80
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Dangerous default re rDNS

Same here...didn't realise that! But I think it's automated when I requested a static IP.
Gus
Aspiring Pro
Posts: 3,236
Thanks: 26
Fixes: 3
Registered: ‎31-07-2007

Re: Dangerous default re rDNS

Raise a ticket and request an rDNS change; you can choose what you want within reason or just have it show your IP address.
FTTP 500 regrade from Tues 28th November
itsme
Grafter
Posts: 5,924
Thanks: 3
Registered: ‎07-04-2007

Re: Dangerous default re rDNS

Don't you give away your username if you use your PN email address?
Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Re: Dangerous default re rDNS

I don't even know my Plusnet email address  :P.
Gus
Aspiring Pro
Posts: 3,236
Thanks: 26
Fixes: 3
Registered: ‎31-07-2007

Re: Dangerous default re rDNS

anything@username.plus.com
FTTP 500 regrade from Tues 28th November
Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Re: Dangerous default re rDNS

A good reason not to use it then.
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Dangerous default re rDNS

Spotted at TBB - this is the relevant page for requesting a change https://www.plus.net/wizard/?p=wizard&page=22425&wizard_id=38
Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Re: Dangerous default re rDNS

Yes, I saw that as well Jim, and your post saying you had posted it here.
But none of this addresses the basic issue. The default should be to the IP address alone, not the account username. It is simply incomprehensible and very insecure for it to be as it is, without even a warning at request time through the Member Centre.
adamwalker
Plusnet Help Team
Plusnet Help Team
Posts: 16,871
Thanks: 882
Fixes: 221
Registered: ‎27-04-2007

Re: Dangerous default re rDNS

I understand your concern; however, nothing at all can be done with a username without its accompanying password. I'm not saying that as an excuse, more to belay any belief that it could be seen as a security breach.
 Adam Walker
 Plusnet Help Team
Bright
Grafter
Posts: 363
Registered: ‎02-02-2013

Re: Dangerous default re rDNS

The security of my Plusnet account is protected by two text strings. One is called "username" and the other is called "password". Anyone who knows both can access my account.
With the current default for rDNS on fixed IPs, I potentially reveal my username to every site I visit on the internet. By definition, that therefore reduces the security of my account, although it doesn't breach it. My account is still protected by the complexity of the password I have chosen. Given what we now know about the poor password practices employed by MOST internet users (who are all human, after all), the revelation of the username is significant. It would be good security practice to eliminate this issue.
orbrey
Plusnet Alumni (retired)
Plusnet Alumni (retired)
Posts: 10,540
Registered: ‎18-07-2007

Re: Dangerous default re rDNS

See what you're saying, but this only happens with static IPs which wouldn't really be used by less IT literate people?
Just playing devil's advocate rather than trying to say the idea's without merit, we'll make sure it's passed on.
Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Re: Dangerous default re rDNS

Quote from: Matt
... but this only happens with static IPs which wouldn't really be used by less IT literate people?
Even then, IT literate people are unlikely to have a 64-character alphanumeric plus special character password  ;). Several may also ask for a static IP address just so they can run the TBB BQM, (which is my only need for one), without really being particularly savvy.
How many password attempts are allowed before the system locks the account access please Matt?
orbrey
Plusnet Alumni (retired)
Plusnet Alumni (retired)
Posts: 10,540
Registered: ‎18-07-2007

Re: Dangerous default re rDNS

Sorry for the delay in response. I believe it's ten, and then all attempts are blocked and our networks security team are notified directly.
gordonsuk
Grafter
Posts: 39
Registered: ‎20-01-2013

Re: Dangerous default re rDNS

Not wanting to hijack the thread, but I thought this was relevant.
Just had a reply to a ticket asking for a change to rDNS; I have been told that it does not resolve to the IP. However, on checking via several sites, they all show it resolves to the correct static IP. Come on Plusnet, get it right!!!
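
Added example, not part of any post in this thread: a self-check for the two points raised above, namely whether the PTR record for your static IP contains your account username, and whether that PTR name resolves back to the same IP. The function names are chosen for this example, and the addresses, hostnames and username in the sample tables are constructed.

```python
import ipaddress
import re
import socket

def reverse_name(ip):
    """Live PTR lookup: hostname for ip, or None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def forward_addrs(host):
    """Live forward lookup: set of addresses the hostname resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def audit_rdns(ip, username, ptr_lookup=reverse_name, fwd_lookup=forward_addrs):
    """Report whether ip's PTR name exposes username and resolves back to ip."""
    ip = str(ipaddress.ip_address(ip))          # rejects malformed input
    ptr = ptr_lookup(ip)
    report = {"ip": ip, "ptr": None, "leaks_username": False,
              "forward_confirmed": False}
    if not ptr:
        return report
    ptr = ptr.rstrip(".").lower()
    user = username.lower()
    tokens = re.split(r"[.\-_]", ptr)           # also catches e.g. host-username
    report["ptr"] = ptr
    report["leaks_username"] = user in ptr.split(".") or user in tokens
    report["forward_confirmed"] = ip in fwd_lookup(ptr)
    return report

# Constructed sample data (documentation address range, made-up names).
SAMPLE_PTR = {"203.0.113.10": "exampleuser.isp.example.",
              "203.0.113.11": "203-0-113-11.static.isp.example"}
SAMPLE_FWD = {"exampleuser.isp.example": {"203.0.113.10"},
              "203-0-113-11.static.isp.example": {"203.0.113.99"}}  # mismatch

def sample_audit(ip, username):
    """Run audit_rdns against the constructed tables instead of live DNS."""
    return audit_rdns(ip, username, SAMPLE_PTR.get,
                      lambda host: SAMPLE_FWD.get(host, set()))

if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        print(sample_audit(addr, "ExampleUser"))
```

To check a real connection, call `audit_rdns(your_ip, your_username)` with the default lookups, which query live DNS.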