
Dangerous default re rDNS

racquel
Grafter
Posts: 181
Thanks: 4
Registered: ‎21-11-2008

Re: Dangerous default re rDNS

What does "avoidance of swear filter removed" mean? I didn't swear, or try and avoid the swear filter.
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Dangerous default re rDNS

The word you used had **** instead of letters to change it from an unacceptable word
racquel
Grafter
Posts: 181
Thanks: 4
Registered: ‎21-11-2008

Re: Dangerous default re rDNS

Yes, so if it was changed FROM an unacceptable word, then surely it was no longer unacceptable, so why re-censor a word which wasn't unacceptable?!  Crazy
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Dangerous default re rDNS

http://community.plus.net/forum/index.php/topic,218.0.html#post_censor
Quote
Use of inappropriate language
The use of swear words, or disguised swear words, in a post is not allowed on the forums. Any attempt to avoid the swear filter will be dealt with.
So changing the avoidance back to the undisguised word triggered the automatic word censor
Phileasfrog
Grafter
Posts: 51
Registered: ‎01-08-2007

Re: Dangerous default re rDNS

Not sure if it has been mentioned already however the link on the PN rDNS Help Assistant page (Tools to check your reverse DNS setup) links to Iptools.com but this is no longer of much use.  The domain appears to be for sale and you are greeted by a load of the usual useless advert links!  Perhaps time to update?
I was also completely unaware of the default static IP setting when I migrated a month or so ago.  The default should be "static IP.plus.com".  There can be no valid reason or excuse to allow the username to be given.
Anonymous
Not applicable

Re: Dangerous default re rDNS

Quote
There can be no valid reason or excuse to allow the username to be given.

I think you are wrong, and that the username should be the default!
If you are setting up a static IP address for your connection, then you are most likely doing it so that services that you are hosting on your connection can be accessed from the internet. 
For example you might want to host your own web server that can be accessed by family and friends, you wouldn't then tell your Grandma to open a web browser and type "http://212.159.234.210/photosdirectory/index.html", NO you would say type "www.myusername.plus.net" and click on "Photos".
Other than perhaps signing up for the ThinkBroadband quality monitor which monitors an IP address, most other services that externally access your static IP will be wanting your domain name - which in the simplest default case happens to be your Plusnet username.
Perhaps people should be more careful about choosing their Plusnet account username, if they intend to advertise it to the world.
Don't forget that if you are using your Plusnet account for your emails, then it won't be long before a spammer somewhere will know your Plusnet username because it forms part of the email address.
Crazy
What I do object to is that if you register a unique internet domain in the UK as a private individual, while you can ask for your address and phone number to be hidden, your full name DOES appear when you do a 'WhoIs' lookup on your domain.  Worse still is if you register for domains or IP address allocations from foreign companies, then they will often publish your full home address details, and possibly phone number, for everyone to see - SO BEWARE !
Angry
Phileasfrog
Grafter
Posts: 51
Registered: ‎01-08-2007

Re: Dangerous default re rDNS

I doubt that many would agree with you.  There are many reasons to want a static IP - mine is the ability to access IP Webcams externally.  At the very least, when a customer is asked to create a Username, PN should warn them clearly of the consequences if / when a static IP is requested, and what the default scenario will be - ie that their Username will effectively be advertised to the world.  I don't use PN for my emails - I have my own domain (hosted elsewhere). 
If you do want to advertise your Username then that is fine (and this will satisfy the needs of the example you gave), but the default, imho, should be for the IP address only, unless you specifically request PN.
Anonymous
Not applicable

Re: Dangerous default re rDNS

@Phileasfrog -
I couldn't find your webcam on the internet, but I did find your holiday photos amusing ! - Phileasfrog on holiday !  Grin
Phileasfrog
Grafter
Posts: 51
Registered: ‎01-08-2007

Re: Dangerous default re rDNS

I like it!
Bright
Grafter
Posts: 363
Registered: ‎02-02-2013

Re: Dangerous default re rDNS

Quote from: purleigh
I think you are wrong, and that the username should be the default !
...
Perhaps people should be more careful about choosing their Plusnet account username, if they intend to advertise it to the world.

Sorry, I have to disagree  Smiley
When I chose my Plusnet username I was under the impression I was choosing one half of the login credentials for my account. It didn't even cross my mind that, with a fixed IP, PN would advertise my username to every single web site I visit and they certainly didn't tell me what it would/could be used for. So the safer default option would be to use the IP address for rDNS, as Phileasfrog suggests. Then for those users who want a more memorable URL for their granny, they can either use their own domain name (my choice) or their username if they, personally, are comfortable with that. I get the impression racquel wasn't!  I'm not either.
kmilburn
Grafter
Posts: 911
Thanks: 6
Registered: ‎30-07-2007

Re: Dangerous default re rDNS

In fact,  changing the rDNS setting has no impact on the main DNS entry as they don't have to be symmetrical.
For example,  212.159.6.9 resolves as cdns01.plus.net,  while cdns01.plus.net doesn't resolve.
So changing the rDNS setting to your ip address makes no difference to your DNS entry,  and you can still be accessed by username.plus.com.
racquel
Grafter
Posts: 181
Thanks: 4
Registered: ‎21-11-2008

Re: Dangerous default re rDNS

Quote from: Bright
When I chose my Plusnet username I was under the impression I was choosing one half of the login credentials for my account. It didn't even cross my mind that, with a fixed IP, PN would advertise my username to every single web site I visit and they certainly didn't tell me what it would/could be used for.

Me too. In fact, here's a reply from Plusnet just now:
Quote
Thank you for getting back to us.
Unfortunately I would be unable to refund the £5 charge [actually 2*£5 now], as this is the standard charge for adding a static IP. If you did wish for us to re-add a static IP, I could have done this with no additional cost to yourself and arrange for the rDNS to be updated as part of this, but as you added this via the portal this amount was applied to your account correctly.
I can confirm that as part of the sign up journey we do indicate that the username will form part of your email address as shown below:

I appreciate that we are currently talking about the rDNS of the static IP but the principle is the same, we do advise that your username will be viewable as part of your email address and as this is the case we would not consider this a breach of the Data Protection Act.
If you wish to raise a complaint regarding this, you can do so at the following link: Complaints Policy.

So they can't tell me where, on any of these pages, that it warns me that my username will be in the rDNS?
https://www.plus.net/AddOns.html
http://www.plus.net/support/broadband/products/IP_addresses_broadband.shtml
http://www.plus.net/support/customer_service/using/usernames_guide.shtml
There's a help-page at https://www.plus.net/wizard/?p=wizard&page=22425&wizard_id=38 which talks about the default rDNS settings.
At the foot of which is a link to http://www.iptools.com/ which is a domain for sale (very helpful).
This help page is not linked to from any of the static IP signup pages.
Quote
I appreciate that we are currently talking about the rDNS of the static IP but the principle is the same.
In what way is a clear note that my username will be the same as my email address which I choose to give out or not, "the same principle" as telling every website I visit my plusnet username without any warning? Particularly as this would be a change from one situation to another.
Quote
If you did wish for us to re-add a static IP, I could have done this with no additional cost to yourself and arrange for the rDNS to be updated as part of this, but as you added this via the portal this amount was applied to your account correctly.

Where does it say that?! So it's cheaper for you to have me holding for 30 minutes and get someone to physically do something, than it is for me to click a button?!
Needless to say I've just replied to the ticket asking for clarification and whether this is PN's final answer before starting the process at http://www.ico.gov.uk/complaints/handling.aspx
pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Dangerous default re rDNS

Quote from: Bright
Quote from: purleigh
I think you are wrong, and that the username should be the default !
...
Perhaps people should be more careful about choosing their Plusnet account username, if they intend to advertise it to the world.

Sorry, I have to disagree   Smiley

+1
Plusnet ought to default to something anonymous and offer the option to associate the username with the rDNS entry.  I don't use Plusnet email so, now the rDNS entry is IP based, there's nothing that advertises my username...
Bright
Grafter
Posts: 363
Registered: ‎02-02-2013

Re: Dangerous default re rDNS

Quote from: kmilburn
In fact,   changing the rDNS setting has no impact on the main DNS entry as they don't have to be symmetrical.

They don't have to be, but it's generally considered good practice if they are. Indeed some services won't work if the forward and reverse DNS entries don't match.
@racquel
Like you, I wasn't very pleased to discover my username being accessible to every site I visit on the internet (especially as it reveals my identity), although I'm not as angry about it as you are. If you do go as far as complaining to the ICO, I'll be interested to know what their response is. Keep us posted about how you get on with them and PN!
BTW, in Plusnet's defence, I think defaulting to the username was probably a policy decision made before security/privacy became such a strong concern. Somebody didn't really think through the possible consequences. Although I'm surprised that fixing it hasn't been a higher priority.
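The forward/reverse relationship discussed in the posts above, as an added example that is not part of any poster's message: a small self-audit that looks up the PTR name for an IPv4 address, checks whether that name resolves back to the same address, and applies a simple heuristic for whether the name is derived from the IP or carries a chosen label such as a username. The 192.0.2.x addresses and `host-192-0-2-11.example.net` are constructed sample data; `212.159.6.9`, `cdns01.plus.net` and `username.plus.com` are the values quoted in the thread.

```python
import ipaddress
import re
import socket

def system_ptr(ip):
    """PTR lookup through the OS resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Forward lookup through the OS resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def ptr_embeds_ip(ip, ptr_name):
    """Heuristic: do the four octets appear in order (or reversed) in the name?"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    groups = re.findall(r"\d+", ptr_name)
    for want in (octets, octets[::-1]):
        if any(groups[i:i + 4] == want for i in range(len(groups) - 3)):
            return True
    return False

def audit_rdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Report what the reverse record reveals and whether forward DNS confirms it."""
    name = ptr_lookup(ip)
    if name is None:
        return {"ptr": None, "forward_confirmed": False, "ip_derived": False}
    name = name.rstrip(".").lower()
    return {"ptr": name,
            "forward_confirmed": ip in forward_lookup(name),
            "ip_derived": ptr_embeds_ip(ip, name)}

# Constructed offline tables standing in for real DNS answers.
SAMPLE_PTR = {"212.159.6.9": "cdns01.plus.net",            # pair quoted in the thread
              "192.0.2.10": "username.plus.com",           # constructed address
              "192.0.2.11": "host-192-0-2-11.example.net"} # constructed
SAMPLE_FWD = {"username.plus.com": {"192.0.2.10"},
              "host-192-0-2-11.example.net": {"192.0.2.11"}}

def sample_audit(ip):
    """Run the audit against the constructed tables instead of live DNS."""
    return audit_rdns(ip, SAMPLE_PTR.get, lambda n: SAMPLE_FWD.get(n, set()))

if __name__ == "__main__":
    for addr in SAMPLE_PTR:
        print(addr, sample_audit(addr))
```

Calling `audit_rdns("<your static IP>")` with the default resolvers runs the same check against live DNS; a result with `ip_derived` false means the reverse record carries a chosen label rather than the address.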
Phileasfrog
Grafter
Posts: 51
Registered: ‎01-08-2007

Re: Dangerous default re rDNS

I applied entirely over the 'phone and was requested to give a Username.  At no time was I given the warning about the ongoing consequence of requesting a static IP.  When my BB was active I phoned again and requested a static IP - again with no further info or warning.