Solved

RDP over DNS name or IP

Posted on 2010-09-17
Last Modified: 2012-05-10
Hi,

I have heard that an RDP session over a DNS name is less safe than over TCP?

Is that right?

regards
insi01
Question by:insi01
13 Comments
 

Expert Comment

by:arweeks
ID: 33706095
I can't possibly imagine why. I assume you mean using the name of the server rather than the IP address.
The client will resolve the name to an IP address and connect using the IP anyway. The client can't connect to a hostname over TCP/IP, only to an IP address. The only difference is whether you ask the client to resolve the name rather than typing in the IP yourself.
 

Expert Comment

by:Lee W, MVP
ID: 33706180
Agreed - where did you hear this?
 

Expert Comment

by:JBond2010
ID: 33706206
No, this is not correct. RDP sessions over DNS are not less secure. The purpose of DNS is to resolve host names to IP addresses in the form of A records, to make browsing the Internet user-friendly instead of having to type in numbers in the form of IP addresses. If you have a properly configured router/firewall and are using strong passwords then you should have nothing to be concerned about.

I do see the point you're coming from: if you have DNS records pointed at the public IP of your server then this can give away some information over the Internet, whereas if you just have a public IP for your network but no associated records then it exposes less. But like I said, there is nothing wrong with RDP sessions via DNS or IP address. Remember that a lot of engineers have to have host records in place for backup purposes, email, etc. Just make sure that the security of your network is intact: strong passwords, properly configured router/firewall. You can use an external port scanner to scan your public IP to see what ports are open, and you can do the same internally on your LAN.

Hope this helps.

Expert Comment

by:Darius Ghassem
ID: 33708623
Doesn't really matter since if you use actual name it will resolve to an IP address.
 

Author Comment

by:insi01
ID: 33712499
Hi All,

I will try to clarify this by contacting the MCT who told me that.

insi01
 

Author Comment

by:insi01
ID: 33729259
Hi All,

Sorry, I was wrong. He meant I should never use IP addresses when mapping network drives. I should use
the hostname or FQDN.

insi01
 

Expert Comment

by:Darius Ghassem
ID: 33729332
You can use IP addresses for mapping network drives; actually, IP-based network drives are sometimes a better solution than hostnames. If you have resolution issues then your network drives would not work. This is why using the IP address allows you not to rely on network name resolution: instead it connects directly by IP address.
 

Author Comment

by:insi01
ID: 33729603
dariusq,
Yes, but it is less safe than using the hostname because Kerberos is not used.
 

Expert Comment

by:Darius Ghassem
ID: 33734036
No, it all resolves to an IP address.
 

Author Comment

by:insi01
ID: 33762046
dariusq,

This is what the MCT said to me (translated with Office Translator):

...I said that for a network logon, such as mapping a network drive, you had better not map it through an IP address, because that bypasses Kerberos. Kerberos doesn't work with IP addresses, only with a hostname or FQDN. If you use \\<server-ip>\Share, i.e. the IP address in the UNC path, the server must use NTLM authentication to forward your credentials to a DC (pass-through). In this case a Kerberos service ticket is not requested. NTLM pass-through is not nearly as secure as Kerberos, because the password hash can be captured and cracked more easily. If instead you use \\<serverNAME>\Share, you get a highly secure Kerberos service ticket valid for a period of 10 hours (domain policy). During this time the server does not need to contact any DC. After 10 hours, the ticket is automatically renewed.

I hope it was translated understandable.

Regards
insi01
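The instructor's claim in the comment above can be checked rather than taken on trust. The following PowerShell is an added example for this thread, not the instructor's or any poster's code. It assumes a domain-joined Windows client, a file server with the hypothetical FQDN fs01.corp.example and hypothetical address 10.0.0.5 exposing a share called Data, and, for the last step, rights to read the Security log on that file server. It maps the same share by name and by IP, uses klist on the client to see whether a cifs/ service ticket was obtained, and then reads event 4624 on the server to see which authentication package (Kerberos or NTLM) each network logon actually used.

```powershell
# Added example, not code from the thread. Hypothetical names and addresses:
$server   = 'fs01.corp.example'   # FQDN of the file server (assumed)
$serverIp = '10.0.0.5'            # IP address of the same server (assumed)

# --- 1. Map the same share by name and by IP address ------------------------
# With the name, the SMB client can build the SPN cifs/fs01.corp.example and
# ask a DC for a Kerberos service ticket. With the bare address there is no
# matching SPN, so the client falls back to NTLM and the server has to
# pass-through-validate the response against a DC.
net use X: "\\$server\Data"   | Out-Null
net use Y: "\\$serverIp\Data" | Out-Null

# --- 2. Client side: was a cifs/ ticket issued for the server? --------------
# klist lists the tickets in the current logon session. A line such as
#   Server: cifs/fs01.corp.example @ CORP.EXAMPLE
# proves the name-based mapping used Kerberos. A default client gets no
# cifs/10.0.0.5 entry for the IP-based mapping.
$tickets = klist 2>$null
if ($tickets -match "cifs/$([regex]::Escape($server))") {
    "Kerberos service ticket found for cifs/$server"
} else {
    "No cifs/$server ticket: that mapping did not use Kerberos"
}
if (-not ($tickets -match "cifs/$([regex]::Escape($serverIp))")) {
    "No cifs/$serverIp ticket, as expected: the IP mapping used NTLM"
}

# --- 3. Server side: which package authenticated each network logon? --------
# Security event 4624 on the file server records AuthenticationPackageName
# for every logon. LogonType 3 is a network logon, which is what an SMB
# connection produces. Grouping by client address and package shows which
# clients still reach this server over NTLM.
function Get-NetworkLogonPackages {
    param([int]$MaxEvents = 1000)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                 -MaxEvents $MaxEvents |
        ForEach-Object {
            # Read EventData fields by name rather than by the positional
            # order of $_.Properties, which differs between Windows versions.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $fields[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $fields['TargetUserName']
                LogonType = $fields['LogonType']
                Package   = $fields['AuthenticationPackageName']  # Kerberos / NTLM
                LmPackage = $fields['LmPackageName']              # e.g. NTLM V2
                ClientIp  = $fields['IpAddress']
            }
        } |
        Where-Object { $_.LogonType -eq '3' }
}

Get-NetworkLogonPackages |
    Group-Object ClientIp, Package |
    Select-Object Count, Name |
    Sort-Object Name
```

On the server, the mapping made by name shows up as a LogonType 3 event with Package = Kerberos, and the mapping made by IP as Package = NTLM (with LmPackage naming the NTLM flavour). Two caveats: the same NTLM fallback happens for a DNS alias (CNAME) that has no matching SPN, so "use a name" really means "use a name that has an SPN registered for the service"; and on Windows 10 / Windows Server 2016 and later a client can be explicitly configured to build SPNs from IP addresses, so the "IP means NTLM" rule holds for default clients rather than universally. The 4624 query is the check to run either way, since it reports what actually happened rather than what the UNC path suggests.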
 

Expert Comment

by:Darius Ghassem
ID: 33769712
Here is the thing: when you use \\servername, this must be translated to an IP address. The client doesn't know where the server is unless it can find the IP of the server.
 

Accepted Solution

by:insi01
ID: 33798746
Always work with the FQDN or hostname, because the Kerberos SSP (Security Support Provider) accepts only an FQDN or hostname. IP resolution happens in another layer and NOT through Kerberos.

insi01
 

Author Comment

by:insi01
ID: 33917786
The answer was given by an external Instructor