On Tue, 2 Mar 1999, Jason Haar wrote:

:Says it all really.
:
:I'm setting up a proxy-based firewall, and am tossing up between only
:allowing the DMZ hosts to have access to Internet DNS servers, or allowing
:the internal DNS servers to forward to the DMZ DNS server. The latter would
:then allow internal users to lookup Internet hosts - even though they
:couldn't then connect to them.
:
:I have my reasons for wanting the latter, but am concerned that I may be
:compromising some security in the process. I can't think of anything myself...
:
:So the million dollar question is: does allowing internal hosts to do DNS
:lookups compromise anything?

Short answer: Maybe.

Depending on your level of paranoia, you may worry about cache poisoning
from information coming into your nameserver that is relied upon by
your internal hosts. If they can't get out of the network anyway,
it doesn't matter. Even if they did, the attack would require knowledge
of the hostnames of your internal network (which are assumed to be 
unqueryable) and that the user was allowed to telnet out of your 
network. This would also assume that there was some sort of access
via the external firewall interface to the internal network. 

See CERT Advisory CA-97.22 for the vague cert-like hand-wavy details 
of DNS poisoning. 

It is good to keep inside dns and outside dns separate, if not to alleviate
esoteric threats, at least for posterity ;)

If users can't connect to outside hosts anyway, why do they need to know
about them?  It's using the principle of getting access on a need-to-know
basis. 

A potential solution to this would be to use a web cache in your DMZ
which would handle lookups and allow you to filter content, if web
access is indeed your reason for allowing dns traffic. 

I hope this has been of some help. I am speculating
wildly about your policy and network setup, so YMMV. :) 

-j 
--
jamie.reid              
Chief Reverse Engineer 
Superficial Intelligence Research Division
Defective Technologies
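For readers who want to see what the "internal servers forward to the DMZ server, inside and outside DNS kept separate" arrangement looks like in practice, here is an added example in BIND named.conf syntax. It is not part of the thread and not Jason's or Jamie's configuration; the addresses, the acl names, the zone name example.internal and the file paths are all constructed for illustration. The two servers are shown as two separate files.

```conf
// ===== File 1: named.conf on the DMZ resolver (constructed address 192.0.2.53) =====
// This box does recursion toward the Internet. It carries no internal zone
// data at all, so even a poisoned cache here cannot hand out bogus answers
// for internal names: it has never heard of them.
acl internal { 10.0.0.0/8; };      // constructed internal range
acl dmz      { 192.0.2.0/24; };    // constructed DMZ range

options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-query     { internal; dmz; localhost; };
    allow-recursion { internal; dmz; localhost; };   // nobody outside may recurse through us
};

// ===== File 2: named.conf on the internal nameserver (constructed address 10.0.0.53) =====
// Authoritative for the inside, unreachable from the Internet, and only able
// to resolve outside names by asking the DMZ resolver.
acl internal { 10.0.0.0/8; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    allow-query     { internal; localhost; };
    allow-recursion { internal; localhost; };
    forward only;                      // never contact Internet nameservers directly
    forwarders { 192.0.2.53; };        // the DMZ resolver is the only upstream
};

// Internal zone lives only here; the DMZ resolver has no copy of it.
zone "example.internal" {
    type master;
    file "master/example.internal";    // constructed path
};
```

With `forward only`, the internal server still answers example.internal from its own zone file and sends everything else to 192.0.2.53; if the DMZ resolver is down, outside lookups simply fail rather than leaking to the Internet. The matching firewall policy is the one the thread describes: port 53 from 10.0.0.53 to 192.0.2.53 only, and from the DMZ resolver to the Internet, with no DNS path from outside to the internal server.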


