I can appreciate the concern you have regarding DNS. I am wondering how
you would support applications that NEED the DNS information (apps like
NetMeeting which does not have proxy support and needs to connect to any
number of external data conference servers).

Larry

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Bennett Todd
> Sent: Tuesday, March 02, 1999 10:56 AM
> To: Jason Haar
> Cc: [EMAIL PROTECTED]
> Subject: Re: Are there security downsides to allowing outgoing Internet
> DNS queries?
>
>
> 1999-03-01-23:13:42 Jason Haar:
> > I'm setting up a proxy-based firewall, and am tossing up between only
> > allowing the DMZ hosts to have access to Internet DNS servers, or allowing
> > the internal DNS servers to forward to the DMZ DNS server.
>
> This is my favourite setup: non-transparent proxies running on the firewall,
> no external DNS visible inside.
>
> A big reason is that DNS data is untrustworthy, but client SW isn't always
> written with that in mind. I'm reminded of a moderately serious wave of
> break-ins a couple of years back, wherein the intruders would take over a DNS
> server somewhere, then launch an attack from that machine against a victim,
> and while I don't precisely remember the details (which daemon, I think it
> was either talkd or fingerd) the gist was that some daemon did a reverse
> lookup on the incoming IP addr, and stuffed the returned result into a
> fixed-size buffer without checking it; someone managed to plant a stack-whomp
> root compromise in that returned DNS data. Ka-Boom!
>
> Don't let internet DNS data past the bastion host.
>
> Run your own private internal DNS, or a smaller-scale name service like NIS
> or NIS+, or just push hosts files around, whatever is the best fit for your
> net's size, complexity, diversity, etc. Don't make internet DNS visible.
>
> -Bennett
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>

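The daemon pattern Bennett describes (a reverse lookup whose answer goes straight into a fixed-size buffer), shown here in its hardened form as an added example that is not code from either poster: the PTR answer is treated as untrusted input, length- and charset-checked before it touches the buffer, and cross-checked against the name's forward records. The function names, buffer size and sample answers are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF      64   /* the daemon's fixed-size buffer (constructed size) */
#define MAX_HOSTNAME 253   /* longest hostname in presentation form */

/* Vulnerable pattern from the thread (shown, not executed):
 *     strcpy(buf, hp->h_name);   // a PTR answer longer than buf smashes the stack
 * Hardened form: return 1 and copy into buf only if the name fits, is non-empty,
 * has no empty or over-long (>63) labels, and uses only letters, digits, '-', '.'. */
int store_reverse_name(const char *ptr_name, char *buf, size_t bufsz)
{
    size_t len = strlen(ptr_name);
    if (len == 0 || len > MAX_HOSTNAME || len >= bufsz)
        return 0;
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ptr_name[i];
        if (c == '.') {
            if (label == 0) return 0;      /* rejects ".x" and "a..b" */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return 0;
        if (++label > 63) return 0;
    }
    memcpy(buf, ptr_name, len + 1);        /* len < bufsz, so the NUL fits too */
    return 1;
}

/* Cross-check: the forward (A) records the caller resolved for the PTR name
 * must include the connecting address, or the reverse data is not used. */
int forward_confirms(const char *client_ip, const char *const *fwd, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(client_ip, fwd[i]) == 0) return 1;
    return 0;
}

int main(void)
{
    char buf[HOST_BUF];
    const char *fwd[] = { "192.0.2.10", "192.0.2.11" };   /* constructed A records */
    char oversized[300]; memset(oversized, 'a', 299); oversized[299] = '\0';
    printf("good name:  %d\n", store_reverse_name("mail.example.com", buf, sizeof buf));
    printf("oversized:  %d\n", store_reverse_name(oversized, buf, sizeof buf));
    printf("forward ok: %d\n", forward_confirms("192.0.2.10", fwd, 2));
    return 0;
}
```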