Anybody who lets NetMeeting through their firewall has much more serious
security concerns than public DNS attacks might pose.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Larry Cannell
> Sent: Tuesday, March 02, 1999 2:59 PM
> To: Bennett Todd; Jason Haar
> Cc: [EMAIL PROTECTED]
> Subject: RE: Are there security downsides to allowing outgoing Internet DNS queries?
>
>
> I can appreciate the concern you have regarding DNS. I am wondering how
> would you support applications that NEED the DNS information (apps like
> NetMeeting which does not have proxy support and needs to connect to any
> number of external data conference servers).
>
> Larry
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Bennett Todd
> > Sent: Tuesday, March 02, 1999 10:56 AM
> > To: Jason Haar
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Are there security downsides to allowing outgoing Internet DNS queries?
> >
> >
> > 1999-03-01-23:13:42 Jason Haar:
> > > I'm setting up a proxy-based firewall, and am tossing up between only
> > > allowing the DMZ hosts to have access to Internet DNS servers, or allowing
> > > the internal DNS servers to forward to the DMZ DNS server.
> >
> > This is my favourite setup: non-transparent proxies running on the firewall,
> > no external DNS visible inside.
> >
> > A big reason is that DNS data is untrustworthy, but client SW isn't always
> > written with that in mind. I'm reminded of a moderately serious wave of
> > break-ins a couple of years back, wherein the intruders would take over a DNS
> > server somewhere, then launch an attack from that machine against a victim,
> > and while I don't precisely remember the details (which daemon, I think it was
> > either talkd or fingerd) the gist was that some daemon did a reverse lookup on
> > the incoming IP addr, and stuffed the returned result into a fixed-size buffer
> > without checking it; someone managed to plant a stack-whomp root compromise in
> > that returned DNS data. Ka-Boom!
> >
> > Don't let internet DNS data past the bastion host.
> >
> > Run your own private internal DNS, or a smaller-scale name service like NIS or
> > NIS+, or just push hosts files around, whatever is the best fit for your net's
> > size, complexity, diversity, etc. Don't make internet DNS visible.
> >
> > -Bennett
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
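The failure mode Bennett describes above, as an added example that is not code from the thread: a daemon copying the name returned by a reverse lookup into a fixed-size buffer without checking it, beside a hardened version that treats the DNS answer as untrusted input. The `dns_reply` argument stands in for `hostent->h_name` so the code runs offline; `HOSTNAME_MAX` and both function names are assumptions.

```c
/* Added example (not from the thread). dns_reply stands in for the
 * h_name a reverse lookup would return; HOSTNAME_MAX is an assumed
 * size for the daemon's fixed buffer. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 64

/* Unsafe pattern: the length of the DNS reply is never checked, so a
 * PTR answer longer than HOSTNAME_MAX-1 bytes runs off the end of name[]. */
void log_peer_unsafe(const char *dns_reply) {
    char name[HOSTNAME_MAX];
    strcpy(name, dns_reply);                 /* unbounded copy */
    printf("connection from %s\n", name);
}

/* Hardened: returns 0 and copies the name into out[] only when it fits
 * and is a syntactically valid hostname (RFC 952/1123 alphabet, labels
 * of 1..63 chars, no label starting with '-'); otherwise returns -1.
 * An accepted name still proves nothing about the peer: do not use it
 * for authorization unless a forward lookup maps it back to the address. */
int copy_peer_name(const char *dns_reply, char *out, size_t outlen) {
    const char *nul = memchr(dns_reply, '\0', outlen);
    if (nul == NULL)
        return -1;                           /* no terminator within outlen: too long */
    size_t len = (size_t)(nul - dns_reply);
    if (len == 0)
        return -1;                           /* empty answer */
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)dns_reply[i];
        if (c == '.') {
            if (label == 0) return -1;       /* leading dot or ".." */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return -1;  /* spaces, control bytes, etc. */
        if (label == 0 && c == '-') return -1;   /* label may not start with '-' */
        if (++label > 63) return -1;             /* DNS label length limit */
    }
    memcpy(out, dns_reply, len + 1);         /* len < outlen, NUL included */
    return 0;
}
```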