Re: Are there security downsides to allowing outgoing Internet DNSqueries?

Wed, 3 Mar 1999 07:36:54 -0500 

sounds like you need that ole split brain DNS ala my note ( which I think
) I hurriedly sent yesterday.

Are you running transparent proxies ? If so, with split brain DNS and
transparent proxies, there wouldn't be any need for your wildcard A record
and web page for users telling them to use the proxies.

 
===================================================================
Larry Chin {[EMAIL PROTECTED]}      Technical Specialist - ISC
Sprint Canada                     2550 Victoria Park Avenue
Phone: 416.496.1644 ext. 4693     Suite 200, North York, Ontario
Fax:   416.498.3507               M2J 5E6
===================================================================

On Wed, 3 Mar 1999, Jason Haar wrote:

> On Tue, Mar 02, 1999 at 05:59:24PM -0500, Larry Cannell wrote:
> > I can appreciate the concern you have regarding DNS. I am wondering how
> > would you support applications that NEED the DNS information (apps like
> > NetMeeting which does not have proxy support and needs to connect to any
> > number of external data conference servers).
> 
> Hmm - sounds like I should have provided more info after all..
> 
> Netmeeting isn't a problem as netmeeting isn't supported :-)
> 
> Ours is a proxy-based firewall - which means I really don't have to worry
> about our internal DNS having no access to the Internet's DNS servers.
> However, our parent company has decided to go with a PIX (read: NAT or
> transparent firewall) solution which means they do have access to Internet
> DNS servers. 
> 
> My concern was when their users come over to our network and plug in,
> nothing will work as their firewall design and ours are at almost opposite
> ends of the spectrum. If I allowed DNS through, then some tricks are made
> available to me to help ease the confusion.
> 
> What I wish was available was a "fake" DNS server where I could wildcard all
> "A" records to point to an internal box running things like a web server
> that returns a page telling users they have to configure their browser to
> use our proxy! 
> 
> -- 
> Cheers
> 
> Jason Haar
> 
> Unix/Network Specialist, Trimble NZ
> Phone: +64 3 3391 377 Fax: +64 3 3391 417
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

Reply via email to