On Wed, Mar 03, 1999 at 06:37:41AM -0500, Larry Chin wrote:
> sounds like you need that ole split brain DNS ala my note (which I think)
> I hurriedly sent yesterday.
Your suggestion explains _exactly_ what I was looking at. I'm still
concerned that DNS could be used for exploitation:
e.g.
* Firewall runs bind-8.1.2
* Badguy controlling external DNS server puts in huge A record for common
destination in an attempt to generate buffer overflow exploit on remote hosts
* Internal (say, WinNT) user looks up host
* Firewall does lookup and returns result to WinNT host
* exploit occurs on internal host.
With no transparent proxies - only manual ones - this couldn't happen as the
internal host would never do an Internet lookup. At worst the firewall could
be compromised. This is infinitely preferable IMHO as that's the one
component of the network that is actively monitored for such events.
I think that talking about all this has made the decision for me :-)
Thanks for all the input I received.
--
Cheers
Jason Haar
Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
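A check of the kind a filtering resolver on the firewall could apply before relaying an answer inward, added here as an example and not code from this thread: it parses the answer section of a DNS response on the wire and flags A records whose RDLENGTH is not the 4 bytes an IPv4 address occupies, or whose RDATA runs past the end of the message. The build_response helper and the packets it produces are constructed for the example.

```python
import struct

# Constructed sample builder (not real traffic): it writes the DNS wire format so
# an oversized-RDATA answer can be built the same way as a well-formed one.
def _name(host):
    return b"".join(bytes([len(l)]) + l.encode() for l in host.split(".")) + b"\x00"

def build_response(host, rdata, qtype=1):
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, counts
    question = _name(host) + struct.pack("!HH", qtype, 1)        # QTYPE, QCLASS IN
    # The answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def check_a_records(msg):
    """Return a list of problems found in the A records of the answer section."""
    problems = []
    if len(msg) < 12:
        return ["truncated header"]
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    for i in range(ancount):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            problems.append(f"answer {i}: truncated RR header")
            break
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlength > len(msg):
            problems.append(f"answer {i}: RDLENGTH {rdlength} exceeds message")
            break
        if rtype == 1 and rdlength != 4:
            problems.append(f"answer {i}: A record with RDLENGTH {rdlength}, expected 4")
        off += rdlength
    return problems
```

A relaying resolver would drop any response for which check_a_records returns a non-empty list rather than forward it to the internal host.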