If you set up internet, intranet and DMZs, a split DNS is a must. You can never
go wrong setting up access lists on the router to control certain types of
traffic. Also, if you use Solaris 2.6 and up, put the following lines in the
/etc/system file and reboot:
set noexec_user_stack = 1
set noexec_user_stack_log = 1
These statements disable execution permission for the stack memory
segment(s) and effectively cut down the possibilities of user programs'
buffer overflows against the OS.
_ming
On Thu, 4 Mar 1999, Jason Haar wrote:
> On Wed, Mar 03, 1999 at 06:37:41AM -0500, Larry Chin wrote:
> > sounds like you need that ole split brain DNS ala my note ( which I think
> > ) I hurriedly sent yesterday.
>
> Your suggestion explains _exactly_ what I was looking at. I'm still
> concerned that DNS could be used for exploitation:
>
> e.g.
>
> * Firewall runs bind-8.1.2
> * Badguy controlling external DNS server puts in a huge A record for a common
> destination in an attempt to generate a buffer overflow exploit on remote hosts
> * Internal (say, WinNT) user looks up host
> * Firewall does lookup and returns result to WinNT host
> * exploit occurs on internal host.
>
> With no transparent proxies - only manual ones - this couldn't happen as the
> internal host would never do an Internet lookup. At worst the firewall could
> be compromised. This is infinitely preferable IMHO as that's the one
> component of the network that is actively monitored for such events.
>
> I think that talking about all this has made the decision for me :-)
>
>
> Thanks for all the input I received.
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Network Specialist, Trimble NZ
> Phone: +64 3 3391 377 Fax: +64 3 3391 417
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
============================================================================
Ming Lu
Sr. Network Engineer, IP Engineering
Global One Telecommunications, LLT.
Email: [EMAIL PROTECTED]
Phone: 703-689-5290 (w)
703-855-4194 (m)
703-689-6575 (f)
============================================================================
"Do not pay attention to every word people say, or you may hear your
servant cursing you ---- for you know in your heart that many times you
yourself have cursed others."
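An added example, not part of the original posts: a small Bourne-shell audit that reads an /etc/system file and reports whether the two noexec_user_stack tunables from the message above are both set to 1. It tolerates leading whitespace, `*`-comment lines and optional spaces around `=`, and reports the last assignment found for each tunable; the sample file it writes is constructed for the demo, not taken from any real host.

```shell
#!/bin/sh
# tunable_value FILE NAME: print the last value assigned to NAME by a
# "set NAME = value" line in FILE (empty if never set).
tunable_value() {
    awk -v name="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                  # leading whitespace
            if (line ~ /^[*#]/ || line !~ /^set[ \t]/) next   # comment / not "set"
            sub(/^set[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)                  # trailing whitespace
            n = split(line, kv, /[ \t]*=[ \t]*/)      # "name = value"
            if (n == 2 && kv[1] == name) value = kv[2]
        }
        END { print value }' "$1"
}

# check_noexec_stack [FILE]: verdict per tunable; returns 0 only when both
# noexec_user_stack and noexec_user_stack_log are set to 1.
check_noexec_stack() {
    file="${1:-/etc/system}"
    ok=0
    for t in noexec_user_stack noexec_user_stack_log; do
        v=$(tunable_value "$file" "$t")
        if [ "$v" = "1" ]; then
            echo "$t=1: OK"
        else
            echo "$t=${v:-unset}: NOT enforced"
            ok=1
        fi
    done
    return $ok
}

# demo_constructed: run the check against a constructed sample /etc/system
# (hypothetical content, assumed for this demo) and return its verdict.
demo_constructed() {
    f=$(mktemp /tmp/system.XXXXXX)
    cat > "$f" <<'EOF'
* Solaris kernel tunables (constructed sample, not a real host's file)
set maxusers = 64
set noexec_user_stack = 0
  set noexec_user_stack=1
set noexec_user_stack_log = 1
EOF
    if check_noexec_stack "$f"; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}
```

Run `check_noexec_stack` with no argument on a Solaris host to audit the real /etc/system; note that it reads the file, so a setting added without the reboot the message calls for will pass the check before it is live.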