OK, I admit I'm a complete dummy. How does one set up a transparent proxy? I
use Site Patrol from BBN for proxy so essentially I can't touch it, but I
can ask them to change it for me. Also while we're on the subject, DNS on
NT, since I don't do DNS lookups directly on the Internet, should I set my
"root DNS server" to point to my internal DNS server as root?
TIA
-----Original Message-----
From: Larry Chin [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, March 04, 1999 9:56 AM
To: Jason Haar
Cc: [EMAIL PROTECTED]
Subject: Re: Are there security downsides to allowing outgoing Internet DNS queries?
<stuff deleted>
> * Firewall runs bind-8.1.2
> * Badguy controlling external DNS server puts in huge A record for common destination in an attempt to generate buffer overflow exploit on remote hosts
Hmmm, could you refresh my memory on this one? I can't recall the nature of this exploit. Perhaps I can make some intelligent comment and not look like a putz.
> * Internal (say, WinNT) user looks up host
> * Firewall does lookup and returns result to WinNT host
> * exploit occurs on internal host.
> With no transparent proxies - only manual ones - this couldn't happen as the internal host would never do an Internet lookup.
Hmmm, no I don't think so. AFAIK, a transparent proxy is "transparent" only in that the end user doesn't have to configure their machine to say "use proxy". The firewall proxy still operates by taking traffic from the end user, and then resending it from the firewall.
Whether you are using transparent or non-transparent proxies, with a split brain DNS your internal clients should all be pointing at your internal DNS server. The server would then take care of obtaining the requested information. In this way there is a total disconnect between the requesting end user's machine and the outside world.
You could still get DNS poisoning etc. I guess, but I can't think of any way that a remote exploit could be launched against an end user, but as I mentioned maybe you could refresh my memory.
<more stuff deleted>
===================================================================
Larry Chin {[EMAIL PROTECTED]}
Technical Specialist - ISC, Sprint Canada
2550 Victoria Park Avenue, Suite 200, North York, Ontario M2J 5E6
Phone: 416.496.1644 ext. 4693
Fax: 416.498.3507
===================================================================
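As an added illustration of the split brain arrangement Larry describes (not from the original thread or its authors): two BIND 8-style named.conf fragments, one for the internal DNS server that the clients point at and that forwards every external question to the firewall, one for the firewall's own resolver that is the only host allowed to talk to the Internet. The addresses 10.0.0.53 and 10.0.0.1, the network 10.0.0.0/8 and the zone names are assumptions.

```conf
// ---- internal DNS server, 10.0.0.53 (assumed): the only resolver clients know ----
options {
    directory "/var/named";
    // Never recurse to the Internet from here; hand every question this
    // server is not authoritative for to the firewall's resolver.
    forward only;
    forwarders { 10.0.0.1; };          // firewall inside interface (assumed)
    allow-query { 10.0.0.0/8; };      // internal clients only (assumed range)
};

// Internal namespace lives here, so these names never leave the site.
zone "corp.example" {
    type master;
    file "corp.example.zone";
};

zone "0.0.10.in-addr.arpa" {
    type master;
    file "10.0.0.rev";
};

// ---- firewall DNS server, 10.0.0.1 inside (assumed) ----
options {
    directory "/var/named";
    // Only the internal DNS server may query this resolver; end-user
    // machines never reach it directly, and the packet filter should
    // likewise allow port 53 out to the Internet only from this host.
    allow-query { 10.0.0.53; };
};

// Root hints: this is the one server that performs real Internet lookups.
zone "." {
    type hint;
    file "root.hints";
};
```

Each client's resolver (the NT "DNS server" setting in the original question) then lists only 10.0.0.53, so no internal host ever exchanges packets with an outside name server.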
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]