I have installed a number of networks with PIX firewalls.  I never have end
clients do DNS.  I always have an internal DNS box that does the lookups.
Two reasons: 
1. I can ensure that the internal DNS box has the latest version of various
bug fixes.
2. I reduce internet bandwidth.  The second guy to go to CNN.com doesn't
generate internet traffic.

I can't imagine that your parent company doesn't do the same.  

Ultimately, somebody has to do the DNS lookup and return the results to
somebody.  So have one guy do all the DNS lookups, cache the results, and
supply everyone else. 

=========================
Paul H. Gracy
[EMAIL PROTECTED]
phone: 404 705 2873
#include <std.disclaimer>
=========================


> -----Original Message-----
> From: Jason Haar [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, March 02, 1999 8:09 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: Are there security downsides to allowing outgoing
> Internet DNS queries?
> 
> On Tue, Mar 02, 1999 at 05:59:24PM -0500, Larry Cannell wrote:
> > I can appreciate the concern you have regarding DNS. I am wondering how
> > would you support applications that NEED the DNS information (apps like
> > NetMeeting which does not have proxy support and needs to connect to any
> > number of external data conference servers).
> 
> Hmm - sounds like I should have provided more info after all..
> 
> Netmeeting isn't a problem as netmeeting isn't supported :-)
> 
> Ours is a proxy-based firewall - which means I really don't have to worry
> about our internal DNS having no access to the Internet's DNS servers.
> However, our parent company has decided to go with a PIX (read: NAT or
> transparent firewall) solution which means they do have access to Internet
> DNS servers. 
> 
> My concern was when their users come over to our network and plug in,
> nothing will work as their firewall design and ours are at almost opposite
> ends of the spectrum. If I allowed DNS through, then some tricks are made
> available to me to help ease the confusion.
> 
> What I wish was available was a "fake" DNS server where I could wildcard all
> "A" records to point to an internal box running things like a web server
> that returns a page telling users they have to configure their browser to
> use our proxy!
> 
> -- 
> Cheers
> 
> Jason Haar
> 
> Unix/Network Specialist, Trimble NZ
> Phone: +64 3 3391 377 Fax: +64 3 3391 417
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
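The "fake" wildcard DNS server Jason describes (every "A" record answered with the address of an internal notice box) is easy to build, and it also illustrates Paul's point that a single internal box can answer the whole network. The following is an added example written for this page, not code from either poster: a minimal UDP responder that parses a single-question DNS query and replies with one A record pointing at a hypothetical internal web server at 10.0.0.53 (the address, the 60-second TTL and the build_query/answered_ip helpers are assumptions for the demonstration, not anything from the thread). Non-A questions get an empty NOERROR reply so that clients do not keep retrying.

```python
"""
Minimal "captive" DNS responder: answers every A/IN query with one internal
address, e.g. a web server that tells users to configure the proxy.
Assumptions (not from the thread): the notice box is 10.0.0.53 and this
program runs on the host that the guest clients use as their resolver.
"""
import socket
import struct

NOTICE_IP = "10.0.0.53"   # hypothetical internal web server address
TTL = 60                  # short TTL so clients recover quickly once reconfigured
QTYPE_A = 1
QCLASS_IN = 1


def parse_name(packet, offset):
    """Decode a DNS name starting at offset; returns (name, offset after name).
    Only uncompressed names are handled, which is all a question section uses."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(packet):
    """Return (txid, flags, qname, qtype, qclass, question_bytes) for a
    single-question DNS query; raise ValueError on anything else."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, flags, qname, qtype, qclass, packet[12:off + 4]


def build_response(packet, ip=NOTICE_IP):
    """Build the reply: an A/IN question gets one A record pointing at ip;
    anything else gets an empty NOERROR answer."""
    txid, flags, _qname, qtype, qclass, question = parse_query(packet)
    rd = flags & 0x0100
    rflags = 0x8000 | 0x0400 | rd | 0x0080   # QR=1, AA=1, RD copied, RA=1
    answer = b""
    ancount = 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        rdata = socket.inet_aton(ip)
        # 0xC00C is a compression pointer to the question name at offset 12
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, TTL, len(rdata)) + rdata
        ancount = 1
    header = struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0)
    return header + question + answer


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Construct a query packet (constructed input for the demo and checks)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def answered_ip(response):
    """Extract the A record address from a response built above, or None."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if ancount == 0:
        return None
    return socket.inet_ntoa(response[-4:])


def serve(bind_addr="0.0.0.0", port=53):
    """UDP loop: answer whatever arrives. Binding port 53 needs privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            continue   # malformed or unsupported packet: drop it silently


if __name__ == "__main__":
    print(answered_ip(build_response(build_query("www.cnn.com"))))   # 10.0.0.53
    serve()
```

Hand this address out via DHCP only on the guest segment where the visiting PIX-side users plug in; the regular internal caching resolver that Paul describes stays the only box the firewall allows to reach Internet DNS on port 53.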