hi david

yes,.... you're right in that ...

guess i am being unclear.... i mean that if the root servers
say that foo.com is at (primary) 1.2.3.4  and 5.6.7.8 (secondary)
and if there is no dns nor fw at those ips...then
they will not get any replies from the "fw"...
--
-- am saying that usually, the firewall should be using those (dns) ip#...
--
-- and the firewall forwards the port53 dns queries to the real
-- dns servers running bind/named/permutations...

===
=== even if the firewall only has linux kernel, bash, libc, ssh, ipchains
=== and other "required apps"... the firewall is still exploitable...
===
=== a webserver running apache is not much different than a server 
=== running ipchains and therefore called a firewall...
===     there's more to it...than just "ipchains" and which 
===     services/daemons are running on it
===
=== having bind-8.2.2 running makes it easier to get into the
=== badly coded dns server...even worse if one was silly enough
=== to have it running on the fw
===

sometimes pictures help .... a lot, to explain
WTF i meant... :-)  ... sorry for the confusion...

thanx
alvin


On Mon, 7 May 2001 [EMAIL PROTECTED] wrote:

> >             - first you hit the dns server...then the firewall
> > 
> >             - take away the primary and secondary dns
> >             and nobody will find your firewall
> 
>   This is ABSOLUTELY not true:
> 
> 1.  How do people find your primary DNS?  Hint:  It's NOT magic.  The 
> domain registration records/root DNS servers tell where to find the 
> primary/secondary(/tertiary/etc) DNS servers for the foo.com domain; 
> they don't even have to be at the same site as your firewall, but if 
> the root servers say they are, callers will be directed to/via your 
> firewall even if the DNS servers are "taken away".
> 
> 2.  A significant proportion of the DNS traffic I've seen logged (at 
> the firewall...) in the last six months has been sweeps/probes 
> looking for vulnerable BIND installations.  The prober has NO IDEA 
> what domain they're probing or where its DNS is served from.  In 
> fact, lots of non-DNS traffic caught by my firewall is from folks who 
> obviously are using raw IP addresses and not host/domain names, yet 
> they manage to find my firewall just fine.
> 
>   DNS is an exploitable service.  Putting it on the firewall makes 
> for a firewall you can't trust.
> 
> David Gillett
> 
> 
> 
> On 7 May 2001, at 8:25, Alvin Oga wrote:
> 
> > 
> > hi carl
> > 
> > you have secondary dns if the primary dns machine dies...
> > 
> > you usually don't have a secondary firewall... if it dies...
> > so you are still sol till you fix the firewall
> > 
> > I don't necessarily recommend dns to run on the firewall
> > except when absolutely needed
> >     ( when i am forced to have only 2 servers...
> >     ( and one has to be a firewall... the other server
> >     ( would be internally accessed only..
> > 
> > your question...if we allow dns on the fw,
> > why NOT other services like smtp, httpd, ftp ???
> >     - because....those protocols are NOT required to 
> >     find the domain called foo.com and direct incoming
> >     queries to the proper servers
> >             - first you hit the dns server...then the firewall
> > 
> >             - take away the primary and secondary dns
> >             and nobody will find your firewall
> > 
> >     - it'd be really foolish to add those other services
> >     to the firewall
> > 
> >     - it'd be equally foolish to have "open" firewall rules
> >     as in some of the stuff i've seen/heard on the fw 
> >     acting as if there was no firewall 'cause they didn't
> >     configure it correctly
> > 
> > if they only have the budget/"upper management" for 2 systems...
> > my comments would be:
> >     - server1: firewall + dns
> >     - server2: email/web/pop/etc internal to the firewall
> > 
> >     - i usually add...don't you have some 486 box that we
> >     can make into a fw and another to be the dns server...
> >             and use server1 for backups...
> > 
> > remember...you cannot find the firewall till you first find
> > the primary or secondary dns...
> >     - primary dns should be the same level of lockdown
> >     as a firewall or the loghost machines
> > 
> > i prefer one server per major function...but one does not
> > always get the $$$ or the time to properly maintain um all
> >     - firewall by itself
> >     - dns by itself
> >     - loghost by itself
> >     - email by itself
> >     - web by itself
> >     - home server by itself
> >     - ssh/authentication server
> >     - db server by itself
> >     - pop3 server by itself
> >     - ppp server by itself
> >     - ftp server by itself
> >     - backup server by itself ( full and separate incremental )
> >     - etc..etc...
> > 
> >     - now how many of us all have these happily separated servers...
> > 
> >     "itself" -->> no other services running
> >     ( it should be separated for various reasons...
> > 
> > have fun
> > alvin
> > 
> > 
> > On Mon, 7 May 2001, Carl E. Mankinen wrote:
> > 
> > > You would recommend running DNS daemon on the firewall?
> > > 
> > > That sounds pretty scary to me. Lots of reasons why I would not do this:
> > > 
> > > Firewall should be locked down as much as humanly possible and all unnecessary 
> > > system files quarantined. It should be as close to an
> > > appliance as you can get it without preventing FW1 from running, this is not 
> > > very conducive to running other services. If you agree
> > > to running DNS on your fw, why not other services like SMTP, FTP, HTTP, etc etc?
> > > 
> > > What happens in the case of one of those services being compromised or a system 
> > > failure (electrical/mechanical etc) ? Do you end up
> > > rebuilding your firewall or causing an outage for all those services while you 
> > > fix it? Putting your eggs in one basket is a sure
> > > way to end up with no breakfast.
> > > 
> > > I think I would prefer using a separate bastion host as DNS server myself.
> > > 
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > 
> 
> 
> 

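As an added illustration of the log pattern David describes (sweeps for BIND across hosts, by probers who never resolved a domain name), here is a small defender-side parser over ipchains "Packet log:" lines that flags a source denied on port 53 against several distinct destination hosts. This is example code, not from any participant in this thread; the log lines, addresses and the threshold of three hosts are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed ipchains kernel-log lines, not captured traffic. The field order
# follows ipchains' "Packet log:" output: chain, verdict, interface, PROTO=,
# src:sport, dst:dport, then the length/TOS/id/fragment/TTL fields.
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=17 203.0.113.9:2048 198.51.100.1:53 L=60 S=0x00 I=0 F=0x0000 T=64
Packet log: input DENY eth0 PROTO=17 203.0.113.9:2048 198.51.100.2:53 L=60 S=0x00 I=0 F=0x0000 T=64
Packet log: input DENY eth0 PROTO=17 203.0.113.9:2048 198.51.100.3:53 L=60 S=0x00 I=0 F=0x0000 T=64
Packet log: input DENY eth0 PROTO=6 203.0.113.9:2049 198.51.100.4:53 L=60 S=0x00 I=0 F=0x4000 T=64 SYN
Packet log: input DENY eth0 PROTO=17 203.0.113.7:3000 198.51.100.1:53 L=60 S=0x00 I=0 F=0x0000 T=64
Packet log: input DENY eth0 PROTO=17 203.0.113.7:3001 198.51.100.1:53 L=60 S=0x00 I=0 F=0x0000 T=64
Packet log: input DENY eth0 PROTO=17 203.0.113.7:3002 198.51.100.1:53 L=60 S=0x00 I=0 F=0x0000 T=64
Packet log: input ACCEPT eth0 PROTO=17 192.0.2.53:53 198.51.100.1:1035 L=80 S=0x00 I=0 F=0x0000 T=64
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return the addressing fields of one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def find_dns_sweeps(log_text, min_targets=3):
    """Map each source DENIED on port 53 against at least min_targets distinct
    destination hosts to the sorted list of those hosts. Repeated hits on a
    single server (a misconfigured client, say) do not count as a sweep."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"] == "DENY" and rec["dport"] == 53:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_dns_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed port 53 on {len(dsts)} hosts: {', '.join(dsts)}")
```

The ACCEPT line (a reply from an upstream resolver, source port 53) is parsed but never counted, so the detector only reports the sweep pattern David saw in his own firewall logs.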