Firewall Wizards mailing list archives

Re: DNS -vs- the firewall: security thoughts


From: "Paul D. Robertson" <proberts () clark net>
Date: Mon, 9 Mar 1998 15:39:34 -0500 (EST)

On Mon, 9 Mar 1998, Bennett Todd wrote:

> I'm currently contemplating a serious redesign, doing away with DNS from
> the internet altogether. We use _nothing_ but non-transparent proxies on
> the firewall, so I can't see any good reason why end-user workstations
> should need to be able to resolve internet hostnames. I'd really love to
> chop that off altogether; people are getting cleverer about using
> bizarrely-corrupted DNS data to burgle systems.

I've always been fond of creating my own "internal only" TLDs, it makes it
pretty easy to keep the wandering laptops from pointing at useful hosts,
makes it simple to separate an internal from an external resource at a
glance, and keeps the users thoroughly confused ;)

Blocking external resolution would be a logical step, especially if you're
worried about the DNS being used as an information channel.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
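One way to check that the design discussed above is actually holding (workstations use the non-transparent proxies and never resolve Internet names, only the "internal only" TLDs) is to audit the resolver's query log for workstation clients asking about names outside those TLDs. The script below is an added example written for this archive page; it is not code from either poster. The internal TLD `corp`, the workstation subnet `10.1.0.0/16`, and the BIND-style query-log lines are all constructed for illustration; a real deployment would substitute its own TLDs, subnets and log source.

```python
"""Audit DNS query logs against an "internal-only names" policy.

Added example, not from the Firewall Wizards thread. Where workstations
reach the Internet only through non-transparent proxies, a workstation
resolving an Internet hostname is either a misconfiguration or DNS being
used as an information channel, so each such query is reported.
"""
import ipaddress
import re
from collections import Counter

# Assumed internal-only TLD (hypothetical; the thread only says "internal only" TLDs).
INTERNAL_TLDS = {"corp"}
# Assumed workstation subnet (constructed). Proxy/resolver hosts live elsewhere.
WORKSTATION_NET = ipaddress.ip_network("10.1.0.0/16")

# Matches BIND 9 query-log lines such as
#   client 10.1.2.3#51234: query: www.example.com IN A + (10.1.0.1)
# and the newer form with "@0x... " and "(name)" after the client address.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+.*?"
    r"query: (?P<name>\S+) IN (?P<type>\S+)"
)


def tld(name):
    """Last label of a DNS name, lowercased, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")[-1]


def is_internal_name(name):
    """True if the name falls under one of the internal-only TLDs."""
    return tld(name) in INTERNAL_TLDS


def parse_query(line):
    """Return (client_ip, qname, qtype) for a query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower(), m.group("type")


def audit(lines):
    """Return (client_ip, qname, qtype) for every workstation query that
    asks for a name outside the internal TLDs."""
    violations = []
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        ip, name, qtype = parsed
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr in WORKSTATION_NET and not is_internal_name(name):
            violations.append((ip, name, qtype))
    return violations


def violators_by_client(lines):
    """Count policy violations per workstation address."""
    return Counter(ip for ip, _, _ in audit(lines))


# Constructed sample log: two internal lookups, two external lookups from
# workstations, one external lookup from a proxy host, and one unrelated line.
SAMPLE_LOG = [
    "09-Mar-1998 15:39:34.001 client 10.1.2.3#51234: query: mail.corp IN A + (10.1.0.1)",
    "09-Mar-1998 15:39:35.002 client 10.1.2.3#51235: query: www.example.com IN A + (10.1.0.1)",
    "09-Mar-1998 15:39:36.003 client 10.1.7.9#40001: query: a3f9c2e1.t.example.net IN TXT + (10.1.0.1)",
    "09-Mar-1998 15:39:37.004 client 10.1.2.3#51236: query: intranet.corp. IN AAAA + (10.1.0.1)",
    "09-Mar-1998 15:39:38.005 client 10.200.0.5#53000: query: www.example.com IN A + (10.1.0.1)",
    "09-Mar-1998 15:39:39.006 some unrelated log line",
]

if __name__ == "__main__":
    for ip, name, qtype in audit(SAMPLE_LOG):
        print(f"policy violation: {ip} queried {name} ({qtype})")
    print("per client:", dict(violators_by_client(SAMPLE_LOG)))
```

The proxy host at `10.200.0.5` is outside the workstation subnet, so its external lookup is expected and not reported; only the two workstation queries for names outside `.corp` are flagged.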
