Firewall Wizards mailing list archives

RE: DNS -vs- the firewall: security thoughts


From: "Joe Ippolito - President SVNPA" <joe () joesnet com>
Date: Wed, 11 Mar 1998 13:37:39 -0800

I use MS Proxy.  The clients do not need to be configured for an external
DNS, only the proxy.  The proxy does the external lookups for them.
Obviously, if they cannot resolve external hosts at all, they will not be
able to access anything outside without knowing the IP address.

-----Original Message-----
From:   Bennett Todd [SMTP:bet () rahul net]
Sent:   Tuesday, March 10, 1998 4:15 AM
To:     Bret Watson
Cc:     firewall-wizards () nfr net
Subject:        Re: DNS -vs- the firewall: security thoughts

1998-03-10-05:35:58 Bret Watson:
I'm guessing that you mean you'd like to do away with the ability for a
workstation to do its own DNS resolving, not that you want to remove DNS
from the 'net -after all we don't want to go back to host files do we :}

Oops --- that sounds like what I wrote, but not what I meant. Oops.
Please let me try again.

Absolutely, I want to use DNS on the in-house net. In fact I hope to
dramatically increase the use of DNS, maybe totally phasing out any use
of NIS for hosts data.

But what I want to chop off is the ability of DNS data from the outside,
from the internet, to slip in through the firewall.

About a year back a big fingerd thing went around. As I recall
the nature of the exploit consisted of taking over some
insufficiently-secured DNS primary (_not_ a big chore, a computer can
automate the search for a weak target), add a ridiculously bogus entry
to his data, then provoke the real victim into sending a lookup request
from fingerd to this compromised server. The answer comes back, trips a
buffer-overrun bug, and ka-Boom you're dead.

Well, we aren't going to have fingerd getting poked from outside the
firewall, but the clients _can_ currently resolve internet hosts ---
even though they don't need that ability, as far as I can tell.

So I want to change things so a user types e.g.

        host ftp.uu.net

and they get an _instant_

        Host not found

from their authoritative root right next door. No DNS passing through
the firewall at all.

-Bennett
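The "authoritative root right next door" that Bennett describes, written out as an added configuration example in BIND 8 named.conf syntax (this is not from the thread or from any poster); the internal domain corp.example, the 10.0.0.0/8 address space and the server address 10.0.0.53 are assumed placeholders.

```text
// /etc/named.conf on the internal name server (assumed paths)
options {
    directory "/var/named";
    // Deliberately no "forwarders" clause and no zone of type hint:
    // this server never asks anything on the far side of the firewall.
    recursion yes;
};

// This server is the root of the in-house namespace. Any name whose
// top-level label is not delegated below is answered NXDOMAIN
// ("Host not found") immediately and authoritatively.
zone "." {
    type master;
    file "db.root-internal";
};

zone "corp.example" {
    type master;
    file "db.corp.example";
};

// Reverse zone for the assumed 10.0.0.0/8 internal address space
zone "10.in-addr.arpa" {
    type master;
    file "db.10";
};

// /var/named/db.root-internal : the private root zone
$TTL 86400
@                    IN SOA  ns1.corp.example. hostmaster.corp.example. (
                                1998031101 ; serial (constructed)
                                3600       ; refresh
                                900        ; retry
                                604800     ; expire
                                86400 )    ; minimum
@                    IN NS   ns1.corp.example.
; Delegations: only the internal names exist under this root.
corp.example.        IN NS   ns1.corp.example.
10.in-addr.arpa.     IN NS   ns1.corp.example.
; Glue for the delegated name server (constructed address)
ns1.corp.example.    IN A    10.0.0.53
```

With this in place, `host ftp.uu.net` is refused by the local root (no "net" delegation) without any packet leaving the site; the firewall should still drop port 53 UDP/TCP in both directions so a misconfigured client cannot bypass it, and any host on the firewall that genuinely needs Internet names (a mail relay or a proxy such as Joe's) must use a separate resolver.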


