Re: dns outbound

[Robert Graham <robert_david_graham () yahoo com>]

--- Deepak Vaidya <dvaidya () clark net> wrote:
> I have gotten a request to allow all clients behind a firewall to have
> unrestricted access to dns servers outside the firewall.  

The first answer of any firewall admin should be "only the paranoid survive".

Why the heck would clients need external access to DNS servers? Barring the
occasional network management application, there should be no reason a client
needs direct access to a DNS server (that I can think of). This sounds like a
program written in a clueless manner that isn't knowledgeable of proxies,
firewalls, et al. Enabling the application might be asking for trouble, beyond
the immediate risk.

Or, is it simply that you want to run SOCKS clients and simply need the ability
for internal machines to resolve names to addresses? You don't need direct
access to DNS servers, you simply proxy outgoing DNS requests with your own DNS
server.

> I am not comfortable in allowing udp packets outbound from all systems.
> If it helps we are using firewall-1.

I've seen a fair amount of Back Orifice using port 53. Furthermore, anything
but stateful packet filters justs asks for a hacker to use port 53 on their end
in order to bypass your filter rules. I've successfully TCP scanned some sites
using this technique.

Rob.


_____________________________________________________________
Do You Yahoo!?
Free instant messaging and more at http://messenger.yahoo.com