Firewall Wizards mailing list archives

Re: dns outbound


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Mon, 17 May 1999 12:58:57 -0400 (EDT)

> I have gotten a request to allow all clients behind a firewall to have
> unrestricted access to dns servers outside the firewall.
>
> Can I get help in coming up with pros and cons of doing that.  I tried to
> search the archives but the search page is not working properly.
>
> I am not comfortable in allowing udp packets outbound from all systems.
> If it helps we are using firewall-1.

First, ascertain what the requesters really WANT, as opposed to what
they think they're asking for.  Is there some strange, obscure reason
that they feel they need direct access to the external DNS servers?
[And, if so, would it suffice to set up a walled-off separate machine
in the FW-1 "DMZ" from which such access were available?]  Or do they
need to be able to resolve data from all external DNS servers?

The latter case is provided by almost every firewall.  I'm not familiar
with what FW-1 does for this.  FWTK and Gauntlet use BIND's 'named' to
provide separate DNS to the inside and outside, especially now that 8.2
allows that for even more cases.  Raptor does the same thing with some
more-limited DNS server of their own.  ANS Interlock does not serve DNS
on the firewall, but has a DNS proxy that allows much the same services,
relying on name servers inside and outside the firewall.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
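Added example, not from the original post and not the configuration of FWTK, Gauntlet, Raptor or any other product named above: a BIND 9 `named.conf` sketch of the "separate DNS to the inside and outside" arrangement the reply describes. It uses BIND 9 views (the post refers to BIND 8.2, which predates views), so the technique is the modern form of the same idea. Every name, address, ACL and file path here is an assumed placeholder.

```conf
// Added example: BIND 9 split-horizon resolver for a firewall/DMZ host.
// Views are a BIND 9 feature; the 1999 post refers to BIND 8.2.
// All names, addresses and file paths are placeholders chosen for this example.

acl "inside" { 10.0.0.0/8; 127.0.0.1; };   // internal client networks (assumed)

options {
    directory "/var/named";
    // This host is the only one the firewall lets send UDP/TCP 53 outbound;
    // internal clients are pointed at 10.0.0.53 and never reach external
    // name servers directly.
    listen-on { 10.0.0.53; 192.0.2.53; };   // inside and outside interfaces (assumed)
    allow-transfer { none; };
};

// Inside view: recursive for internal clients only. Anything it is not
// authoritative for is forwarded to the upstream resolvers (placeholder
// addresses), so all external lookups leave from this one host.
view "internal" {
    match-clients { "inside"; };
    allow-query { "inside"; };
    recursion yes;
    allow-recursion { "inside"; };
    forwarders { 192.0.2.10; 192.0.2.11; };
    forward only;

    zone "example.org" {
        type master;
        file "internal/example.org.zone";   // full internal records
    };
};

// Outside view: authoritative for the public zone only, no recursion,
// so the externally reachable side cannot be used as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };

    zone "example.org" {
        type master;
        file "external/example.org.zone";   // public records only
    };
};
```

With this in place the firewall policy the original poster was uneasy about collapses to a single rule: permit port 53 outbound from 10.0.0.53 only, and deny it from every other internal host. Internal clients get full resolution of external names through the forwarder, and the outside world sees only the public zone data.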
