Firewall Wizards mailing list archives

Re: dns outbound


From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 18 May 1999 16:52:52 -0700 (PDT)


--- wyllys () reston wcom net wrote:
> On 16 May, Robert Graham wrote:
>> Why the heck would clients need external access to DNS servers?
>
> There are plenty of reasons why internal machines need to resolve
> external names.

The original question was not resolving DNS, but actually sending DNS packets
from inside the corporation out to the Internet (bypassing any local DNS
'proxies', if we think of DNS in the same terms as other protocols). 

Some management platforms might want to do this, such as when they set the
"don't recurse" bit in order to check the health of DNS systems. There may also
exist some weird software that bypasses gethostbyname() and does its own DNS
protocol work -- involving starting at the root servers and following them on
down. I can't think of any other application that would want to do this,
though.

I suspect the original query had much the same misunderstanding: people want to
do lookups/reverse lookups, and therefore asked for DNS packets through the
firewall. They probably don't need a firewall, and just want a DNS 'proxy' set
up.

Rob.
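
The distinction drawn in the message above, as an added example that is not part of the original post: a Python sketch that reads the "recursion desired" (RD) bit from a DNS query header and labels client traffic as going through the local DNS 'proxy' or directly to an outside server. The resolver address, the sample destinations, and the label names are constructed for illustration.

```python
import struct

RD_FLAG = 0x0100  # "recursion desired" bit in the DNS header flags word
QR_FLAG = 0x8000  # set on responses, clear on queries

def build_query(name, qtype=1, rd=True, txid=0x1234):
    """Build a minimal DNS query: RFC 1035 header plus one question."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".") if label
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify_query(payload, dst_ip, internal_resolvers):
    """Label one UDP/53 payload sent by an internal client."""
    if len(payload) < 12:
        return "malformed"
    _txid, flags = struct.unpack("!HH", payload[:4])
    if flags & QR_FLAG:
        return "response"
    if dst_ip in internal_resolvers:
        return "via-proxy"
    # Direct to an outside server. RD clear matches the health-check and
    # "start at the root servers" cases; RD set looks like a stub resolver
    # that was simply pointed at an external server.
    return "direct-stub" if flags & RD_FLAG else "direct-iterative"

# Constructed sample data (documentation address ranges, hypothetical resolver).
RESOLVERS = {"10.0.0.53"}
SAMPLES = [
    (build_query("www.example.com"), "10.0.0.53"),
    (build_query("www.example.com"), "192.0.2.10"),
    (build_query(".", qtype=2, rd=False), "198.51.100.4"),
]

def classify_all():
    return [classify_query(p, ip, RESOLVERS) for p, ip in SAMPLES]

if __name__ == "__main__":
    for (payload, ip), label in zip(SAMPLES, classify_all()):
        print(f"{ip:15} {len(payload):3d} bytes  {label}")
```
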
