Firewall Wizards mailing list archives

Re: SCADA


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 27 Apr 2009 16:11:21 -0400 (EDT)

On Mon, 27 Apr 2009, Dotzero wrote:

> It's not just executable code. I do a DNS lookup to find out where to
> connect to. The proxy passes the answer. It does not guarantee the

No, a proxy *keeps* the answer, it doesn't pass it to the client, which is 
why it's the best answer- otherwise tunneling over DNS is trivial.

> answer is correct. And for those who would point to DNSSEC, how many
> domains currently sign? When will the root sign? When will .com sign?

If the proxy goes to the roots, then the only potential point of 
compromise is the answering domain's DNS server- if you can pwn there, you 
can probably pwn whatever it is that the client wants to get to.  A very 
minimal risk in my book.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
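To make the distinction drawn in the reply above concrete, here is an added example (not code from the thread or from any product discussed in it): a name-based proxy that resolves the hostname itself and returns only connect/refuse to the client, beside a forwarding resolver that hands the raw answer back. The zone table, the `192.0.2.10` address and the Modbus port `502` are constructed test values; real recursive resolution from the roots is stubbed out.

```python
"""Added example: a resolving proxy keeps the DNS answer, a forwarder passes it."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the proxy's own recursive resolution. A real proxy
# would start at the roots and follow referrals instead of consulting a table.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "scada-vendor.example": "192.0.2.10",  # TEST-NET-1, documentation-only address
}


def recursive_resolve(name: str) -> Optional[str]:
    """Proxy-side resolution; the client never sees what this returns."""
    return CONSTRUCTED_ZONE.get(name.lower().rstrip("."))


@dataclass(frozen=True)
class ProxyResult:
    """Everything the client is allowed to learn: success or failure, no rdata."""
    connected: bool
    reason: str


class ResolvingProxy:
    """Client asks for a hostname; the proxy resolves and connects on its behalf."""

    def __init__(self, resolve: Callable[[str], Optional[str]],
                 connect: Callable[[str, int], bool]) -> None:
        self._resolve = resolve
        self._connect = connect
        self.log: List[str] = []  # audit trail stays on the proxy, not the client

    def connect_by_name(self, hostname: str, port: int) -> ProxyResult:
        addr = self._resolve(hostname)
        self.log.append(f"resolve {hostname} -> {addr}")
        if addr is None:
            return ProxyResult(False, "no such host")
        ok = self._connect(addr, port)
        return ProxyResult(ok, "connected" if ok else "refused")


def forwarding_resolver(name: str) -> Optional[str]:
    """Forwarder: the raw answer goes back to the client, giving it a return channel."""
    return recursive_resolve(name)


def fake_connect(addr: str, port: int) -> bool:
    """Constructed connector: only the known SCADA host on Modbus/TCP answers."""
    return addr == "192.0.2.10" and port == 502
```

The client of `ResolvingProxy` gets a `ProxyResult` carrying no address or record data, whereas `forwarding_resolver` returns the answer itself, which is the behaviour the reply says a proxy should not have.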

