Firewall Wizards mailing list archives
Re: SCADA
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 27 Apr 2009 16:11:21 -0400 (EDT)
On Mon, 27 Apr 2009, Dotzero wrote:
> It's not just executable code. I do a DNS lookup to find out where to connect to. The proxy passes the answer. It does not guarantee the
No, a proxy *keeps* the answer, it doesn't pass it to the client, which is why it's the best answer- otherwise tunneling over DNS is trivial.
> answer is correct. And for those who would point to DNSSEC, how many domains currently sign? When will the root sign? When will .com sign?
If the proxy goes to the roots, then the only potential point of compromise is the answering domain's DNS server- if you can pwn there, you can probably pwn whatever it is that the client wants to get to. A very minimal risk in my book.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
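The reply above argues that a proxy which keeps the DNS answer to itself removes the DNS tunnelling channel entirely; where clients still resolve names directly, the defender's fallback is to watch resolver logs for the shape of a tunnel. The following is an added example, not code from the thread or from any product discussed; the log format, the sample lines, the indicator thresholds and the naive "last two labels are the zone" rule are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (not from the thread). Format: "<client> <qtype> <qname>"
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 3d2a9f1c8b7e6a5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b.t.example.net
10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddccbbaa.t.example.net
10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f9001122334455.t.example.net
10.0.0.9 A cdn.example.org
"""

HEX_LABEL = re.compile(r"[0-9a-f]{30,}")   # assumed indicator: long hex-only label

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def score_query(qname: str, qtype: str) -> int:
    """Count tunnelling indicators for one query (0..4).
    Thresholds are assumptions for illustration, not tuned values."""
    labels = qname.rstrip(".").lower().split(".")
    subdata = "".join(labels[:-2])          # everything below the assumed zone
    score = 0
    score += int(len(qname) > 50)                  # long names carry more payload
    score += int(shannon_entropy(subdata) > 3.5)   # encoded data looks random
    score += int(qtype in ("TXT", "NULL"))         # record types with roomy answers
    score += int(HEX_LABEL.fullmatch(labels[0]) is not None)
    return score

def flag_tunnel_candidates(log_text: str, min_score: int = 3) -> dict:
    """Return {(client, zone): count} for client/zone pairs whose queries
    reach min_score, i.e. repeated high-entropy, long, TXT-style lookups."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                              # skip malformed lines
        client, qtype, qname = parts
        if score_query(qname, qtype) >= min_score:
            zone = ".".join(qname.rstrip(".").split(".")[-2:])
            hits[(client, zone)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (client, zone), count in flag_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {count} suspicious queries")
```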