nanog mailing list archives

Re: DNS Attacks


From: Steven Bellovin <smb () cs columbia edu>
Date: Wed, 18 Jan 2012 11:34:19 -0500


On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:

> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick () foobar org> wrote:
>> On 18/01/2012 14:18, Leigh Porter wrote:
>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>>> as it is not *my* firewalls I really don't care what they do ;-)
>>
>> As you're posting here, it looks like it's become your problem. :-D
>>
>> Seriously, though, there is no value to maintaining state for DNS queries.
>> You would be much better off to put your firewall production interfaces on
>> a routed port on a hardware router so that you can implement ASIC packet
>> filtering.  This will operate at wire speed without dumping you into the
>> colloquial poo every time someone decides to take out your critical
>> infrastructure.
>
> I get the feeling that Leigh had implemented this against his own
> advice for a client... that he's on board with the 'putting a firewall in
> front of a DNS server is dumb' meme...

In principle, this is certainly correct (and I've often said the same thing
about web servers); in practice, though, a lot depends on the specs.  For
example: can the firewall discard useless requests more quickly?  Does it do
a better job of discarding malformed packets?  Is the vendor better about
supplying patches to new vulnerabilities?  Can it do a better job filtering
on source IP address?  Does it do load-balancing?  Are there other services
on the same server IP address that do require stateful filtering?

As I said, most of the time a dedicated DNS appliance doesn't benefit from
firewall protection.  Occasionally, though, it might.


                --Steve Bellovin, https://www.cs.columbia.edu/~smb
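The stateless treatment Nick Hilliard argues for, and the "discard malformed packets" question Steve raises, sketched as an added nftables ruleset for a Linux host; this is an illustration written for this archive page, not configuration from any of the posters. It assumes an authoritative server at the placeholder address 192.0.2.53 (RFC 5737 documentation range): DNS is exempted from connection tracking so a query flood cannot fill the state table, while the rest of the host keeps ordinary stateful filtering.

```nft
# Added example (not from the thread): keep DNS out of conntrack.
# 192.0.2.53 is a placeholder for the authoritative server's address.
define dns_server = 192.0.2.53

table inet dnsfilter {
    # The raw hook runs before connection tracking. Anything marked
    # 'notrack' here never creates a state-table entry, so a flood of
    # queries costs only per-packet filtering, not memory (Nick's point).
    chain raw_in {
        type filter hook prerouting priority raw; policy accept;
        # Cheap sanity check: UDP header (8) + DNS header (12) = 20 bytes;
        # anything shorter cannot be a DNS message, so drop it early.
        ip daddr $dns_server udp dport 53 udp length < 20 drop
        ip daddr $dns_server udp dport 53 notrack
        ip daddr $dns_server tcp dport 53 notrack
    }
    chain raw_out {
        type filter hook output priority raw; policy accept;
        # Replies leave from source port 53; keep them untracked too.
        ip saddr $dns_server udp sport 53 notrack
        ip saddr $dns_server tcp sport 53 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        # Untracked DNS packets are judged statelessly: a port match only,
        # the same decision an ASIC ACL on a routed port would make.
        ct state untracked udp dport 53 accept
        ct state untracked tcp dport 53 accept
        # Everything else on the host is still filtered statefully, which
        # answers Steve's "other services on the same address" case.
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 ct state new accept
    }
}
```

Load with `nft -f <file>` and confirm with `conntrack -L` (if installed) that port 53 traffic no longer appears in the tracking table while other flows still do.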