PaulDotCom mailing list archives
DNS access from DMZ
From: abcampa at gmail.com (Albert R. Campa)
Date: Mon, 1 Dec 2008 14:31:22 -0600
Thanks all for the input. Let me modify the scenario as greater understanding has just been acquired ;)

This DMZ (internet facing) is not really on the public internet. It is behind the enterprise firewalls and even some WAF protection. The servers are Internet accessible as the ports are open on the enterprise firewalls. These DMZ webservers are separate from a core internal trusted network. This core network contains a DNS server and other datacenter assets, and is separated by a firewall.

So since the 'DMZ' web servers are semi-internal but separated, should they be allowed to resolve 'internal' servers that they need to communicate with by means of DNS forwarders?

Could a hacker penetrate the firewall (port 80)? Yes. Could he/she proceed to bypass the WAF, IDPS and compromise a web server? Only to find him/herself still isolated in a firewalled network, but have port 53 access to query only the internal main DNS/PDC server?

__________________________________
Albert R. Campa

2008/12/1 Tim Krabec <tkrabec at gmail.com>:
> If you are truly paranoid, know that if your ISP is especially evil they can just handle all the DNS themselves by intercepting DNS traffic after your router. You might want to consider tunneling to a "known" safe location.
>
> --
> Tim Krabec
> Kracomp
> 772-597-2349
> smbminute.com
> kracomp.blogspot.com
> www.kracomp.com
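The scenario above ends with a compromised DMZ web server that can still reach the internal DNS/PDC server on port 53. The practical follow-up to "query only" is to log those queries on the internal server and check that the DMZ hosts ask only for the internal zones they genuinely need. The script below is an added example and is not code from the thread or from any of its participants; the DMZ addresses, zone names, log lines and thresholds are all constructed, and the log line layout is assumed to follow the older BIND 9 `client <ip>#<port>: query: <name> IN <type> <flags> (<server>)` style.

```python
"""Added example (not from the original thread): review DNS query-log lines
recorded on the internal DNS server and flag queries from DMZ web servers that
fall outside the DMZ-to-internal DNS policy.

Everything below (addresses, zones, log lines, thresholds) is constructed."""
import re
from collections import Counter

# Constructed policy: the DMZ web servers and the internal zones they may resolve.
DMZ_HOSTS = {"192.0.2.10", "192.0.2.11"}          # documentation-range addresses
ALLOWED_ZONES = ("app.corp.example.", "db.corp.example.")
MAX_LABEL_LEN = 40   # assumed threshold; very long labels are a common DNS-tunnelling sign

# Assumed BIND 9 (older style) query-log layout, e.g.
#   client 192.0.2.10#51234: query: api.app.corp.example IN A + (10.0.0.53)
LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return a dict with ip/name/qtype/flags, or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = rec["name"].rstrip(".") + "."   # normalise to an absolute name
    return rec


def classify(rec):
    """Return the list of policy findings for one parsed query (empty = acceptable)."""
    findings = []
    if rec["ip"] not in DMZ_HOSTS:
        return findings                            # only DMZ clients are reviewed here
    if rec["qtype"] in ("AXFR", "IXFR"):
        findings.append("zone-transfer-request")  # DMZ hosts never need a zone copy
    if not rec["name"].endswith(ALLOWED_ZONES):
        findings.append("out-of-policy-zone")     # name outside the allowed internal zones
    if any(len(label) > MAX_LABEL_LEN for label in rec["name"].split(".")):
        findings.append("long-label")             # possible encoded data in the query name
    return findings


def review(log_lines):
    """Parse every line; return (flagged, malformed) where flagged is a list of
    (client ip, query name, findings) for queries with at least one finding."""
    flagged, malformed = [], 0
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        findings = classify(rec)
        if findings:
            flagged.append((rec["ip"], rec["name"], findings))
    return flagged, malformed


def summarize(flagged):
    """Count how often each finding type occurred across the flagged queries."""
    return Counter(kind for _, _, kinds in flagged for kind in kinds)


# Constructed sample log: two normal lookups, a zone-transfer attempt, a lookup
# outside the allowed zones, an unusually long label, a non-DMZ client, and junk.
LONG_LABEL = "x" * 48
SAMPLE_LOG = [
    "client 192.0.2.10#51234: query: api.app.corp.example IN A + (10.0.0.53)",
    "client 192.0.2.11#40002: query: sql01.db.corp.example IN A + (10.0.0.53)",
    "client 192.0.2.10#51235: query: corp.example IN AXFR - (10.0.0.53)",
    "client 192.0.2.11#40003: query: updates.vendor.example IN A + (10.0.0.53)",
    f"client 192.0.2.10#51236: query: {LONG_LABEL}.app.corp.example IN TXT + (10.0.0.53)",
    "client 10.0.0.25#33001: query: intranet.corp.example IN A + (10.0.0.53)",
    "this line is not a query-log entry",
]

if __name__ == "__main__":
    flagged, bad = review(SAMPLE_LOG)
    for ip, name, kinds in flagged:
        print(f"{ip:12} {name:40} {', '.join(kinds)}")
    print("summary:", dict(summarize(flagged)), "| malformed lines:", bad)
```

The zone list and the DMZ host set are the policy; everything the script flags is a query that policy did not anticipate, which is exactly the evidence you would want if one of the DMZ web servers is ever compromised. On a real deployment the same checks belong on the firewall or resolver side as well (no zone transfers to the DMZ, no recursion for DMZ clients), so the log review is a control on the control rather than the only line of defence.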