Firewall Wizards mailing list archives
Re: DNS -vs- the firewall: security thoughts
From: Bret Watson <lists () bwa net>
Date: Tue, 10 Mar 1998 08:42:12
At 03:51 9/03/98 -0800, you wrote:
> I'm currently contemplating a serious redesign, doing away with DNS from the internet altogether. We use _nothing_ but non-transparent proxies on the firewall, so I can't see any good reason why end-user workstations should need to be able to resolve internet hostnames. I'd really love to chop that off altogether; people are getting cleverer about using bizarrely-corrupted DNS data to burgle systems.
Todd, I'm guessing that you mean you'd like to do away with the ability for a workstation to do its own DNS resolving, not that you want to remove DNS from the 'net - after all we don't want to go back to host files do we :} Why not put a DNS at the firewall? Have the clients point to the firewall for their requests and have the firewall DNS forward to wherever. If you put the DNS at the firewall into slave mode and run something decent like bind-8 it _should_ be ok... Most of the FW-1 seem to use this system - not great, but better than letting DNS through as you pointed out...

Technical Incursion Countermeasures
consulting () bwa net
http://www.ticm.com/
ph: (+61)(08) 9454 2487 (UTC+8 hrs)
fax: (+61)(08) 9454 6042
The Insider - an e'zine on Computer security
http://www.ticm.com/about/insider.html
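The firewall-resolver arrangement Bret describes (clients ask only the firewall, the firewall forwards everything outward and walks no root servers itself), written out as a BIND-8-style named.conf fragment plus the matching client resolv.conf. This is an added example, not configuration from the thread; the inside network 10.1.0.0/16, the firewall's inside address 10.1.0.1, the upstream servers 192.0.2.53 and 192.0.2.54 and the file paths are all assumed placeholders.

```conf
// ---- /etc/named.conf on the firewall (assumed path) ----
// Assumed addresses: 10.1.0.0/16 is the inside network, 192.0.2.53 and
// 192.0.2.54 are the only outside servers the firewall may query.
options {
    directory "/var/named";

    // Only inside hosts (and the box itself) may ask this server anything;
    // outside queries against the firewall's resolver are refused.
    allow-query { 10.1.0.0/16; 127.0.0.1; };

    // "forward only" is the BIND 8 spelling of the old BIND 4 "slave"
    // boot directive Bret refers to: every lookup this server cannot
    // answer from cache goes to the forwarders, and it never contacts
    // the root servers or other authoritative servers on its own.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};

// Internal zone kept on the firewall so inside names never leave the
// network (assumed zone name and file).
zone "example.internal" {
    type master;
    file "example.internal.zone";
    allow-transfer { none; };
};

// ---- /etc/resolv.conf on every inside workstation ----
// Workstations point at the firewall's inside interface only; with the
// packet filter blocking direct UDP/TCP 53 from the inside net to the
// outside, a client cannot resolve anything except through this server.
// search example.internal
// nameserver 10.1.0.1
```

The packet-filter rule is what actually removes the workstations' direct resolving ability; the BIND settings above only keep the firewall's own resolver from fetching data outside its forwarders, so poisoned or malformed answers have one point of inspection rather than one per desktop.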