Firewall Wizards mailing list archives

Re: DNS -vs- the firewall: security thoughts


From: "Joseph S. D. Yao" <jsdy () cospo osis gov>
Date: Tue, 10 Mar 1998 19:43:01 -0500 (EST)

But what I want to chop off is the ability of DNS data from the outside,
from the internet, to slip in through the firewall.
...
Well, we aren't going to have fingerd getting poked from outside the
firewall, but the clients _can_ currently resolve internet hosts ---
even though they don't need that ability, as far as I can tell.

So I want to change things so a user types e.g.
      host ftp.uu.net
and they get an _instant_
      Host not found
from their authoritative root right next door. No DNS passing through
the firewall at all.

Easy enough.  Two ways.

(1)  Take an axe.  Apply forcefully to your Internet connection until
     you have a nice air gap between you and the Internet.
[Seriously - if you don't want your systems to resolve Internet host
addresses, why even be connected to the Internet?  Resolving Internet
addresses does NOT mean being able to get to those hosts, or even that
you get the pure unfiltered DNS data, if you have a good proxying
firewall with split-brain DNS.]

(2)  Have your clients resolve via a DNS server which either believes
     itself to be the root, there is no other; or points to a root
     which announces the non-existence of everything else.

If you want your servers to be able to resolve Internet addresses from
some DNS server, but don't want your clients to be able to access said
DNS server, you're going to have to institute some kind of access
controls, either on the server or on a network control device of some
kind.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support                                          EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
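One way to implement option (2), as an added example that is not part of the post or of any configuration on this list: the internal DNS server is made authoritative for "." itself, so every name outside the zones it delegates gets an immediate, authoritative NXDOMAIN ("Host not found") and nothing is ever sent across the firewall. BIND 9 syntax is used (not the BIND 4/8 of 1998); the zone name example.internal, the address 10.0.0.53 and the 10.0.0.0/8 client range are constructed.

```conf
// ---- /etc/named.conf (constructed example) ----
options {
    directory "/var/named";
    // Internal clients only; the server never needs to be reachable
    // from, or to talk to, the Internet. No "forwarders", no root hints.
    allow-query { 10.0.0.0/8; };
    // Recursion is only used to follow delegations to other *internal*
    // servers listed in root.zone; there is no path to outside roots.
    recursion yes;
};

// This server *is* the root. Any name not delegated in root.zone
// (ftp.uu.net, for instance) is answered NXDOMAIN straight away.
zone "." {
    type master;
    file "root.zone";
};

// The internal namespace, served from the same box.
zone "example.internal" {
    type master;
    file "example.internal.zone";
};

; ---- /var/named/root.zone (constructed example) ----
$TTL 86400
@   IN SOA  ns1.example.internal. hostmaster.example.internal. (
            1998031001  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            86400 )     ; negative-answer TTL: how long clients cache NXDOMAIN
    IN NS   ns1.example.internal.

; Delegate only the internal tree. Everything else falls off the end of
; this zone and is denied with the SOA above in the authority section.
example.internal.       IN NS   ns1.example.internal.
ns1.example.internal.   IN A    10.0.0.53   ; glue for the delegation
```

To confirm the behaviour, `dig @10.0.0.53 ftp.uu.net` should return status NXDOMAIN with the "." SOA in the authority section and no outbound packet on port 53; the firewall rule dropping client traffic to port 53 outbound is still wanted as the second control the post mentions.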