Firewall Wizards mailing list archives
Re: DNS -vs- the firewall: security thoughts
From: "Joseph S. D. Yao" <jsdy () cospo osis gov>
Date: Tue, 10 Mar 1998 19:43:01 -0500 (EST)
> But what I want to chop off is the ability of DNS data from the outside, from the internet, to slip in through the firewall.
> ...
> Well, we aren't going to have fingerd getting poked from outside the firewall, but the clients _can_ currently resolve internet hosts --- even though they don't need that ability, as far as I can tell. So I want to change things so a user types e.g. `host ftp.uu.net` and they get an _instant_ "Host not found" from their authoritative root right next door. No DNS passing through the firewall at all.
Easy enough. Two ways.

(1) Take an axe. Apply forcefully to your Internet connection until you have a nice air gap between you and the Internet. [Seriously - if you don't want your systems to resolve Internet host addresses, why even be connected to the Internet? Resolving Internet addresses does NOT mean being able to get to those hosts, or even that you get the pure unfiltered DNS data, if you have a good proxying firewall with split-brain DNS.]

(2) Have your clients resolve via a DNS server which either believes itself to be the root, there is no other; or points to a root which announces the non-existence of everything else.

If you want your servers to be able to resolve Internet addresses from some DNS server, but don't want your clients to be able to access said DNS server, you're going to have to institute some kind of access controls, either on the server or on a network control device of some kind.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support                                  EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
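Option (2) above, written out as BIND-style named.conf and zone file fragments. This is an added illustration, not configuration posted by Joe Yao or anyone in the thread; the zone name example.internal, the server address 10.0.0.53 and the 10.0.0.0/8 client range are assumed. The server is master for "." with no delegation except its own internal zone, so a query for ftp.uu.net is answered NXDOMAIN immediately and never leaves the network; allow-query is the server-side access control the reply mentions.

```conf
// named.conf on the internal "root" server (assumed address 10.0.0.53)
options {
    directory "/var/named";
    recursion no;                  // there is nothing to recurse to: this is the root
    allow-query { 10.0.0.0/8; };   // assumed internal range; nobody else may ask
};

// This server believes itself to be the root; there is no other.
// Every name not under a zone configured below gets an instant NXDOMAIN.
zone "." {
    type master;
    file "db.fake-root";
};

// The only namespace that exists from the clients' point of view.
zone "example.internal" {
    type master;
    file "db.example.internal";
};

// ---- db.fake-root: the whole "Internet" as the clients see it ----
// $TTL 86400
// @   IN SOA ns1.example.internal. hostmaster.example.internal. (
//             1        ; serial
//             3600     ; refresh
//             900      ; retry
//             604800   ; expire
//             86400 )  ; negative-cache TTL: how long "Host not found" is kept
//     IN NS  ns1.example.internal.
// ; the only delegation: the internal zone, with glue for its name server
// example.internal.     IN NS  ns1.example.internal.
// ns1.example.internal. IN A   10.0.0.53

// ---- db.example.internal: the records clients are allowed to find ----
// $TTL 86400
// @    IN SOA ns1 hostmaster ( 1 3600 900 604800 86400 )
//      IN NS  ns1
// ns1  IN A   10.0.0.53
// www  IN A   10.0.0.80
```

If some servers must still resolve Internet names, they point at a separate forwarding resolver behind the firewall whose own allow-query lists only those servers, which is the access-control case the reply ends on.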