Firewall Wizards mailing list archives
Re: dns outbound
From: wyllys () reston wcom net
Date: Tue, 18 May 1999 08:36:30 -0400 (EDT)
On 16 May, Robert Graham wrote:
--- Deepak Vaidya <dvaidya () clark net> wrote:I have gotten a request to allow all clients behind a firewall to have unrestricted access to dns servers outside the firewall.The first answer of any firewall admin should be "only the paranoid survive". Why the heck would clients need external access to DNS servers? Barring the occasional network management application, there should be no reason a client needs direct access to a DNS server (that I can think of). This sounds like a program written in a clueless manner that isn't knowledgeable of proxies, firewalls, et al. Enabling the application might be asking for trouble, beyond the immediate risk. Or, is it simply that you want to run SOCKS clients and simply need the ability for internal machines to resolve names to addresses? You don't need direct access to DNS servers, you simply proxy outgoing DNS requests with your own DNS server.
There are plenty of reasons why internal machines need to resolve external names. One common reason is so that Java applets will run on browsers inside the firewall. Even with an HTTP proxy, many Java applets will not work if they cannot do a reverse DNS lookup on the host that served the applet. If the network is set to have a default route thru the firewall and the users are surfing the web without a proxy, then they will also need to be able to resolv the external hostnames. Adding the ability to resolve external hostnames from the inside is not dangerous and can be useful when properly configured. -- W. Ingersoll UUNET Reston, VA
Current thread:
- RE: dns outbound, (continued)
- RE: dns outbound Buckley, Neil (May 17)
- Re: dns outbound Ryan Russell (May 17)
- Re: dns outbound Marcus J. Ranum (May 18)
- Re: dns outbound chuck (May 18)
- Re: dns outbound Ge' Weijers (May 19)
- Re: dns outbound Matt McClung (May 18)
- Re: dns outbound Darren Reed (May 18)
- Re: dns outbound Bennett Todd (May 19)
- Re: dns outbound Marcus J. Ranum (May 18)
- Re: dns outbound Deepak Vaidya (May 17)
- Re: dns outbound wyllys (May 18)
- Re: dns outbound David Gillett (May 19)
- Re: dns outbound wyllys (May 21)
- Re: dns outbound Bennett Todd (May 19)