Re: dns outbound

["Matt McClung" <mmcclung () ndwcorp com>]

So this implies a misconfiguration of a firewall in some cases...  One
argument would be that your firewall should only allow outgoing DNS traffic
from your internal DNS Server (ignoring the fact that it could be spoofed)
and I always advocate an internal HTTP/FTP/ETC proxy server and an associate
firewall ruleset to control outbound access.  I will acknowledge that this
won't cover all solutions, but it will suffice for a very large percentage
of incidents.

The tunneled virus is a very scary thing, and can't be far off!

Matt McClung
Network Security Consultant
Net.Works, Inc.
mmcclung () ndwcorp com
801-595-6200

----- Original Message -----
From: Marcus J. Ranum <mjr () clark net>
To: Ryan Russell <Ryan.Russell () sybase com>; Deepak Vaidya
<dvaidya () clark net>
Cc: <firewall-wizards () nfr net>
Sent: Tuesday, May 18, 1999 6:14 AM
Subject: Re: dns outbound


> Ryan Russell wrote:
> > Another claimed that one of his uses was able to
> > surf the web without having to authenticate on the
> > way out, via the DNS rule.
>
> If you have access to an external system, someplace, you can
> use DNS packets to contain IP packets, or you can set up
> an application-level proxy that tunnels over DNS packets.
> Kind of a lot of work, but a technically knowledgeable person
> behind a firewall that he/she didn't like could do it easily
> enough. This is a basic problem with firewalls: so much
> stuff can be pushed back and forth through them that they're
> very easy to tunnel through. What scares me is the (obvious)
> implication of a "firewall-aware" tunnelling trojan horse/virus
> that opens outgoing connections via HTTP or other protocols
> that firewalls typically allow.
>
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr