Firewall Wizards mailing list archives

Re: [BIND-BUGS #18] Non-delegated master domains

From: Bennett Todd <bet () newritz mordor net>
Date: Wed, 12 May 1999 02:32:03 +0000

(taken from bugtraq)

1999-05-10-09:21:17 Ian Carr-de Avelon:

For me this is simply a problem relating to adding MX records with
192.168.xx.xx addresses to internal name servers. Some people may assume
that if they rely on DNS data for their own domains, they are only relying
on the intergrety of their own servers. With BIND 8 this appears not to be
true. If somone can change the delegation of a domain, or make a new domain
like EMIT. or 168.192.IN-ADDR.ARPA., bind 8 will accept the data pointed to
via route servers etc. in place of local master files.
[...]
Replacing names with IPs in every context would be a pain. If nothing
else, producing a fake 168.192.IN-ADDR.ARPA. would be a DOS attack
against thousands of internal services as tcpds would refuse connections.


This is a great thing to know about when designing a firewall layout.

A lot of it can be well controlled against; in high-security settings, I
don't pass DNS data across the firewall at all, and the firewall itself
doesn't use DNS data for any purpose except making outbound connections;
everything else is IP addresses, and it keeps track of what packets come from
where by the interfaces they arrive on. And of course the external screening
router blocks all packets with src and dst addresses in the RFC 1918 ranges
(10/8, 172.16/12, and 192.168/16). I can see using e.g. 192.168.0/24 for
the crossover cable between the external screening router and the outside
interface of the firewall in a small shop that doesn't need a DMZ that can
contain hosts. As long as the firewall doesn't try ane make any use of DNS
data for these addresses I don't think I can see any potential problem there.

Can anybody see anything I'm missing in the above theorizing?

But for sure this is an important warning for people who want to stash
high-security servers on a 192.168 net, behind a firewall from a
light-security public net. If a a DNS server can see the internet, it can't be
trusted to remain authoritative for reverse lookups on 192.168/16 in the face
of a sufficiently clever and determined attack.

-Bennett

Current thread:

Re: [BIND-BUGS #18] Non-delegated master domains Bennett Todd (May 12)
- anti-spoofing (was Non-delegated master domains) Kevin Steves (May 22)