Firewall Wizards mailing list archives
Re: IP over DNS.
From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 15 Sep 2000 00:56:38 +1100 (EST)
In some email I received from Matt Cramer, sie wrote:
> On Tue, 12 Sep 2000, Darren Reed wrote:
>
> > I'm surprised nobody has mentioned IP over DNS here yet - after all, it's on /. ;-)
> >
> > http://nstx.dereference.de/nstx/
> >
> > Is the particular implementation in this instance.
> > - there's some more work there for IDS people ;_)
> >
> > The biggest problem is that without doing bad things to DNS*, you can't stop this from being set up without putting in place a full proxy based firewall.
> >
> > Why ? In order for a packet filter firewall to work, hosts inside need to be able to get outside address information and that's what we need to deny people in order to stop the above.
> >
> > Does this spell the end of packet filtering for high security firewalls ?
>
> Bah. Not *ALL* hosts need to be able to get outside address information. Set up DNS internally, point all your hosts at it. Allow only your internal DNS to get past your firewall. Problem solved. Plus now you've simplified your network (you know that everyone is using the same DNS), and saved some bandwidth (lookups cached to your local DNS no longer traverse the internet).
Are you saying mirror the entire internet DNS internally ?

As I pointed out to someone else, forcing people to use a caching only DNS server does not "fix" this problem as the caching only DNS server will forward the requests, in full, along whatever path it takes to get out and the reply will eventually find its way back via those same DNS servers. The other important feature is that these replies come back with a TTL of 0 so your caching name server should not be keeping them in its cache for very long (and that's ignoring the fact that all the queries going out and their replies are different).

I think we're stuck with this one like we're stuck with IP over HTTP (embedded as JPEG/GIF images, if not text).

Oh, how many IDSs (or firewalls) will handle gzip encoded HTML sent from a web server back to a browser ?

Darren

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
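The properties Darren lists are exactly what a resolver-log detector can key on: every query under the tunnel zone is different, replies come back with TTL 0, and the leftmost label carries encoded payload rather than a hostname. The following scorer is an added example, not code from the thread or from nstx; the log records and the tun.example.net zone are constructed, and the two-label zone cut and the thresholds are assumptions to tune per site.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: (client, queried name, qtype, TTL of the reply).
# "tun.example.net" is a placeholder zone standing in for a tunnel endpoint.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A", 3600),
    ("10.0.0.5", "www.example.com", "A", 3600),
    ("10.0.0.5", "mail.example.com", "MX", 7200),
    ("10.0.0.7", "0a3kz91vq7mxt2pd8bwc5hl4.tun.example.net", "TXT", 0),
    ("10.0.0.7", "1b6yq2wmr9kzx0vt4ne7cj8p.tun.example.net", "TXT", 0),
    ("10.0.0.7", "2c9xp5dlw3hrm1zq6vb0ut7k.tun.example.net", "TXT", 0),
    ("10.0.0.7", "3d2tn8fkb6ywq4xm0rc9pz5j.tun.example.net", "TXT", 0),
]


def shannon_entropy(label):
    """Bits per character of a label; encoded payload scores well above real hostnames."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname, depth=2):
    """Approximate registrable zone as the last `depth` labels (assumption: no suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])


def score_zones(records, min_queries=3):
    """Per zone: share of never-repeated names, share of TTL-0 replies, mean label entropy."""
    seen = defaultdict(list)
    for _client, qname, _qtype, ttl in records:
        seen[zone_of(qname)].append((qname.lower(), ttl))
    report = {}
    for zone, entries in seen.items():
        if len(entries) < min_queries:  # too few queries to judge
            continue
        names = [q for q, _ in entries]
        unique_ratio = len(set(names)) / len(names)          # tunnel: every query differs
        ttl0_ratio = sum(1 for _, t in entries if t == 0) / len(entries)  # tunnel: TTL 0
        first_labels = [q.split(".")[0] for q in set(names)]
        mean_entropy = sum(shannon_entropy(lab) for lab in first_labels) / len(first_labels)
        suspicious = unique_ratio > 0.9 and ttl0_ratio > 0.5 and mean_entropy > 3.5
        report[zone] = {"unique_ratio": unique_ratio, "ttl0_ratio": ttl0_ratio,
                        "mean_entropy": round(mean_entropy, 2), "suspicious": suspicious}
    return report
```

Because a caching-only forwarder relays these queries unchanged, the same scoring applies whether the log comes from the internal resolver or from the firewall's own DNS pass-through.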