Firewall Wizards mailing list archives

Re: IP over DNS.

From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 15 Sep 2000 00:56:38 +1100 (EST)

In some email I received from Matt Cramer, sie wrote:

On Tue, 12 Sep 2000, Darren Reed wrote:

I'm surprised nobody has mentioned IP over DNS here yet -
afterall, it's on /. ;-)

http://nstx.dereference.de/nstx/

Is the particular implementation in this instance.

- there's some more work there for IDS people ;_)

The biggest problem is that without doing bad things to
DNS*, you can't stop this from being setup without putting
in place a full proxy based firewall.  Why ? In order for
a packet filter firewall to work, hosts inside need to be
able to get outside address information and that's what
we need to deny people in order to stop the above.

Does this spell the end of packet filtering for high
security firewalls ?


Bah.  Not *ALL* hosts need to be able to get outside address information.
Set up DNS internally, point all your hosts at it.  Allow only your
internal DNS to get past your firewall.  Problem solved.

Plus now you've simplified your network (you know that everyone is using
the same DNS), and saved some bandwidth (lookups chached to your local DNS
no longer traverse the itnernet).


Are you saying mirror the entire internet DNS internally ?

As I pointed out to someone else, forcing people to use a caching only
DNS server does not "fix" this problem as the caching only DNS server
will forward the requests, in full, along whatever path it takes to get
out and the reply will eventually find its way back via those same DNS
servers.

The other important feature is that these replies come back with a TTL
of 0 so your caching name server should not be keeping them in its cache
for very long (and that's ignoring the fact that all the queries going
out and their replies are different).

I think we're stuck with this one like we're stuck with IP over HTTP
(embedded as JPEG/GIF images, if not text).  Oh, how many IDS's (or
firewalls) will handle gzip encoded HTML sent from a web server back
to a browser ?

Darren

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

Current thread:

IP over DNS. Darren Reed (Sep 12)
- Re: IP over DNS. Ryan Russell (Sep 13)
- Re: IP over DNS. Mikael Olsson (Sep 13)
- Re: IP over DNS. Matt Cramer (Sep 13)
  - Re: IP over DNS. Darren Reed (Sep 16)
- <Possible follow-ups>
- Re: IP over DNS. Alex Goldney (Sep 13)
  - Re: IP over DNS. Darren Reed (Sep 13)
- RE: IP over DNS. Frank Knobbe (Sep 16)
- RE: IP over DNS. Bill_Royds (Sep 18)
  - Re: IP over DNS. Darren Reed (Sep 19)