RE: DNS -vs- the firewall: security thoughts
Joe Ippolito - President SVNPA (joe@joesnet.com)
Wed, 11 Mar 1998 13:37:39 -0800
- Next message: Bernhard Schneck: "Re: Proxy firewall design."
- Previous message: Joe Ippolito - President SVNPA: "Will you try to sue Bill for false advertising?"
- Next in thread: Bennett Todd: "Re: DNS -vs- the firewall: security thoughts"
- Reply: Bennett Todd: "Re: DNS -vs- the firewall: security thoughts"
- Reply: Bret Watson: "NTp config - for the databases :}"
I use MS Proxy. The clients do not need to be configured for an external
DNS, only the proxy. The proxy does the external lookups for them.
Obviously if they cannot resolve external hosts at all they will not be
able to access anything outside without knowing the IP address.
-----Original Message-----
From: Bennett Todd [SMTP:bet@rahul.net]
Sent: Tuesday, March 10, 1998 4:15 AM
To: Bret Watson
Cc: firewall-wizards@nfr.net
Subject: Re: DNS -vs- the firewall: security thoughts
1998-03-10-05:35:58 Bret Watson:
> I'm guessing that you mean you'd like to do away with the ability for a
> workstation to do its own DNS resolving, not that you want to remove DNS
> from the 'net -after all we don't want to go back to host files do we :}
Oops --- that sounds like what I wrote, but not what I meant. Oops.
Please let me try again.
Absolutely, I want to use DNS on the in-house net. In fact I hope to
dramatically increase the use of DNS, maybe totally phasing out any use
of NIS for hosts data.
But what I want to chop off is the ability of DNS data from the outside,
from the internet, to slip in through the firewall.
About a year back a big fingerd thing went around. As I recall
the nature of the exploit consisted of taking over some
insufficiently-secured DNS primary (_not_ a big chore, a computer can
automate the search for a weak target), adding a ridiculously bogus entry
to his data, then provoking the real victim into sending a lookup request
from fingerd to this compromised server. The answer comes back, trips a
buffer-overrun bug, and ka-Boom you're dead.
Well, we aren't going to have fingerd getting poked from outside the
firewall, but the clients _can_ currently resolve internet hosts ---
even though they don't need that ability, as far as I can tell.
So I want to change things so a user types e.g.

    host ftp.uu.net

and they get an _instant_

    Host not found

from their authoritative root right next door. No DNS passing through
the firewall at all.
-Bennett
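The "authoritative root right next door" that Bennett describes can be built by making the internal name server primary for the root zone itself, so that any name outside the in-house namespace is answered with an immediate, authoritative NXDOMAIN and the server never has a reason to send a query toward the Internet. The following BIND configuration is an added illustration, not anything posted to the list or shipped by a vendor; the zone name example.internal, the host ns1, the address 10.0.0.53 and the file names are all made up for the example.

```conf
# named.conf (constructed example): the internal server owns "." itself.
options {
    directory "/var/named";
    # No recursion is needed: every name a client may ask for is either in
    # a zone this server holds, or does not exist as far as the inside
    # network is concerned. This also removes the path by which an outside
    # answer could reach an internal client through the resolver.
    recursion no;
    # Only answer hosts on the inside network (constructed range).
    allow-query { 10.0.0.0/8; };
};

# Being primary for the root zone means a lookup for ftp.uu.net gets an
# authoritative "no such domain" from here, never from the Internet.
zone "." {
    type master;
    file "db.root-internal";
};

# The only namespace that exists inside: the company's own zone.
zone "example.internal" {
    type master;
    file "db.example.internal";
};

# --- db.root-internal (constructed) ------------------------------------
# $TTL 86400
# .                  IN SOA ns1.example.internal. hostmaster.example.internal. (
#                           1 3600 900 604800 86400 )
# .                  IN NS  ns1.example.internal.
# example.internal.  IN NS  ns1.example.internal.   ; delegation to the real zone
# ns1.example.internal. IN A 10.0.0.53               ; glue for the delegation

# --- db.example.internal (constructed) --------------------------------
# $TTL 86400
# @    IN SOA ns1.example.internal. hostmaster.example.internal. (
#             1 3600 900 604800 86400 )
# @    IN NS  ns1.example.internal.
# ns1  IN A   10.0.0.53
# www  IN A   10.0.0.80
```

To confirm the behaviour Bennett wants, query the server directly for an outside name, e.g. `dig @10.0.0.53 ftp.uu.net`: the reply should carry status NXDOMAIN with the AA (authoritative answer) flag set and the internal SOA in the authority section, and a packet capture on the outside interface of the firewall should show no port 53 traffic at all during the test. Two caveats follow from the thread itself: the perimeter filter still has to drop DNS in both directions so that a misconfigured client cannot bypass the internal root, and, as Joe points out, whatever host does external lookups on the clients' behalf (the proxy) must not use this server as its resolver, since every outside name will resolve to "Host not found" here.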
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:40 CDT