At 10:55 +0000 2/19/07, Tony Finch wrote:
> On Mon, 19 Feb 2007, Edward Lewis wrote:
>> 3) I don't buy this as a security risk. I don't think there is a problem
>> here.
> It allows you to use a DNS server to tunnel past a firewall. It allows you
> to use a DNS server to probe a private network.
How?
Let's say I am an iterating server.
I send out a query
I get a referral effectively saying to go to 10.1.1.1.
I try my query (again) to that address
Either I will have a 10.1.1.1 locally and it has a port 53 resident DNS
or
I have a 10.1.1.1-enclosing subnet locally
or
I have a default route to the Internet
case 1 - the server will probably reply with a lame indication
case 2 - the UDPs will dry up in the ether
case 3 - the UDP will be dropped at a border router or the ISP's router
How would the person that put the 10.1.1.1 address into the DNS
benefit from this in the sense that it compromises my security?
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
"Two years ago you said we had 5-7 years, now you are saying 3-5. What I
need from you is a consistent story..."
_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop
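As an added illustration, not part of this thread and not any resolver's own code, here is the defender-side counterpart to the three cases Edward walks through: a check an iterating resolver can apply to a referral target before sending anything, so that the resolver never has to find out by transmitting whether a 10.1.1.1 is local, enclosed by a local subnet, or reachable via the default route. The glue table `SAMPLE_GLUE`, the server names under `example.test.` and the helper names `classify_target` and `filter_referral` are constructed for this example; the one public address in the sample is that of a.root-servers.net.

```python
"""Referral-target guard for an iterating resolver (added example).

Before querying a name server learned from a referral, classify its glue
address and refuse anything that is not a routable public address.  This is
the mitigation for the "probe a private network via someone else's resolver"
concern raised in the thread: the packet is simply never sent.
"""
import ipaddress

# Constructed sample referral: NS names and glue addresses are made up for
# this example, except 198.41.0.4, which is a.root-servers.net.
SAMPLE_GLUE = {
    "ns1.example.test.": "198.41.0.4",   # public, the only one we may query
    "ns2.example.test.": "10.1.1.1",     # RFC 1918, the case in the thread
    "ns3.example.test.": "127.0.0.1",    # loopback
    "ns4.example.test.": "169.254.1.1",  # link-local
    "ns5.example.test.": "fd00::53",     # IPv6 unique-local
    "ns6.example.test.": "not-an-ip",    # malformed glue
}


def classify_target(addr: str) -> str:
    """Return 'ok' if a referral target may be queried, else the reason not to.

    The specific checks come before the generic is_private test because
    Python's ipaddress also reports loopback and link-local ranges as private.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "ok"


def filter_referral(glue: dict) -> tuple:
    """Split a referral's glue into (queryable, rejected).

    `queryable` maps NS name -> address; `rejected` maps NS name -> reason.
    A resolver would follow only the queryable entries and, if none remain,
    treat the referral as unusable rather than try the private targets.
    """
    queryable, rejected = {}, {}
    for name, addr in glue.items():
        verdict = classify_target(addr)
        if verdict == "ok":
            queryable[name] = addr
        else:
            rejected[name] = verdict
    return queryable, rejected


if __name__ == "__main__":
    ok, bad = filter_referral(SAMPLE_GLUE)
    for name, addr in ok.items():
        print(f"follow   {name} -> {addr}")
    for name, why in bad.items():
        print(f"refuse   {name} -> {SAMPLE_GLUE[name]} ({why})")
```

Production resolvers expose the same idea as configuration (Unbound's `private-address` and BIND's `deny-answer-addresses`), so in practice the guard is a policy setting rather than custom code; the function above just makes the decision visible for each of the cases in the thread.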