1999-03-01-23:13:42 Jason Haar:
> I'm setting up a proxy-based firewall, and am tossing up between only
> allowing the DMZ hosts to have access to Internet DNS servers, or allowing
> the internal DNS servers to forward to the DMZ DNS server.
This is my favourite setup: non-transparent proxies running on the firewall,
no external DNS visible inside.
A big reason is that DNS data is untrustworthy, but client SW isn't always
written with that in mind. I'm reminded of a moderately serious wave of
break-ins a couple of years back, wherein the intruders would take over a DNS
server somewhere, then launch an attack from that machine against a victim,
and while I don't precisely remember the details (which daemon, I think it was
either talkd or fingerd) the gist was that some daemon did a reverse lookup on
the incoming IP addr, and stuffed the returned result into a fixed-size buffer
without checking it; someone managed to plant a stack-whomp root compromise in
that returned DNS data. Ka-Boom!
Don't let internet DNS data past the bastion host.
Run your own private internal DNS, or a smaller-scale name service like NIS or
NIS+, or just push hosts files around, whatever is the best fit for your net's
size, complexity, diversity, etc. Don't make internet DNS visible.
-Bennett
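The buffer-overrun pattern Bennett describes, next to the bounds-checked alternative, as an added illustration rather than code from the original thread; `hostname_is_sane` and `copy_hostname_checked` are hypothetical helper names, and the reverse-lookup answer is passed in by the caller so the example runs offline.

```c
#include <string.h>
#include <ctype.h>

/* RFC 1035 caps a full domain name at 255 octets; a longer "answer" is not
 * a legitimate hostname and is rejected outright. */
#define HOSTNAME_MAX 255

/* The pattern the post describes: a reverse-lookup result copied into a
 * fixed-size buffer with no length check. Shown for contrast only and never
 * called, because an overlong answer writes past the end of `name`:
 *
 *   char name[64];
 *   strcpy(name, he->h_name);   (he from gethostbyaddr())
 */

/* Return 1 if `dns_name` looks like a hostname: non-empty, at most
 * HOSTNAME_MAX bytes, and built only from letters, digits, '-' and '.'.
 * Control bytes, spaces and shell metacharacters fail the check. */
int hostname_is_sane(const char *dns_name)
{
    size_t len = 0;
    /* Bounded scan: never walk past HOSTNAME_MAX looking for the NUL. */
    while (len <= HOSTNAME_MAX && dns_name[len] != '\0')
        len++;
    if (len == 0 || len > HOSTNAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)dns_name[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Copy a validated reverse-lookup result into `out` (capacity `outlen`).
 * Returns 0 on success, -1 if the name is rejected or would not fit; on
 * failure `out` is the empty string so nothing half-copied is ever used. */
int copy_hostname_checked(const char *dns_name, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (!hostname_is_sane(dns_name) || strlen(dns_name) + 1 > outlen)
        return -1;
    memcpy(out, dns_name, strlen(dns_name) + 1);
    return 0;
}
```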