<stuff deleted>
> * Firewall runs bind-8.1.2
> * Badguy controlling external DNS server puts in huge A record for common
> destination in an attempt to generate buffer overflow exploit on remote hosts
Hmmm, could you refresh my memory on this one? I can't recall the
nature of this exploit. Perhaps I can make some intelligent comment
and not look like a putz.
> * Internal (say, WinNT) user looks up host
> * Firewall does lookup and returns result to WinNT host
> * exploit occurs on internal host.
> With no transparent proxies - only manual ones - this couldn't happen as the
> internal host would never do an Internet lookup.
Hmmm, no I don't think so. AFAIK, a transparent proxy is "transparent"
only in that the end user doesn't have to configure their machine to say
"use proxy". The firewall proxy still operates by taking traffic from
the end user, and then resending it from the firewall.
Whether you are using transparent or non-transparent proxies, with a
split brain DNS your internal clients should all be pointing at your
internal DNS server. The server would then take care of obtaining the
requested information. In this way there is a total disconnect between
the requesting end user's machine and the outside world.
You could still get DNS poisoning etc. I guess, but I can't think of any
way that a remote exploit could be launched against an end user, but as
I mentioned maybe you could refresh my memory.
<more stuff deleted>
===================================================================
Larry Chin {[EMAIL PROTECTED]} Technical Specialist - ISC
Sprint Canada 2550 Victoria Park Avenue
Phone: 416.496.1644 ext. 4693 Suite 200, North York, Ontario
Fax: 416.498.3507 M2J 5E6
===================================================================
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
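Added example, not from the thread or from BIND: the sanity check a split-brain resolver (the firewall-side DNS server described above) can apply to an answer before passing it to an internal client, namely that every A record carries an RDLENGTH of exactly 4. The sample messages are constructed and the function names are hypothetical.

```python
import struct

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name at off (handles compression pointers)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def check_answers(msg: bytes) -> list:
    """Walk the answer section; return (type, rdlength, ok) per record.
    ok is False for an A record (type 1) whose RDLENGTH is not 4 bytes."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):            # skip the question section
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    results = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        results.append((rtype, rdlen, rtype != 1 or rdlen == 4))
        off += rdlen                    # step over RDATA without trusting its contents
    return results

def answer_is_safe(msg: bytes) -> bool:
    """True only if every A record in the response has a 4-byte RDATA."""
    return all(ok for _, _, ok in check_answers(msg))

def _build(rdlen: int, rdata: bytes) -> bytes:
    """Constructed response: one question for www.example.com, one A answer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, rdlen) + rdata
    return header + question + answer

GOOD = _build(4, bytes([192, 0, 2, 1]))   # constructed: well-formed A record
BAD = _build(300, b"A" * 300)             # constructed: RDLENGTH far larger than an IPv4 address
```

A resolver that enforces this check drops the oversized record at the firewall, so the internal client never parses it.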