On Fri, 9 Jun 2000, Brian J. Murrell wrote:
> I am contemplating disallowing TCP DNS at my firewall and am wondering
> about what "real world" collateral damage would be caused (examples of
> specific sites and software that would break please -- I have enough
> theory right now).
FWIW, I'd be more worried about UDP-based DNS in relation to
vulnerabilities (since spoofing might be an issue and TCP is more
resistant than UDP to spoofing, though DNS does OK in that regard).

However, you may want to consider placing a more trusted host outside the
firewall and inside a screening router and using that to resolve and log
DNS traffic (logging may be useful for detecting tunnels). DJB's DNSCache
and associated tool look really interesting for building intermediary
resolvers that are resilient to attack. The downside is that you have to
worry about securing that machine (esp. if it's running BIND); the upside
is that you only need to pass one address' DNS traffic to the firewall if
you have it do recursive queries on behalf of your internal network
(but hopefully not for all comers).

If you're using application layer gateways, there's no reason to pass
external DNS inside the firewall at all, since only the proxy server will
need to resolve external addresses.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
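As an added illustration of the "logging may be useful for detecting tunnels" point above (not code from the original thread or from DJB's tools): a small scorer that reads query logs from the intermediary resolver and flags zones whose query names look like encoded data. The log format, thresholds, and the choice to treat the last two labels as the zone are assumptions, and the sample lines are constructed.

```python
import math
from collections import defaultdict

# Constructed sample log lines, assumed format "client qtype qname" (not dnscache's real format).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 A www.example.com
10.0.0.9 TXT 3f9a1c7e4b2d8e0f6a1b9c3d.tun.example.net
10.0.0.9 TXT 9e8d7c6b5a4f3e2d1c0b9a8f.tun.example.net
10.0.0.9 TXT 0a1b2c3d4e5f6a7b8c9d0e1f.tun.example.net
10.0.0.9 TXT 7b6a5f4e3d2c1b0a9f8e7d6c.tun.example.net
10.0.0.9 TXT 2c3d4e5f6a7b8c9d0e1f2a3b.tun.example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def zone_of(qname: str) -> str:
    """Assumption: the last two labels identify the zone a tunnel would use."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def suspicious_zones(log_text, min_queries=5, min_unique_ratio=0.8,
                     min_label_len=16, min_entropy=3.0):
    """Return {zone: stats} for zones whose leftmost labels look like encoded payloads."""
    per_zone = defaultdict(lambda: {"queries": 0, "names": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _client, _qtype, qname = parts
        first = qname.split(".")[0]  # the label a tunnel client fills with data
        st = per_zone[zone_of(qname)]
        st["queries"] += 1
        st["names"].add(qname)
        st["lens"].append(len(first))
        st["ents"].append(shannon_entropy(first))
    flagged = {}
    for z, st in per_zone.items():
        if st["queries"] < min_queries:
            continue  # too few queries to judge; avoids flagging normal lookups
        ratio = len(st["names"]) / st["queries"]  # tunnels rarely repeat a name
        avg_len = sum(st["lens"]) / len(st["lens"])
        avg_ent = sum(st["ents"]) / len(st["ents"])
        if ratio >= min_unique_ratio and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[z] = {"queries": st["queries"], "unique_ratio": ratio,
                          "avg_label_len": avg_len, "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Tune the thresholds against your own logs first; CDNs and some mail systems also generate long, unique labels and will need an allow list.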