I'm going to go out on a limb here and guess that it's only the fwtk and directly derived ALGs that do this. You'd lose too much speed for this to be a feature that "modern" firewalls would support. Speed is more important than security, remember?

Actually, even with "old" proxies, the only proxies that I thought did this were FTP and SMTP - both of which can stand a reasonable amount of initial latency. It would certainly be stupid with HTTP.

Rather than bodge things with hosts entries, I would suggest longer DNS cache TTLs, double resolution only on proxies that don't need low latency, and configurable double lookups per proxy. I know that Gauntlet lets you specify whether to look up hosts on a per-proxy basis...

The main intent behind the double lookups (as I understood it) was to catch hosts that were 'suspicious', on the grounds that suspicious hosts were more likely to be up to no good. In other words, the DNS names were not used to allow / deny traffic based on known-bad or known-good names. The double lookup afforded a heuristic to filter out any incoming traffic as 'suspicious' based on a simple test.

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520

> -----Original Message-----
> From: mouss [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 8 August 2000 1:24 AM
> To: [EMAIL PROTECTED]
> Subject: [call for opinions] proxies and DNS lookup
>
> [introduction]
> security proxies (at least those from the fwtk family) start
> by double-dns resolving the source host [snip]
> I'll appreciate your comments.
>
> cheers,
> mouss

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
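The double-lookup heuristic discussed in this thread (reverse-resolve the source address, forward-resolve the returned name, and treat a mismatch as 'suspicious'), together with the per-proxy switch suggested above, as an added Python example that is not from the thread or from fwtk/Gauntlet; the PTR/A tables, proxy names and policy are constructed for the demo.

```python
from typing import Callable, Dict, List, Optional

# Constructed PTR (reverse) and A (forward) records for the demo; hypothetical data.
PTR_TABLE: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",    # forward and reverse agree
    "192.0.2.20": "spoof.example.org",   # name forward-resolves somewhere else
    "192.0.2.30": "multi.example.net",   # name has several addresses, one matches
}
A_TABLE: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "spoof.example.org": ["203.0.113.5"],
    "multi.example.net": ["192.0.2.31", "192.0.2.30"],
}

# Per-proxy policy (hypothetical proxy names): only latency-tolerant proxies pay for the lookup.
PROXY_POLICY: Dict[str, bool] = {"ftp-gw": True, "smtp-gw": True, "http-gw": False}

def table_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)

def table_a(name: str) -> List[str]:
    return A_TABLE.get(name, [])

def double_lookup(ip: str,
                  ptr_lookup: Callable[[str], Optional[str]] = table_ptr,
                  a_lookup: Callable[[str], List[str]] = table_a) -> dict:
    """Reverse-resolve ip, forward-resolve the returned name, and flag the source
    as suspicious unless ip appears among the forward answers."""
    name = ptr_lookup(ip)
    if name is None:
        return {"ip": ip, "name": None, "suspicious": True, "reason": "no PTR record"}
    addrs = a_lookup(name)
    if ip not in addrs:
        return {"ip": ip, "name": name, "suspicious": True,
                "reason": "PTR name does not resolve back to the source address"}
    return {"ip": ip, "name": name, "suspicious": False, "reason": "forward/reverse match"}

def check_source(ip: str, proxy: str) -> dict:
    """Apply the double lookup only where the per-proxy policy enables it."""
    if not PROXY_POLICY.get(proxy, False):
        return {"ip": ip, "name": None, "suspicious": False,
                "reason": "double lookup disabled for " + proxy}
    return double_lookup(ip)
```

Swapping the two lookup callables for wrappers around `socket.gethostbyaddr` and `socket.getaddrinfo` turns the demo into a live check; the verdict is only a heuristic, so treat it as an input to logging or rate-limiting rather than an allow/deny decision on its own.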
