#If I have missed something let me know...but why in the name of creation do
#you need 2 DNS servers..let alone 1 outside the firewall????!?!? Like
#leaving a jar of honey sitting near an anthill...
This provides you with a much greater level of protection against DNS
hacks and also gives out the minimum amount of information needed to allow
people to send you mail and get to your web servers.
1. Lately there has been a lot of talk about tunneling any IP traffic
through DNS using TXT records and other things. If I have a hardened DNS
server sitting on my external network that only lists the hosts the
Internet needs to know about then hackers can tunnel anything they want to
through DNS to try to pass by my firewall but it won't do them any good.
Why? Because I only allow DNS out the firewall from my internal DNS server
and I only allow replies to queries from the Internet to my DNS server.
All those guys who want to query my name server talk to the name server on
my external network in front of the firewall.
2. Let's say they do get root on my DNS server because there is a new hack
for BIND. All they own is a box on my external network that my firewall
and my internal/dmz networks don't trust.
3. I only need to publish A records, PTR records, NS records, and MX
records that the Internet needs to know about. All of my internal DNS
including internal naming conventions and internal IP addresses are not
released to the Internet. They only know the minimum amount about my
network that they need to know.
The whole point to network security is not to create an unassailable
Maginot Line. The point is to make your network bland enough and to give
out such a small amount of information about your network that hackers
ignore it because it looks boring. Most hackers/script kiddies are kinda
like suppressive fire. They only hit the networks that stand up and wave.
Regards,
Jeffery Gieser
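A small check in the spirit of point 3, added here as an example and not part of the original post: it audits a zone file before it is pushed to the external name server and flags any record type outside the A/PTR/NS/MX set the post names, plus A records that point into RFC 1918 space. The zone contents are constructed; SOA is assumed to be allowed because a zone cannot be served without one.

```python
import ipaddress
import re

# Record types the post says the Internet needs; SOA added as an assumption,
# since a zone cannot be served without it.
ALLOWED_TYPES = {"SOA", "NS", "A", "PTR", "MX"}

# "Internal IP addresses" in the post's sense: the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone (SOA kept on one line for simplicity).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA  ns1.example.com. hostmaster.example.com. (1 7200 900 1209600 86400)
@           IN  NS   ns1.example.com.
@           IN  MX   10 mail.example.com.
ns1         IN  A    203.0.113.2
mail        IN  A    203.0.113.3
www         IN  A    203.0.113.4
fileserver  IN  A    10.1.2.3
_tunnel     IN  TXT  "aGVsbG8="
"""

# name [ttl] [IN] type rdata
LINE_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$")

def audit_zone(text):
    """Return (name, type, reason) for every record that should not be
    published on the Internet-facing server."""
    findings = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):      # skip directives
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, rtype, rdata = m.groups()
        if rtype not in ALLOWED_TYPES:
            findings.append((name, rtype, "record type not needed externally"))
        elif rtype == "A":
            try:
                addr = ipaddress.ip_address(rdata.strip())
            except ValueError:
                findings.append((name, rtype, "malformed address"))
                continue
            if any(addr in net for net in RFC1918):
                findings.append((name, rtype, "private address leaked"))
    return findings

if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print("%-12s %-4s %s" % f)
```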