At 09:44 AM 5/10/01 +0200, Hiemstra, Brenno wrote:

>You can configure your outside DNS servers (if you are using BIND)
>to allow recursion from a couple of trusted hosts.
>
>In the named.conf file just put the following entry:
>
>allow-recursion { ip_addresses_trusted_hosts; };
>(or if the list is getting pretty long then build a simple acl)


Call me paranoid, but DNS being (mostly) UDP-based worries me: if someone can 
spoof a query to make it past your ACLs, they can effectively make your DNS 
server perform a recursive lookup (remember, to poison a cache you don't need 
to see the reply, you only need to be able to make the request).

I prefer to turn it off completely and supply servers dedicated to answering 
recursively for hosts, which have extra protection beyond the simple ACLs in 
BIND (namely, (good) stateful inspection firewalls).

(I read somewhere that the PIX's stateful inspection of DNS allows the first 
correct reply back in, whereas FW-1 allows (matching) return packets for a 
time period defined in the rulebase properties, for UDP.)

Either method works just fine; it all depends how paranoid you are :^)




Regards,

Chris.
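As an added example (not from Brenno's or Chris's mail), here are the two named.conf approaches discussed in this thread side by side, in BIND 9 syntax. The network 192.0.2.0/24 and the zone example.com are placeholders, and a real named.conf may contain only one options block, so pick one variant.

```conf
// Added example, not from the original thread. BIND 9 named.conf fragments.
// Placeholders: 192.0.2.0/24 (RFC 5737 documentation range) and example.com.
// Only one options { } block is allowed per named.conf: use variant A or B.

// --- Variant A: Brenno's approach, recursion restricted to an ACL ---
// BIND can only check the source address here; a UDP query whose source is
// forged to look like a "trusted" host still triggers a recursive lookup.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query     { any; };
};

// --- Variant B: Chris's approach, outside servers authoritative-only ---
// Recursion is off entirely; a separate, inside-only resolver behind a
// stateful firewall handles recursive lookups for the hosts that need them.
options {
    directory "/var/named";
    recursion no;
    allow-recursion { none; };
    allow-query     { any; };
};

zone "example.com" {
    type master;
    file "db.example.com";
};
```

In BIND 9.4 and later, allow-query-cache defaults to the same list as allow-recursion, so the ACL in variant A also governs who may read answers already in the cache. Verify the loaded configuration with `named-checkconf` before reloading.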

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]