1998-03-10-05:35:58 Bret Watson:
> I'm guessing that you mean you'd like to do away with the ability for a
> workstation to do its own DNS resolving, not that you want to remove DNS
> from the 'net -after all we don't want to go back to host files do we :}
Oops --- that sounds like what I wrote, but not what I meant. Oops.
Please let me try again.
Absolutely, I want to use DNS on the in-house net. In fact I hope to
dramatically increase the use of DNS, maybe totally phasing out any use
of NIS for hosts data.
But what I want to chop off is the ability of DNS data from the outside,
from the internet, to slip in through the firewall.
About a year back a big fingerd thing went around. As I recall
the nature of the exploit consisted of taking over some
insufficiently-secured DNS primary (_not_ a big chore, a computer can
automate the search for a weak target), adding a ridiculously bogus entry
to his data, then provoking the real victim into sending a lookup request
from fingerd to this compromised server. The answer comes back, trips a
buffer-overrun bug, and ka-Boom you're dead.
Well, we aren't going to have fingerd getting poked from outside the
firewall, but the clients _can_ currently resolve internet hosts ---
even though they don't need that ability, as far as I can tell.
So I want to change things so a user types e.g.
host ftp.uu.net
and they get an _instant_
Host not found
from their authoritative root right next door. No DNS passing through
the firewall at all.
-Bennett
Received on Mar 10 1998
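The setup Bennett describes, an internal name server that is authoritative for the root so that lookups for outside names fail locally and no DNS query ever crosses the firewall, as an added BIND 9 configuration example that is not part of the original post. The 10.0.0.0/8 range, the example.internal zone, ns1 at 10.0.0.53 and the file names are assumed placeholders, and BIND 9 syntax is assumed rather than the BIND 4/8 of the time.

```conf
// named.conf for the in-house resolver (assumed layout)
options {
    directory "/var/named";
    recursion yes;                 // clients still get normal recursive service
    allow-query { 10.0.0.0/8; };   // answer only the inside network
    // Deliberately no "forwarders" and no hint zone for ".":
    // with the root served locally there is nowhere else to ask.
};

// This server IS the root. Any name not delegated below is
// answered NXDOMAIN from here, immediately, without leaving the LAN.
zone "." {
    type master;
    file "internal-root.db";
};

// The in-house namespace that replaces NIS hosts data.
zone "example.internal" {
    type master;
    file "example.internal.db";
};

// --- internal-root.db (private root zone, assumed contents) ---
// $TTL 86400
// .   IN SOA ns1.example.internal. hostmaster.example.internal. (
//          1 3600 900 604800 86400 )
// .   IN NS  ns1.example.internal.
// ns1.example.internal.  IN A   10.0.0.53
// example.internal.      IN NS  ns1.example.internal.
//
// Check after loading: "dig @10.0.0.53 ftp.uu.net" returns
// status NXDOMAIN with the "." SOA in the AUTHORITY section, while
// "dig @10.0.0.53 ns1.example.internal" returns 10.0.0.53.
// A firewall rule dropping outbound UDP/TCP 53 from everything except
// nothing (no exceptions) makes the policy hold even if a client is
// pointed at an outside resolver.
```

Watch the zone files for stray entries: the attack Bennett recalls worked because a compromised server returned a crafted answer, so the integrity of these two local files is now the whole trust boundary for name resolution.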