Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

firewall-wizards logo Firewall Wizards mailing list archives

Re: dns outbound
From: "David Goldsmith" <dgoldsmi () rappatech com>
Date: Mon, 17 May 1999 07:41:13 EST
I assume this is for name resolution of sites on the Internet.

A better solution would be to have all of your clients point to a DNS server behind the firewall. Set that DNS server 
up as a slave forwarder.

By making it a forwarder, and pointing it to a second DNS server outside of the firewall, you can restrict the UDP port 
53 traffic and responses to just that one machine.

By making it a slave, you force it to only forward requests to the specified forwarder(s). It is NOT allowed to 
directly contact the Internet root servers.

Hope this helps.

R/S

Dave Goldsmith
dgoldsmi () rappatech com
dgoldsmi () erols com

---------- Original Message ----------------------------------
From: Deepak Vaidya <dvaidya () clark net>
Reply-To: Deepak Vaidya <dvaidya () clark net>
Date: Thu, 13 May 1999 16:03:46 -0400 (EDT)




Hello,

This is going to be a stupid question, but I hope someone can answer the
question without my being flamed :-(.

I have gotten a request to allow all clients behind a firewall to have
unrestricted access to dns servers outside the firewall.  

Can I get help in coming up with pros and cons off doing that.  I tried to
search the archives but the search page is not working properly.

I am not comfortable in allowing udp packets outbound from all systems.
If it helps we are using firewall-1.

Thanks
- Deepak

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]