Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

firewall-wizards logo Firewall Wizards mailing list archives

RE: dns outbound
From: "Buckley, Neil" <buckley () network-1 com>
Date: Mon, 17 May 1999 09:48:32 -0400
Hello,

The easiest way to reduce the risk of your udp rule set is to setup a dns
relay and allow your internal users to connect to that, which would be
in-front of your FW-1 box allowing you to limit inbound and outbound DNS
with your rule set/policy.  The down side would be that you require some
knowledge of bind running on your favorite flavor of UNIX.  I don't believe
the NT version of Bind is still a supported software???.  It goes without
saying, but I'll say it anyway extensive hardening of the DNS relay machine
is a must, as well as some level of secure admin/authentication(SSH).

--Neil

-----Original Message-----
From: Deepak Vaidya [mailto:dvaidya () clark net]
Sent: Thursday, May 13, 1999 4:04 PM
To: firewall-wizards () nfr net
Subject: dns outbound



Hello,

This is going to be a stupid question, but I hope someone can answer the
question without my being flamed :-(.

I have gotten a request to allow all clients behind a firewall to have
unrestricted access to dns servers outside the firewall.  

Can I get help in coming up with pros and cons off doing that.  I tried to
search the archives but the search page is not working properly.

I am not comfortable in allowing udp packets outbound from all systems.
If it helps we are using firewall-1.

Thanks
- Deepak

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]