Firewall Wizards
mailing list archives
Re: dns outbound
From: Bill_Royds () pch gc ca
Date: Sun, 16 May 1999 22:03:11 -0400
There is no need to give everybody access to external DNS servers if you are
running one yourself. DNS works as a distributed tree structured database.
Each user in your network asks your DNS server which either has an answer in its
cache or asks for the answer from servers that it knows are authoritative for
the domain it is looking for. The server then caches the answer. Allowing each
user to do his/her domain lookup on external servers would slow everybody down
(no cache) and introduce possible attacks by DNS poisoning (some servers return
deliberate wrong answers).
The common way to implement DNS behind a firewall is to have 2 DNS servers, one
behind and one in front of (or on) the firewall. This split DNS has the internal
server knowing the details of your internal network host structure and querying
through the firewall to the external one for external records. The external DNS
only has information for your publicly visible hosts (web and mail servers
etc.). It does not query the internal DNS server. The firewall sends its queries
to the internal server, which returns information useful to the firewall such as internal
host names for logging purposes. The users only ask the internal server and the
firewall rules only allow internal server to make DNS queries through the
firewall.
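As an added illustration (not part of the thread) of the last rule above, the Python below models a firewall policy in which only the internal resolver may send DNS out, and runs it over a few constructed firewall log lines to list internal hosts that tried to reach external DNS directly. The addresses, resolver IP and log format are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed assumptions: the internal address range and the internal
# (split-DNS) resolver that alone is allowed to query through the firewall.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_RESOLVER = ipaddress.ip_address("10.0.0.53")
DNS_PORT = 53


def dns_egress_allowed(src, dst, proto, dport):
    """Return True if the firewall should pass this outbound DNS packet.

    Only UDP/TCP port 53 from the internal resolver to an external
    destination is permitted; every other internal host is refused.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto not in ("udp", "tcp") or dport != DNS_PORT:
        return False  # not a DNS egress decision at all
    if dst_ip in INTERNAL_NET:
        return False  # internal-to-internal traffic never crosses the firewall
    return src_ip == INTERNAL_RESOLVER


def parse_log(line):
    """Parse a constructed 'key=value' firewall log line into a dict."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["dport"] = int(rec["dport"])
    return rec


def find_resolver_bypass(log_lines):
    """Count, per internal source, attempts to query external DNS servers
    directly instead of going through the internal resolver."""
    offenders = Counter()
    for line in log_lines:
        rec = parse_log(line)
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src not in INTERNAL_NET or dst in INTERNAL_NET or rec["dport"] != DNS_PORT:
            continue  # not internal-to-external DNS traffic
        if not dns_egress_allowed(rec["src"], rec["dst"], rec["proto"], rec["dport"]):
            offenders[rec["src"]] += 1
    return offenders


# Constructed sample log: resolver egress, a normal client lookup via the
# resolver, two clients bypassing it, and one unrelated HTTPS connection.
SAMPLE_LOG = [
    "src=10.0.0.53 dst=198.51.100.10 proto=udp dport=53 action=accept",
    "src=10.0.1.5 dst=10.0.0.53 proto=udp dport=53 action=accept",
    "src=10.0.1.5 dst=198.51.100.10 proto=udp dport=53 action=drop",
    "src=10.0.1.7 dst=203.0.113.2 proto=tcp dport=53 action=drop",
    "src=10.0.1.5 dst=198.51.100.10 proto=tcp dport=443 action=accept",
]

if __name__ == "__main__":
    print(find_resolver_bypass(SAMPLE_LOG))  # Counter({'10.0.1.5': 1, '10.0.1.7': 1})
```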
Deepak Vaidya <dvaidya () clark net> on 05/13/99 04:03:46 PM
Please respond to Deepak Vaidya <dvaidya () clark net>
To: firewall-wizards () nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: dns outbound
Hello,
This is going to be a stupid question, but I hope someone can answer the
question without my being flamed :-(.
I have gotten a request to allow all clients behind a firewall to have
unrestricted access to dns servers outside the firewall.
Can I get help in coming up with pros and cons of doing that. I tried to
search the archives but the search page is not working properly.
I am not comfortable in allowing udp packets outbound from all systems.
If it helps we are using firewall-1.
Thanks
- Deepak