Re: IP over DNS.

["Alex Goldney" <agoldney () qantas com au>]

Well,
            you could avoid a full proxy based firewall, you just need to ensure
you use a split DNS configuration with appropriately crafted PF rules to ensure
all DNS traffic must go through your DNS proxy.  That doesn't preclude you from
letting other traffic in/out without proxying.  Of course, you might still want
to use a proxy based firewall in any case :-)

Alex.




From: Darren Reed <avalon () coombs anu edu au> on 12/09/2000 00:10 GMT

To:   firewall-wizards () nfr net
cc:    (bcc: Alex Goldney/SYD/QANTAS)
Subject:  [fw-wiz] IP over DNS.



I'm surprised nobody has mentioned IP over DNS here yet -
afterall, it's on /. ;-)

http://nstx.dereference.de/nstx/

Is the particular implementation in this instance.

- there's some more work there for IDS people ;_)

The biggest problem is that without doing bad things to
DNS*, you can't stop this from being setup without putting
in place a full proxy based firewall.  Why ? In order for
a packet filter firewall to work, hosts inside need to be
able to get outside address information and that's what
we need to deny people in order to stop the above.

Does this spell the end of packet filtering for high
security firewalls ?

Darren
* - bad things includes filtering out certain types of DNS
packets such as TXT records.

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards







_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards