Firewall Wizards mailing list archives

RE: DNS -vs- the firewall: security thoughts


From: "Joe Ippolito - President SVNPA" <joe () joesnet com>
Date: Thu, 12 Mar 1998 09:30:25 -0800

I just went to a machine that does not have access through a firewall and
does not have DNS configured but does have the Winsock Proxy client
enabled. I typed ping www.yahoo.com and got:
Reply from 204.71.177.70: bytes=32 time=27ms TTL=246. (MS Proxy is the
only machine that is allowed out).
Am I missing something?

-----Original Message-----
From:   Itai Dor-on [SMTP:silicom () netvision net il]
Sent:   Thursday, March 12, 1998 5:56 AM
To:     'Joe Ippolito - President SVNPA'; 'Bennett Todd'; Bret Watson
Cc:     firewall-wizards () nfr net
Subject:        RE: DNS -vs- the firewall: security thoughts



-----Original Message-----
From:   Joe Ippolito - President SVNPA [SMTP:joe () joesnet com]
To:     'Bennett Todd'; Bret Watson
Cc:     firewall-wizards () nfr net
Subject:        RE: DNS -vs- the firewall: security thoughts

I use MS Proxy. The clients do not need to be configured for an external
DNS, only the proxy. The proxy does the external lookups for them.
Obviously if they cannot resolve external hosts at all they will not be
able to access anything outside without knowing the IP address.


The clients do need to be configured for an external DNS if they utilize
the Winsock Proxy, as its sole function is to relay Winsock 1.1 calls on
behalf of the client initiating the request. The Web Proxy module is a
CERN-compatible Proxy agent which fully acts on behalf of the client, thus
performing name resolution for the HTTP CERN Type calls. Furthermore, the
Web Proxy module is the only module in the package whose functionality can
be extended by using ISAPI.

Cheers,

Itai Dor-on


