Firewall Wizards mailing list archives
RE: dns outbound
From: "Buckley, Neil" <buckley () network-1 com>
Date: Mon, 17 May 1999 09:48:32 -0400
Hello,

The easiest way to reduce the risk of your UDP rule set is to set up a DNS relay and allow your internal users to connect to that, which would be in front of your FW-1 box, allowing you to limit inbound and outbound DNS with your rule set/policy. The downside would be that you require some knowledge of BIND running on your favorite flavor of UNIX. I don't believe the NT version of BIND is still supported software?

It goes without saying, but I'll say it anyway: extensive hardening of the DNS relay machine is a must, as well as some level of secure admin/authentication (SSH).

--Neil

-----Original Message-----
From: Deepak Vaidya [mailto:dvaidya () clark net]
Sent: Thursday, May 13, 1999 4:04 PM
To: firewall-wizards () nfr net
Subject: dns outbound

Hello,

This is going to be a stupid question, but I hope someone can answer the question without my being flamed :-(. I have gotten a request to allow all clients behind a firewall to have unrestricted access to DNS servers outside the firewall. Can I get help in coming up with pros and cons of doing that? I tried to search the archives, but the search page is not working properly. I am not comfortable allowing UDP packets outbound from all systems. If it helps, we are using Firewall-1.

Thanks - Deepak
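The relay arrangement suggested in the reply above, sketched as a BIND `named.conf` for the relay host. This is an added example, not configuration posted by anyone in the thread; all addresses are documentation-range placeholders, and the use of an upstream forwarder is an assumption.

```conf
// named.conf for the DNS relay host (BIND syntax). Constructed example.
// Assumed placeholder addresses, not taken from the thread:
//   192.0.2.10       the relay's own address, in front of the FW-1 box
//   198.51.100.0/24  range internal clients appear from when they reach the relay
//   203.0.113.53     upstream resolver the relay forwards to (assumption)

acl "internal" { 198.51.100.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Answer only on the relay's own address and loopback.
    listen-on { 192.0.2.10; 127.0.0.1; };

    // Only internal clients may query or recurse through the relay,
    // so it cannot be used as an open resolver by outside hosts.
    allow-query     { "internal"; };
    allow-recursion { "internal"; };

    // The relay hosts no zones that anyone should transfer.
    allow-transfer  { none; };

    // Hand every lookup to the named upstream resolver and never
    // walk the delegation tree directly.
    forward only;
    forwarders { 203.0.113.53; };

    // Do not advertise the BIND version string to queriers.
    version "unavailable";
};

// Matching firewall policy, stated as intent rather than FW-1 syntax:
//   permit  internal clients -> 192.0.2.10  udp/53 and tcp/53
//   drop    any other outbound traffic to port 53
```

With this in place the rule set needs one DNS destination instead of "any", and the relay's query log becomes the single place to review client lookups.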