Firewall Wizards mailing list archives
Re: dns outbound
From: Bennett Todd <bet () newritz mordor net>
Date: Wed, 19 May 1999 13:44:46 +0000
1999-05-18-12:36:30 Wyllys:
> Robert Graham: This sounds like a program written in a clueless manner that isn't knowledgeable of proxies, firewalls, et al. Enabling the application might be asking for trouble, beyond the immediate risk.
>
> There are plenty of reasons why internal machines need to resolve external names.

Sure --- and they are often associated with poor programming that leaves you with security problems, as Robert indicated.

> One common reason is so that Java applets will run on browsers inside the firewall. Even with an HTTP proxy, many Java applets will not work if they cannot do a reverse DNS lookup on the host that served the applet.

A superb example of Robert's and my point.

> If the network is set to have a default route through the firewall and the users are surfing the web without a proxy, then they will also need to be able to resolve the external hostnames.

If you have that setup, then yes, you should be letting DNS through. That's a very light-security setup, inadequate for protecting anything of importance.

> Adding the ability to resolve external hostnames from the inside is not dangerous and can be useful when properly configured.

Adding the ability to resolve external hostnames _is_ dangerous, and can be useful in cases where you don't care about the danger. Until and unless all software that deals with the results of DNS lookups is proof against buffer overruns, people will be able to find ways to burgle client machines that start off "first, take over a DNS server that's authoritative for some zone, then fool the user into referencing that zone with this here client, here's how you do it...".

-Bennett
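An added illustration of the failure mode Bennett describes, in C. This is example code written for this archive page, not code from the thread or from any resolver library: a bounds-checked decoder for names in RFC 1035 wire format, run against constructed replies (not captured traffic) of the kind a hostile authoritative server could return. Every length octet and compression pointer in a reply is chosen by whoever answers the query, so a client that copies the decoded name into a fixed buffer without these checks is exactly the overrun the message warns about. The reply bytes, the `build_long_name` helper and the 192.0.2.1 address (TEST-NET) are all constructed for the example.

```c
/* Added example, not from the original message: bounds-checked decoding of a
 * DNS name (RFC 1035 wire format) against constructed hostile replies. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_LABEL 63    /* RFC 1035 2.3.4 limits */
#define DNS_MAX_NAME  255

/* Decode the name at msg[off] into out as a dotted, NUL-terminated string.
 * Returns the number of bytes consumed at off (through the first compression
 * pointer, as RFC 1035 4.1.4 defines it), or -1 for anything malformed: a
 * label over 63 octets, a name over 255 octets, a read past msglen, a pointer
 * that does not point strictly backwards (so no loops), or a result that
 * would not fit in out. The caller's buffer size is honoured, not trusted. */
int dns_decode_name(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, outpos = 0, namelen = 0;
    int consumed = -1, first = 1;

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= msglen) return -1;                /* no length octet left */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= msglen) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            if (target >= pos) return -1;            /* self/forward pointer: loop */
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                   /* 0x40/0x80 are reserved */
        if (len == 0) break;                         /* root label ends the name */
        if (len > DNS_MAX_LABEL) return -1;
        namelen += (size_t)len + 1;
        if (namelen > DNS_MAX_NAME) return -1;
        if (pos + 1 + len > msglen) return -1;       /* label runs off the message */
        if (outpos + len + 1 >= outlen) return -1;   /* '.' + label + NUL must fit */
        if (!first) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        first = 0;
        pos += 1 + (size_t)len;
    }
    if (namelen + 1 > DNS_MAX_NAME) return -1;       /* count the root octet too */
    out[outpos] = '\0';
    if (consumed < 0) consumed = (int)(pos + 1 - off);
    return consumed;
}

/* Constructed sample reply: "www.example.com A?" with one answer whose NAME is
 * a pointer back to the question name at offset 12. */
const uint8_t kLegitReply[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,                        /* header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* QNAME at 12 */
    0,1, 0,1,                                                        /* A, IN */
    0xC0,0x0C,                                                       /* NAME at 33 -> 12 */
    0,1, 0,1, 0,0,0x0E,0x10, 0,4, 192,0,2,1                          /* A IN 3600 192.0.2.1 */
};
const size_t kLegitReplyLen = sizeof kLegitReply;

/* Constructed hostile variants: a 12-byte header, then the name at offset 12. */
const uint8_t kSelfPointer[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,0x0C };            /* 12 -> 12 */
const uint8_t kTwoHopLoop[]  = { 0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,0x0E, 0xC0,0x0C };  /* 14 -> 12 -> 14 */
const uint8_t kTruncated[]   = { 0,0,0,0,0,0,0,0,0,0,0,0, 40,'x','x','x' };      /* claims 40 octets, has 3 */

/* Build a header plus `labels` labels of 63 'a's; four such labels exceed the
 * 255-octet name limit. Returns the message length, or 0 if buf is too small. */
size_t build_long_name(uint8_t *buf, size_t buflen, int labels)
{
    size_t pos = 12;
    if (buflen < 12) return 0;
    memset(buf, 0, 12);
    for (int i = 0; i < labels; i++) {
        if (pos + 64 >= buflen) return 0;
        buf[pos++] = 63;
        memset(buf + pos, 'a', 63);
        pos += 63;
    }
    buf[pos++] = 0;
    return pos;
}

int main(void)
{
    char name[256];
    uint8_t big[512];
    int r = dns_decode_name(kLegitReply, kLegitReplyLen, 33, name, sizeof name);
    printf("answer NAME via pointer: consumed %d, decoded \"%s\"\n", r, r < 0 ? "" : name);
    printf("legit name into 8-byte buffer: %d\n",
           dns_decode_name(kLegitReply, kLegitReplyLen, 12, name, 8));
    printf("self pointer: %d\n", dns_decode_name(kSelfPointer, sizeof kSelfPointer, 12, name, sizeof name));
    printf("two-hop loop: %d\n", dns_decode_name(kTwoHopLoop, sizeof kTwoHopLoop, 14, name, sizeof name));
    printf("truncated label: %d\n", dns_decode_name(kTruncated, sizeof kTruncated, 12, name, sizeof name));
    printf("4 x 63-octet labels: %d\n",
           dns_decode_name(big, build_long_name(big, sizeof big, 4), 12, name, sizeof name));
    return 0;
}
```

The check that matters most for the thread's point is the last one inside the loop: the decoder refuses to write past the caller's `outlen` rather than trusting that a hostname "will fit" in whatever fixed-size buffer the application chose, and the strictly-backwards rule on pointers bounds the work a reply can make the client do.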