Firewall Wizards mailing list archives

Re: dns outbound

From: Lance Spitzner <spitzner () dimension net>
Date: Mon, 17 May 1999 00:55:18 -0400 (EDT)

On Thu, 13 May 1999, Deepak Vaidya wrote:

I have gotten a request to allow all clients behind a firewall to have
unrestricted access to dns servers outside the firewall.  

Can I get help in coming up with pros and cons off doing that.  I tried to
search the archives but the search page is not working properly.

I am not comfortable in allowing udp packets outbound from all systems.
If it helps we are using firewall-1.


Personally, I do not see any harm in allowing DNS outbound through the
Firewall (UDP).   However, you should have an internal DNS server that 
everyone is using.  To open DNS outbound on Firewall-1, all you need is

Internal - Any - Domain_UDP - Accept

NOTE:
Make sure you are NOT using the default DNS rules in FW-1 Properties settings.

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc

Current thread:

dns outbound Deepak Vaidya (May 16)
- Re: dns outbound Lance Spitzner (May 17)
- Re: dns outbound Larry Chin (May 17)
  - RE: dns outbound Thomas Crowe (May 18)
- Re: dns outbound Joseph S D Yao (May 17)
- <Possible follow-ups>
- Re: dns outbound David Goldsmith (May 17)
- RE: dns outbound Buckley, Neil (May 17)
- Re: dns outbound Ryan Russell (May 17)
  - Re: dns outbound Marcus J. Ranum (May 18)
    - Re: dns outbound chuck (May 18)
    - Re: dns outbound Ge' Weijers (May 19)
    - Re: dns outbound Matt McClung (May 18)

(Thread continues...)