Date:      Fri, 19 Jul 2002 22:43:17 +0200 (CEST)
From:      Sabri Berisha <sabri@cluecentral.net>
To:        Arvinn Løkkebakken <arvinn@whitebird.no>
Cc:        <Danny.Carroll@mail.ing.nl>, <bart@dreamflow.nl>, <security@freebsd.org>
Subject:   RE: ipfw and it's glory...
Message-ID:  <20020719223957.O61716-100000@doos.cluecentral.net>
In-Reply-To: <4181.217.118.33.65.1027110415.squirrel@everlast.whitebird.no>

On Fri, 19 Jul 2002, Arvinn Løkkebakken wrote:

> >> But its source port will be 53.  So you can put in a rule for that.
> >> Plus it's only 1 or 2 servers so you can put in special rules for
> >> them.
> >
> > Unless you run a local dnscache (which I would do).
>
> So what? The scenario is the same! Even though it's caching dns info it
> has to go out there to get the info in the first place. Computers on the
> inside segment though don't need to get through the firewall to port 53,
> but the dns server itself has to!

If you don't run a local dnscache and your external dnscache gets rooted,
someone is able to send false responses to your firewall and thus possibly
'trusting' untrusted hosts.

Additionally, running a local dnscache reduces traffic to your dnsservers,
limiting exposure of what you (or the hosts inside) are doing (no, this
is not security by obscurity).

-- 
Sabri Berisha  - www.megabit.nl	- "I route, therefore you are"
      - http://www.fordreallysucks.com/more_info.html -
'that particular feeding of Martijn Bevelander, notorious spammer
and whiney repeat-posting troll, was almost a work of art.' (nanae)
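The two approaches discussed in this thread, as an added ipfw example that is not part of the original message: the stateless "trust source port 53" rule beside a stateful ruleset in which only the local dnscache may talk to port 53 and only replies to its own queries are let back in. The interface name fxp0 and the dnscache address 192.0.2.53 are assumptions; rules are printed rather than loaded unless APPLY is set.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (documentation range):
EXT_IF=fxp0          # external interface
DNSCACHE=192.0.2.53  # address of the local dnscache on the inside

# Dry run by default: print each rule. Set APPLY=1 to actually load it.
ipfw_add() {
    printf 'ipfw add %s\n' "$*"
    if [ -n "$APPLY" ]; then
        ipfw -q add "$@"
    fi
}

# The rule implied by "its source port will be 53": anything arriving from
# source port 53 is let in. Any host can choose that source port, so this
# admits forged answers (and arbitrary traffic) from anywhere.
weak_dns_rules() {
    ipfw_add allow udp from any 53 to any in via "$EXT_IF"
}

# Stateful alternative: the dnscache alone may query out (UDP, and TCP for
# large answers); check-state admits only replies matching a query it sent.
# Other inside hosts must use the dnscache, so their direct port-53 traffic
# is denied and logged, as is any unsolicited packet claiming source port 53.
dns_rules() {
    ipfw_add check-state
    ipfw_add allow udp from "$DNSCACHE" to any 53 out via "$EXT_IF" keep-state
    ipfw_add allow tcp from "$DNSCACHE" to any 53 out via "$EXT_IF" setup keep-state
    ipfw_add deny log udp from any to any 53 out via "$EXT_IF"
    ipfw_add deny log tcp from any to any 53 out via "$EXT_IF"
    ipfw_add deny log udp from any 53 to any in via "$EXT_IF"
}

dns_rules
```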

