Date: Fri, 19 Jul 2002 22:43:17 +0200 (CEST) From: Sabri Berisha <sabri@cluecentral.net> To: =?iso-8859-1?Q?Arvinn_L=F8kkebakken?= <arvinn@whitebird.no> Cc: <Danny.Carroll@mail.ing.nl>, <bart@dreamflow.nl>, <security@freebsd.org> Subject: RE: ipfw and it's glory... Message-ID: <20020719223957.O61716-100000@doos.cluecentral.net> In-Reply-To: <4181.217.118.33.65.1027110415.squirrel@everlast.whitebird.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 19 Jul 2002, Arvinn L=F8kkebakken wrote: > >> But it's source port will be 53. So you can put in a rule for that. > >> Plus it's only 1 or 2 servers so you can put in special rules for > >> them. > > > > Unless you run a local dnscache (which I would do). > > So what? The scenario is the same! Even though it's cahing dns info it > have to go out there to get the info in the first place. Computers on the > inside segment though doesn't need to get through the firewall to port 53= , > but the dns server itself has to! If you don't run a local dnscache and your external dnscache gets rooted, someone is able to send false responses to your firewall and thus possibly 'trusting' untrusted hosts. Additionally, running a local dnscache reduces traffic to your dnsservers, limiting exposure of what you (or the hosts inside) are doing (no, this is not security by obscurity). --=20 Sabri Berisha - www.megabit.nl=09- "I route, therefore you are" - http://www.fordreallysucks.com/more_info.html - 'that particular feeding of Martijn Bevelander, notorious spammer and whiney repeat-posting troll, was almost a work of art.' (nanae) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020719223957.O61716-100000>