Date: Wed, 30 Dec 1998 19:45:25 -0800
From: Dean <dean@thegrid.net>
To: Mike Holling <myke@ees.com>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and DNS
Message-ID: <368AF355.F8AA6397@thegrid.net>
References: <Pine.BSF.4.03.9812291333110.388-100000@phluffy.fks.bt>
Mike Holling wrote:

> I have the same question you do about DNS. One of my clients is using a
> machine to IP masquerade his LAN onto the Internet via a DSL link. His
> provider believes they will be able to successfully keep people from
> "running servers" by monitoring traffic and probing connected machines.
> Thus, they state that if they detect a DNS server running on his machine
> they will charge him $500/mo extra. Right now the machine is running a
> local caching server for the LAN, and I can't think of any good way to
> keep external machines from querying it while still allowing responses
> from other DNS servers back in. Please let me know if you get any good
> answers.
>
> Thanks,
>
> - Mike

That is pretty strange. I can't think of any way to keep the DNS server secret from the network provider.

I have an idea about keeping malicious packets from a DNS server. I have a machine with a PPP connection to my service provider (tun0) and an ethernet on the inside (ed0). Suppose I ran a DNS server on my gateway. I could block port 53 on the tun0 side, but allow them on the ed0 side. The only UDP packets to let through are those originating from 53.

I know that this isn't the greatest solution because UDP packets with a source port of 53 aren't necessarily from a DNS server.

Any input on this scheme?

Thanks,

Dean
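To make the scheme and its weakness concrete, here is an added simulation (not code from the thread, and not ipfw itself) that evaluates the ruleset Dean describes over constructed packets, and a stateful variant that admits a reply only if it answers a query the gateway actually sent. The interface names tun0 and ed0 come from the message; the rule ordering, the outbound-query rules and the ipfw-like first-match semantics are my assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str       # "tun0" (provider link) or "ed0" (LAN)
    direction: str   # "in" or "out"
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int

# Dean's scheme as an ordered, first-match ruleset (ipfw-like semantics assumed).
# Fields: action, proto, iface, direction, sport, dport; None matches anything.
# The LAN rules and the tun0 "out" rule are assumptions a caching resolver needs.
DEAN_RULES = [
    ("allow", "udp", "ed0",  None,  None, 53),   # LAN clients may query the resolver
    ("allow", "udp", "ed0",  None,  53,   None), # ...and receive its answers
    ("allow", "udp", "tun0", "out", None, 53),   # resolver's own upstream queries
    ("allow", "udp", "tun0", "in",  53,   None), # anything FROM source port 53 (Dean's rule)
    ("deny",  "udp", "tun0", None,  None, None), # all other UDP on the link, incl. port 53 queries
]

def matches(rule, p):
    _, proto, iface, direction, sport, dport = rule
    return (proto in (None, p.proto) and iface in (None, p.iface)
            and direction in (None, p.direction)
            and sport in (None, p.sport) and dport in (None, p.dport))

def evaluate(rules, p, default="deny"):
    """Return the action of the first matching rule."""
    for rule in rules:
        if matches(rule, p):
            return rule[0]
    return default

class StatefulFilter:
    """Same policy, but a tun0 reply is admitted only if it answers a query
    we actually sent: this closes the hole Dean points out."""
    def __init__(self):
        self.pending = set()   # local ports of outstanding upstream queries
    def evaluate(self, p):
        if p.iface != "tun0" or p.proto != "udp":
            return evaluate(DEAN_RULES, p)
        if p.direction == "out" and p.dport == 53:
            self.pending.add(p.sport)
            return "allow"
        if p.direction == "in" and p.sport == 53 and p.dport in self.pending:
            self.pending.discard(p.dport)
            return "allow"
        return "deny"
```

With the plain ruleset, a datagram arriving on tun0 with source port 53 and any destination port is allowed, which is exactly the weakness Dean notes; the stateful variant denies it unless a matching query is outstanding.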