Date: Tue, 24 Aug 1999 00:35:38 +0200
From: Ollivier Robert <roberto@keltia.freenix.fr>
To: freebsd-security@FreeBSD.ORG
Cc: Nate Williams <nate@mt.sri.com>
Subject: Re: IPFW/DNS rules
Message-ID: <19990824003538.A27031@keltia.freenix.fr>
In-Reply-To: <199908232024.OAA01685@mt.sri.com>; from Nate Williams on Mon, Aug 23, 1999 at 02:24:01PM -0600
References: <199908231935.NAA01122@mt.sri.com> <199908232012.NAA36075@gndrsh.dnsmgr.net> <199908232024.OAA01685@mt.sri.com>
According to Nate Williams:
> This seems insecure to me. Any external host can connect to port 53 on
> your internal hosts. Also, internal hosts can 'leak' information out
> externally.

If you don't want to leak information, use a double DNS. The method is
described in B. Chapman's book on firewalls. It is fairly, you have two
machines, one serving the external DNS with only a few records and another
one serving the inside DNS. The external machine is a _client_ of the
internal DNS and the internal DNS is forwarding every query that it doesn't
know about to the external one. That way, you can't leak information.

Beware that you'll find DNS info in the Received: headers added by your
mailservers.

You can do it on one machine if you use a very recent bind version because
it can bind to specific interfaces, so you can run two instances of bind.

> Any good books on this?

See the book from Brent Chapman.

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999
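The two-instance layout described in the reply, written out as an added example (not part of the original message or of the poster's setup): two named.conf files for two bind daemons on one box, each bound to one interface, the internal one forwarding only to the external one. Addresses, file paths and the zone name are constructed placeholders; start each instance with its own config file (`named -c <file>`) so they keep separate pid files.

```conf
# --- named-external.conf: instance 1, listens only on the outside address ---
# (constructed example; 192.0.2.1 is the public interface, 10.0.0.1 the inside one)
options {
    directory "/etc/namedb/external";
    pid-file "/var/run/named-external.pid";
    listen-on { 192.0.2.1; };          # never answer on the inside interface
    allow-query { any; };
    allow-transfer { 192.0.2.2; };     # constructed secondary; nobody else gets AXFR
    # Only the internal instance may recurse through us (it forwards here);
    # the outside world gets authoritative answers for the public zone only.
    allow-recursion { 10.0.0.1; };
};

zone "example.com" {
    type master;
    file "example.com.public";         # the handful of public records: NS, MX, www
};

# --- named-internal.conf: instance 2, listens only on the inside address ---
options {
    directory "/etc/namedb/internal";
    pid-file "/var/run/named-internal.pid";
    listen-on { 10.0.0.1; };           # inside hosts only
    allow-query { 10.0.0.0/8; };
    allow-recursion { 10.0.0.0/8; };
    allow-transfer { none; };          # the full internal zone never leaves this host
    # Everything this instance is not authoritative for goes to the external
    # instance and nowhere else, so internal names are never sent out directly.
    forward only;
    forwarders { 192.0.2.1; };
};

zone "example.com" {
    type master;
    file "example.com.internal";       # full internal zone, including private hosts
};
```

The firewall then only needs to allow port 53 to 192.0.2.1 from outside and from 10.0.0.1; internal hosts point their resolvers at 10.0.0.1 and are never reachable on port 53 from the outside.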