Date: Mon, 23 Aug 1999 16:56:55 -0600
From: Nate Williams <nate@mt.sri.com>
To: Ollivier Robert <roberto@keltia.freenix.fr>
Cc: freebsd-security@FreeBSD.ORG, Nate Williams <nate@mt.sri.com>
Subject: Re: IPFW/DNS rules
Message-ID: <199908232256.QAA02724@mt.sri.com>
In-Reply-To: <19990824003538.A27031@keltia.freenix.fr>
References: <199908231935.NAA01122@mt.sri.com> <199908232012.NAA36075@gndrsh.dnsmgr.net> <199908232024.OAA01685@mt.sri.com> <19990824003538.A27031@keltia.freenix.fr>
> > This seems insecure to me. Any external host can connect to port 53 on
> > your internal hosts. Also, internal hosts can 'leak' information out
> > externally.
>
> If you don't want to leak information, use a double DNS. The method is
> described in B. Chapman's book on firewalls.
>
> It is fairly, you have two machines, one serving the external DNS with only a
> few records and another one, serving the inside DNS. The external machine is
> _client_ of the internal DNS and the internal DNS is forwarding every query
> that it doesn't know about to the external one.
>
> That way, you can't leak information.
>
> Beware that you'll find DNS info in the Received: headers added by your
> mailservers.

Yep, but the mailserver information isn't anything I'm not already exposing
via MX records and such.

> You can do it on one machine if you use a very recent bind version because it
> can bind specific interfaces so you can run two instances of bind.

Interesting. Sounds like I need to get the new BIND/TCP book from O'Reilly
and the Chapman firewall book.

Thanks to all, this was an interesting learning experience for me...

Nate
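As an added illustration of the two-instance split DNS that Ollivier describes (this is not part of the original thread and not anyone's production config), the two named.conf fragments below run an external and an internal BIND on one host, each bound to its own interface, with the internal one forwarding unknown names to the external one. Addresses, zone names, file paths and the allow-recursion/query-source options are constructed placeholders in BIND 8/9 syntax; they assume a recent enough BIND to support listen-on.

```conf
// File 1: /etc/namedb/external.conf  (placeholder path)
// External instance: publishes only the few public records and is the
// only process that talks to the Internet. It listens on the outside
// interface only (203.0.113.10 is a documentation-range placeholder).
options {
    directory "/etc/namedb/external";
    pid-file  "/var/run/named.external.pid";
    listen-on { 203.0.113.10; };
    // Recursion is needed because the internal instance forwards to us,
    // but only that instance may use it; outside hosts get answers for
    // our public zone and nothing else.
    allow-recursion { 192.168.1.1; };
};

zone "example.com" {
    type master;
    file "external.example.com";   // MX, www and the name servers only
};

// File 2: /etc/namedb/internal.conf  (placeholder path)
// Internal instance: holds the full inside zone, listens on the inside
// interface only, and sends every query it cannot answer to the external
// instance. query-source pins the outgoing address so the external
// instance's allow-recursion list matches.
options {
    directory "/etc/namedb/internal";
    pid-file  "/var/run/named.internal.pid";
    listen-on { 192.168.1.1; };
    query-source address 192.168.1.1;
    forward only;
    forwarders { 203.0.113.10; };
};

zone "example.com" {
    type master;
    file "internal.example.com";   // all internal hosts, never exported
};
```

Each file is started as its own named process (e.g. `named -c` with the respective file), and the external host's resolv.conf points at the internal instance, so internal names never have to exist in the external zone file.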