From owner-freebsd-security Mon Aug 23 15:57:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 14A9D14E3F for ; Mon, 23 Aug 1999 15:57:21 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id QAA04176; Mon, 23 Aug 1999 16:56:55 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id QAA02724; Mon, 23 Aug 1999 16:56:55 -0600
Date: Mon, 23 Aug 1999 16:56:55 -0600
Message-Id: <199908232256.QAA02724@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Ollivier Robert
Cc: freebsd-security@FreeBSD.ORG, Nate Williams
Subject: Re: IPFW/DNS rules
In-Reply-To: <19990824003538.A27031@keltia.freenix.fr>
References: <199908231935.NAA01122@mt.sri.com> <199908232012.NAA36075@gndrsh.dnsmgr.net> <199908232024.OAA01685@mt.sri.com> <19990824003538.A27031@keltia.freenix.fr>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > This seems insecure to me.  Any external host can connect to port 53 on
> > your internal hosts.  Also, internal hosts can 'leak' information out
> > externally.
>
> If you don't want to leak information, use a double DNS.  The method is
> described in B. Chapman's book on firewalls.
>
> It is fairly simple: you have two machines, one serving the external DNS
> with only a few records and another one serving the inside DNS.  The
> external machine is _client_ of the internal DNS and the internal DNS is
> forwarding every query that it doesn't know about to the external one.
>
> That way, you can't leak information.
>
> Beware that you'll find DNS info in the Received: headers added by your
> mailservers.
Yep, but the mailserver information isn't anything I'm not already
exposing via MX records and such.

> You can do it on one machine if you use a very recent bind version because
> it can bind to specific interfaces, so you can run two instances of bind.

Interesting.  Sounds like I need to get the new BIND/TCP book from
O'Reilly and the Chapman firewall book.

Thanks to all, this was an interesting learning experience for me...


Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
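The "double DNS" layout Ollivier describes, in the single-machine variant (two BIND instances, each bound to one interface), as an added configuration example that is not part of the thread and not from Chapman's book. It uses BIND 8.2-era named.conf syntax (`listen-on`, `forward only`, `forwarders`, `allow-recursion`, `query-source`, `pid-file`); the addresses 192.0.2.53 (outside interface) and 10.0.0.53 (inside interface), the zone example.com, and every file path are assumptions chosen for illustration.

```conf
// ---- /etc/namedb/named.internal.conf : the inside instance ----
// Listens only on the inside address and holds the full internal zone.
// Anything it does not know is forwarded to the outside instance, so
// inside hosts never talk to the Internet on port 53 themselves.
// (Assumed layout: both instances on one host; hosts inside, and the
// host's own /etc/resolv.conf, point at 10.0.0.53.)
options {
    directory "/etc/namedb/internal";           // hypothetical path
    pid-file "/var/run/named.internal.pid";     // one pid file per instance
    listen-on { 10.0.0.53; };                   // inside interface only
    query-source address 10.0.0.53 port *;      // fixed source, so the outside
                                                // instance can tell who is asking
    forward only;                               // never recurse to the Internet
    forwarders { 192.0.2.53; };                 // ... except via the outside instance
    allow-query { 10.0.0.0/8; 127.0.0.1; };     // inside clients only
    allow-transfer { none; };                   // no AXFR of the inside map
};

zone "example.com" {
    type master;
    file "example.com";                         // full internal view: every inside host
};

zone "0.0.10.in-addr.arpa" {
    type master;
    file "10.0.0.rev";                          // inside reverse map
};

// ---- /etc/namedb/named.external.conf : the outside instance ----
// Listens only on the outside address. Its copy of example.com holds the
// handful of public records (NS, MX, the bastion's A record) and nothing
// about inside hosts. It recurses on behalf of the inside instance only,
// never for arbitrary outside hosts.
options {
    directory "/etc/namedb/external";           // hypothetical path
    pid-file "/var/run/named.external.pid";
    listen-on { 192.0.2.53; };                  // outside interface only
    allow-query { any; };                       // the public records are meant to be public
    allow-recursion { 10.0.0.53; };             // only the inside instance may use us as a resolver
    allow-transfer { 192.0.2.54; };             // assumed public secondary; nobody else gets AXFR
};

zone "." {
    type hint;
    file "named.root";                          // root hints: only this instance walks the Internet
};

zone "example.com" {
    type master;
    file "example.com.public";                  // few records: NS, MX, bastion A
};
```

Each instance is started with its own config (`named -c /etc/namedb/named.internal.conf`, `named -c /etc/namedb/named.external.conf`). Two things to check after bringing it up: a query from inside for an inside-only name must be answered by 10.0.0.53 without ever leaving the host, and a query from outside to 192.0.2.53 for an inside-only name must get NXDOMAIN, not an answer and not recursion. With this split the packet filter only needs to pass UDP and TCP port 53 to 192.0.2.53, and from 192.0.2.53 outward; nothing from outside needs to reach 10.0.0.53 at all. If the outside instance is moved to a separate bastion host, as in the two-machine version, `allow-recursion` on it should name the inside server's address and the bastion's /etc/resolv.conf should point at the inside server, which is what "the external machine is client of the internal DNS" means in practice. The leak paths Ollivier and Nate mention remain: the public MX and NS records, and the Received: headers your mailers add, are visible regardless of how the zones are split.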