Date: Mon, 12 Jun 2000 21:42:05 -0400
From: Mike Tancsa <mike@sentex.net>
To: Hugh Ho <hho321@yahoo.com>, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW rules for DNS?
Message-ID: <4.2.2.20000612213940.036c4ec0@mail.sentex.net>
In-Reply-To: <20000613014237.10942.qmail@web210.mail.yahoo.com>
At 06:42 PM 6/12/2000 -0700, Hugh Ho wrote:
>I need to do nslookup quite often, and I have the following IPFW rules which
>allow nslookup to talk to my ISP's DNS server:
>
> allow udp from ${my_ip} to ${dns_server} 53
> allow udp from ${dns_server} 53 to ${my_ip}
>
>Problem with the above rules is that people can pass IPFW if they use UDP port
>53 with a spoofed IP that matches my ISP's DNS server. Is there a way to fix my
>problem?

Sadly no. However, your ISP should be at least blocking spoofed addresses from the outside world from coming in to their network. But that does not of course prevent other users from inside from doing so. Make sure bind is running in its own sandbox in case you are not doing so already.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
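As an added illustration (not part of the thread), the following model shows why the two stateless rules in the question accept any inbound packet whose header claims source ${dns_server}:53, and how a reply-matching check, the idea behind ipfw's dynamic rules, admits only packets that answer a query this host actually sent. It narrows the window rather than closing it, which is consistent with Mike's answer. The addresses are constructed placeholders.

```python
# Added example, not code from the thread. Models the two stateless ipfw
# rules from the question next to a reply-matching filter. All addresses
# below are constructed placeholders standing in for ${my_ip}/${dns_server}.
from dataclasses import dataclass

MY_IP = "192.0.2.10"        # constructed: ${my_ip}
DNS_SERVER = "192.0.2.53"   # constructed: ${dns_server}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allows(pkt: Packet) -> bool:
    """The two rules from the question: only header fields are examined."""
    outbound = pkt.src == MY_IP and pkt.dst == DNS_SERVER and pkt.dport == 53
    inbound = pkt.src == DNS_SERVER and pkt.sport == 53 and pkt.dst == MY_IP
    return outbound or inbound


class ReplyMatchingFilter:
    """Admit an inbound UDP/53 packet only if it answers a query we sent
    (same resolver address, same ephemeral port). A forged packet that also
    guesses an open ephemeral port still matches, so this reduces rather
    than removes the spoofing problem."""

    def __init__(self) -> None:
        self.pending: set[tuple[str, int]] = set()  # (resolver, our port)

    def allows(self, pkt: Packet) -> bool:
        if pkt.src == MY_IP and pkt.dst == DNS_SERVER and pkt.dport == 53:
            self.pending.add((pkt.dst, pkt.sport))
            return True
        key = (pkt.src, pkt.dport)
        if pkt.dst == MY_IP and pkt.sport == 53 and key in self.pending:
            self.pending.discard(key)  # one reply per outstanding query
            return True
        return False


def demo() -> dict:
    query = Packet(MY_IP, 40123, DNS_SERVER, 53)
    reply = Packet(DNS_SERVER, 53, MY_IP, 40123)
    # The case Hugh describes: source forged as the resolver, UDP source 53,
    # but aimed at a port no query was sent from.
    spoofed = Packet(DNS_SERVER, 53, MY_IP, 22)
    f = ReplyMatchingFilter()
    return {"stateless": [stateless_allows(p) for p in (query, reply, spoofed)],
            "reply_matching": [f.allows(p) for p in (query, reply, spoofed)]}
```

`demo()` returns `[True, True, True]` for the stateless rules and `[True, True, False]` for the reply-matching filter; a second copy of the genuine reply is also refused once the pending entry has been consumed.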