From: Sabri Berisha
To: Arvinn Løkkebakken
Delivered-To: freebsd-security@freebsd.org
Subject: RE: ipfw and it's glory...
Date: Fri, 19 Jul 2002 22:43:17 +0200 (CEST)
In-Reply-To: <4181.217.118.33.65.1027110415.squirrel@everlast.whitebird.no>
Message-ID: <20020719223957.O61716-100000@doos.cluecentral.net>

On Fri, 19 Jul 2002, Arvinn Løkkebakken wrote:

> >> But its source port will be 53. So you can put in a rule for that.
> >> Plus it's only 1 or 2 servers so you can put in special rules for
> >> them.
> >
> > Unless you run a local dnscache (which I would do).
>
> So what? The scenario is the same! Even though it's caching dns info it
> has to go out there to get the info in the first place. Computers on the
> inside segment though don't need to get through the firewall to port 53,
> but the dns server itself has to!

If you don't run a local dnscache and your external dnscache gets rooted,
someone is able to send false responses to your firewall and thus possibly
'trusting' untrusted hosts.

Additionally, running a local dnscache reduces traffic to your dnsservers,
limiting exposure of what you (or the hosts inside) are doing (no, this is
not security by obscurity).

-- 
Sabri Berisha - www.megabit.nl - "I route, therefore you are"
- http://www.fordreallysucks.com/more_info.html
- 'that particular feeding of Martijn Bevelander, notorious spammer and
  whiney repeat-posting troll, was almost a work of art.' (nanae)
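The two ipfw styles the thread contrasts, written out as a rule list: a single rule that trusts anything with source port 53, beside a ruleset where only the local dnscache reaches remote port 53 and replies are admitted by state rather than by source port. This is an added example, not code from the thread; the interface names, the addresses and the placement of the dnscache on the firewall host are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). IPFW defaults to echo so the script
# runs anywhere; on a real FreeBSD firewall set IPFW=/sbin/ipfw.
# Interface names and addresses below are assumed values.
IPFW="${IPFW:-echo}"
EXT_IF="${EXT_IF:-fxp0}"       # assumed external interface
INT_IF="${INT_IF:-fxp1}"       # assumed internal interface
CACHE="${CACHE:-192.0.2.1}"    # assumed address of the dnscache on the firewall
LAN="${LAN:-192.168.1.0/24}"   # assumed inside segment

# Weak variant: accepts any UDP whose source port is 53. Any remote host can
# choose 53 as its source port, so unsolicited packets reach every inside host.
weak_rules() {
    $IPFW add 1000 allow udp from any 53 to any
}

# Hardened variant: inside hosts only talk to the local cache; only the cache
# queries the outside, and answers are matched against the dynamic state its
# own queries created (check-state/keep-state), not by source port alone.
hardened_rules() {
    $IPFW add 900 check-state
    $IPFW add 1000 allow udp from "$LAN" to "$CACHE" 53 in via "$INT_IF" keep-state
    $IPFW add 1010 allow udp from "$CACHE" to any 53 out via "$EXT_IF" keep-state
    $IPFW add 1020 allow tcp from "$CACHE" to any 53 out via "$EXT_IF" setup keep-state
    $IPFW add 1030 deny log udp from any 53 to any in via "$EXT_IF"
    $IPFW add 1040 deny log udp from any to any 53
    $IPFW add 1050 deny log tcp from any to any 53
}

# True when a variant admits traffic purely because its source port is 53.
trusts_source_port() { "$1" | grep -q 'from any 53 to any$'; }

# True when a variant matches replies against state from outbound queries.
uses_state() { "$1" | grep -q 'keep-state' && "$1" | grep -q 'check-state'; }

weak_rules
echo '---'
hardened_rules
```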