From owner-freebsd-security Wed Dec 30 19:52:00 1998
Message-ID: <368AF355.F8AA6397@thegrid.net>
Date: Wed, 30 Dec 1998 19:45:25 -0800
From: Dean <dean@thegrid.net>
To: Mike Holling, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and DNS

Mike Holling wrote:
> I have the same question you do about DNS. One of my clients is using a
> machine to IP masquerade his LAN onto the Internet via DSL link. His
> provider believes they will be able to successfully keep people from
> "running servers" by monitoring traffic and probing connected machines.
> Thus, they state that if they detect a DNS server running on his machine
> they will charge him $500/mo extra. Right now the machine is running a
> local caching server for the LAN, and I can't think of any good way to
> keep external machines from querying it while still allowing responses
> from other DNS servers back in. Please let me know if you get any good
> answers.
>
> Thanks,
>
> - Mike

That is pretty strange. I can't think of any way to keep the DNS server
secret from the network provider. I have an idea about keeping malicious
packets from a DNS server.

I have a machine with a ppp connection to my service provider (tun0) and
an ethernet on the inside (ed0). Suppose I ran a DNS server on my gateway.
I could block port 53 on the tun0 side, but allow them on the ed0 side.
The only UDP packets to let through are those originating from port 53.
I know that this isn't the greatest solution because UDP packets with a
source port of 53 aren't necessarily from a DNS server. Any input on this
scheme?

Thanks,
Dean

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
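As an added illustration (not a ruleset posted in this thread), the following script emits the ipfw rules for the scheme Dean sketches above, outside interface tun0 and inside interface ed0 as in his post, in two variants. The first is the stateless form he describes: port 53 is closed on tun0, open on ed0, and inbound UDP is admitted only when its source port is 53. The comments point out why that last rule is the weak spot he already suspects: the rule trusts a source port that any sender can choose, so it also admits packets aimed at every other UDP service on the gateway. The second variant assumes an ipfw new enough to have `check-state`/`keep-state` (FreeBSD 4.0 and later, so not the 1998 system in the thread) and admits replies only when they match a query the gateway itself sent. Rule numbers and the `IPFW` variable are this example's own choices; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example for the "ipfw and DNS" thread; not code from the original post.
# Interface names follow Dean's message: tun0 outside (ppp), ed0 inside (LAN).
# IPFW defaults to "echo ipfw" so the script is a dry run; set IPFW=ipfw to apply.
set -eu

OUTSIDE="${OUTSIDE:-tun0}"
INSIDE="${INSIDE:-ed0}"
IPFW="${IPFW:-echo ipfw}"

# Stateless scheme as described in the thread.
# Ordering matters: the deny on port 53 inbound (1110) must precede the
# "source port 53" allow (1120), otherwise a spoofed 53->53 packet would
# reach the resolver. Even so, 1120 still admits any UDP packet whose sender
# picked source port 53 and aimed it at some *other* UDP port on the gateway;
# that is the weakness Dean points out.
dns_rules_stateless() {
    outside="$1"; inside="$2"
    cat <<EOF
add 1000 allow udp from any to any 53 via $inside
add 1010 allow udp from any 53 to any via $inside
add 1100 allow udp from any to any 53 out via $outside
add 1110 deny udp from any to any 53 in via $outside
add 1120 allow udp from any 53 to any in via $outside
EOF
}

# Stateful variant (assumes ipfw with check-state/keep-state, FreeBSD 4.0+).
# Outbound queries from the gateway create a dynamic entry; only a reply that
# matches that entry (addresses and ports swapped) passes at check-state.
# Unsolicited inbound UDP with source port 53 is now denied outright (2120).
dns_rules_stateful() {
    outside="$1"; inside="$2"
    cat <<EOF
add 2000 check-state
add 2010 allow udp from any to any 53 via $inside
add 2020 allow udp from any 53 to any via $inside
add 2100 allow udp from any to any 53 out via $outside keep-state
add 2110 deny udp from any to any 53 in via $outside
add 2120 deny udp from any 53 to any in via $outside
EOF
}

# Feed each generated rule to ipfw (or echo it in dry-run mode).
apply_rules() {
    mode="$1"
    case "$mode" in
        stateless) dns_rules_stateless "$OUTSIDE" "$INSIDE" ;;
        stateful)  dns_rules_stateful  "$OUTSIDE" "$INSIDE" ;;
        *) echo "usage: $0 stateless|stateful" >&2; return 2 ;;
    esac | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $IPFW is intended
        $IPFW $rule
    done
}

apply_rules "${1:-stateless}"
```

Run it as `sh dns-ipfw.sh stateless` or `sh dns-ipfw.sh stateful` to see the rules, and with `IPFW=ipfw` to install them. Because the stateless variant has to trust a source port, a modern deployment would pick the stateful one, and a caching resolver for the LAN would additionally be configured to listen only on the inside interface so the filter is not its only protection.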