Date: Wed, 30 Dec 1998 22:14:40 -0700
From: Wes Peters <wes@softweyr.com>
To: Dean <dean@thegrid.net>
Cc: Mike Holling <myke@ees.com>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and DNS
Message-ID: <368B0840.96FC6A6C@softweyr.com>
References: <Pine.BSF.4.03.9812291333110.388-100000@phluffy.fks.bt> <368AF355.F8AA6397@thegrid.net>
Dean wrote:
>
> Mike Holling wrote:
>
> > I have the same question you do about DNS. One of my clients is using a
> > machine to IP masquerade his LAN onto the Internet via DSL link. His
> > provider believes they will be able to successfully keep people from
> > "running servers" by monitoring traffic and probing connected machines.
> > Thus, they state that if they detect a DNS server running on his machine
> > they will charge him $500/mo extra. Right now the machine is running a
> > local caching server for the LAN, and I can't think of any good way to
> > keep external machines from querying it while still allowing responses
> > from other DNS servers back in. Please let me know if you get any good
> > answers.
> >
> > Thanks,
> >
> > - Mike
>
> That is pretty strange. I can't think of any way to keep the dns server
> secret from the network provider.
The DSL interface is probably on ethernet. If your friend is using natd
on a dedicated machine, he could try natd -deny_incoming, which discards
packets bound to the natd machine itself. Another solution would be
to install ipfw and deny inbound connections to DNS.
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com
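The ipfw approach suggested in the message above, sketched as an added example that is not part of the original thread: the gateway's caching resolver can still query upstream servers and receive their replies, while queries arriving on the outside interface are dropped and logged. It assumes an ipfw that supports stateful rules (`check-state`, `keep-state`) and the `me` keyword; the interface names, LAN prefix and rule numbers are placeholders, and the numbers are assumed to be lower than any natd divert rule.

```shell
#!/bin/sh
# Added example: DNS rules for a NAT gateway that runs a caching resolver.
# Dry run by default (commands are only printed); set IPFW=/sbin/ipfw to apply.
IPFW="${IPFW:-echo ipfw}"
OIF="${OIF:-ed0}"               # assumed outside (DSL) interface
IIF="${IIF:-ed1}"               # assumed inside (LAN) interface
LAN="${LAN:-192.168.1.0/24}"    # assumed LAN prefix

dns_rules() {
    # 1. LAN clients may query the local caching resolver.
    for proto in udp tcp; do
        $IPFW add 200 allow $proto from "$LAN" to me 53 in via "$IIF"
    done

    # 2. Packets that belong to a flow the gateway started itself
    #    (the resolver's own lookups) match dynamic state here.
    $IPFW add 210 check-state

    # 3. The resolver's outbound queries create that state, so only
    #    replies to questions it actually asked are let back in.
    $IPFW add 220 allow udp from me to any 53 out via "$OIF" keep-state
    $IPFW add 220 allow tcp from me to any 53 out via "$OIF" setup keep-state

    # 4. Anything else addressed to port 53 on the outside interface is an
    #    unsolicited query or probe: drop it and log it for review.
    for proto in udp tcp; do
        $IPFW add 230 deny log $proto from any to me 53 in via "$OIF"
    done
}

dns_rules
```

Rule order carries the policy: `check-state` has to be evaluated before the deny rules, otherwise replies to the resolver's own queries would be dropped along with outside probes.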
