Date:      Sat, 29 Jun 1996 18:33:35 +0200 (MET DST)
From:      J Wunsch <j@uriah.heep.sax.de>
To:        chat@freebsd.org
Cc:        nate@mt.sri.com, roberto@keltia.freenix.fr, nash@mcs.com
Subject:   Re: Firewalling DNS TCP (was Re: IPFW bugs?)
Message-ID:  <199606291633.SAA29276@uriah.heep.sax.de>
In-Reply-To: <199606291507.KAA06356@zen.nash.org> from Alex Nash at "Jun 29, 96 10:07:51 am"

(Moved to -chat since it's of political, not technical nature. :)

As Alex Nash wrote:

>    We suggest that sites filter socket 53 (TCP) to prevent domain
>    name service zone transfers.  Permit access to socket 53 (TCP)
>    only from known secondary domain name servers.  This prevents
>    intruders from gaining additional knowledge about the systems
>    connected to your local network.

I think that idea is fundamentally flawed. :-)

I usually transfer DNS zone files if i think this will take load off
my line (e.g. for zones i know i'm referencing quite often).  DNS is a
_public service_, and if local sites have something you can learn from
a DNS zone transfer, this is rather an indication that there's
something else broken at this site.  E.g., they are using a firewall
to hide the administrative chaos they've got in their local network,
and thus don't want you to know about the local hosts -- but of
course, you are a clever Bad Guy, thus you do already know which hosts
they've got and which are vulnerable, and at the least, you know how
to get this information even without the support of their DNS
server. <:)

Further, the above statement is moot if the ``known secondary domain
name servers'' don't do the same policy, and if they are not sure
whether all their ``known secondary domain name servers'' are beyond
suspicion that they do also filter port 53 etc...

``Firewalls are a lame excuse for total lack of local system
administration.'' :)

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
