Re: [fw-wiz] SCADA
- From: "Paul D. Robertson" <paul@xxxxxxxxxxxx>
- Date: Mon, 27 Apr 2009 16:11:21 -0400 (EDT)
On Mon, 27 Apr 2009, Dotzero wrote:
> It's not just executable code. I do a DNS lookup to find out where to
> connect to. The proxy passes the answer. It does not guarantee the

No, a proxy *keeps* the answer, it doesn't pass it to the client, which is
why it's the best answer- otherwise tunneling over DNS is trivial.

> answer is correct. And for those who would point to DNSSEC, how many
> domains currently sign? When will the root sign? When will .com sign?

If the proxy goes to the roots, then the only potential point of
compromise is the answering domain's DNS server- if you can pwn there, you
can probably pwn whatever it is that the client wants to get to. A very
minimal risk in my book.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards