Re: [fw-wiz] SCADA



On Mon, 27 Apr 2009, Dotzero wrote:

> It's not just executable code. I do a DNS lookup to find out where to
> connect to. The proxy passes the answer. It does not guarantee the

No, a proxy *keeps* the answer, it doesn't pass it to the client, which is
why it's the best answer- otherwise tunneling over DNS is trivial.

> answer is correct. And for those who would point to DNSSEC, how many
> domains currently sign? When will the root sign? When will .com sign?

If the proxy goes to the roots, then the only potential point of
compromise is the answering domain's DNS server- if you can pwn there, you
can probably pwn whatever it is that the client wants to get to. A very
minimal risk in my book.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
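
The proxy behaviour described in the message above (the proxy resolves the name and keeps the answer), sketched as an added example that is not part of the original post or any product's code. The function name, the reply strings, the host names and the fake resolver and dialer are all assumptions constructed for illustration.

```python
import socket

# Fixed client-facing replies: no resolver data is ever copied into them.
REPLY_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
REPLY_FAIL = b"HTTP/1.1 502 Bad Gateway\r\n\r\n"


def proxy_connect(host, port, audit, resolve=socket.getaddrinfo,
                  dial=socket.create_connection):
    """Handle a client's 'connect me to host:port' request on the proxy.

    Returns (reply_bytes_for_client, upstream_socket_or_None). The lookup
    result stays on the proxy (audit log and upstream socket only).
    """
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        audit.append(("resolve-failed", host, str(exc)))
        return REPLY_FAIL, None
    for _family, _type, _proto, _canon, sockaddr in infos:
        try:
            upstream = dial(sockaddr[:2], timeout=5)
        except OSError as exc:
            audit.append(("dial-failed", host, sockaddr[0], str(exc)))
            continue
        audit.append(("connected", host, sockaddr[0]))
        return REPLY_OK, upstream
    return REPLY_FAIL, None


# --- constructed stand-ins so the example runs offline (hypothetical names) ---
def fake_resolve(host, port, type=0):
    if host == "hmi.plant.example":
        return [(socket.AF_INET, type, 6, "", ("192.0.2.10", port))]
    raise socket.gaierror(socket.EAI_NONAME, "name not known")


def fake_dial(addr, timeout=None):
    return ("upstream-socket-to", addr)  # placeholder object, no network I/O


def demo():
    audit = []
    good = proxy_connect("hmi.plant.example", 443, audit, fake_resolve, fake_dial)
    bad = proxy_connect("data.tunnel.example", 443, audit, fake_resolve, fake_dial)
    return good, bad, audit
```

The client side of this interface only ever receives one of the two fixed replies; the address and any resolver error text go to the proxy's audit list.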