Re: DNS traffic from DMZ to internal network - Is it vulnerable?
From: David (davidwnh@adelphia.net)
Date: 11/27/02
- Next message: Mimic: "Re: A Royal Name"
- Previous message: David: "Re: Denial of Service Problems with Linksys Products"
- In reply to: Doug Fox: "DNS traffic from DMZ to internal network - Is it vulnerable?"
- Next in thread: Doug Fox: "Re: DNS traffic from DMZ to internal network - Is it vulnerable?"
- Reply: Doug Fox: "Re: DNS traffic from DMZ to internal network - Is it vulnerable?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David" <davidwnh@adelphia.net> Date: Wed, 27 Nov 2002 17:10:03 GMT
Be sure to have 53/TCP blocked, which is used for zone transfers. You can
limit which internal computers have reverse lookup entries if this is
acceptable, decide whether or not your internal DNS servers allow zone
transfers, and tighten access control lists on the DNS servers. For example,
you could tighten your ACLs on a per-zone basis so that your DMZ server only
has access to the zone information needed. All of this depends on the extent
of your internal network and your particular setup and requirements. All of
this would apply to MS DNS servers; however, I don't know the ACL limitations
involved with BIND or some other DNS servers, if that is your case. Someone
else could probably comment about how ACL control with BIND could be
implemented to better protect you, if that is your case.
"Doug Fox" <dfox168@hotmail.com> wrote in message
news:3de4e8a2_1@news1.prserv.net...
> A customer has a Check Point FW-1 4.1 SP6 firewall with a DMZ. There is a
> requirement for DNS reverse lookup for a server in the DMZ. He wants to
> allow DNS (53/udp) traffic from the DMZ to access the internal DNS for
> reverse name resolution from the DMZ.
>
> To make this happen, the firewall rule has to allow DNS (53/udp) traffic
> from DMZ to the internal network. An opinion against this setup is that it
> could allow "intruder" to footprint the internal network?! Is there a way
> to mitigate the risk?
>
> Any comments are appreciated.
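Since the reply above describes per-zone ACLs for MS DNS and asks how the same thing would be done with BIND, here is an added example of a BIND 9 named.conf fragment that implements that layout: the DMZ server may query only the reverse zone it needs, nobody outside the internal network may query the forward zone, and zone transfers are refused except to a named secondary. This is not configuration from the original post or from any real site; the addresses (192.0.2.10 for the DMZ server, 10.0.0.0/8 for the internal network, 10.0.0.2 for the secondary) and zone names are placeholders I have assumed.

```conf
// Added example (not from the original post). Placeholder addresses:
//   192.0.2.10   - the DMZ server that needs reverse lookups
//   10.0.0.0/8   - internal network
//   10.0.0.2     - internal secondary DNS server

acl "internal"     { 10.0.0.0/8; 127.0.0.1; };
acl "dmz-resolver" { 192.0.2.10/32; };
acl "secondaries"  { 10.0.0.2/32; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };   // DMZ host gets answers only for zones hosted here
    allow-query     { internal; };   // global default; zones below override it
    allow-transfer  { none; };       // global default: refuse AXFR/IXFR everywhere
    version "none";                  // don't advertise the server version in CHAOS TXT
};

// Forward zone: internal clients only. The DMZ server cannot query it,
// so it cannot walk hostnames even if a PTR answer points at one.
zone "corp.example" {
    type master;
    file "corp.example.db";
    allow-query    { internal; };
    allow-transfer { secondaries; };
};

// Reverse zone: the one zone the DMZ server needs. The per-zone allow-query
// adds the DMZ server; transfers are still limited to the secondary.
zone "10.in-addr.arpa" {
    type master;
    file "10.rev";
    allow-query    { internal; dmz-resolver; };
    allow-transfer { secondaries; };
};
```

Two things worth checking once this is in place. From the DMZ server, `dig @<internal-dns> AXFR 10.in-addr.arpa` should report "Transfer failed", and `dig @<internal-dns> www.corp.example` should return REFUSED, while a PTR query for an address in 10.in-addr.arpa still answers. The remaining exposure is the content of the reverse zone itself, which is why the reply suggests only publishing PTR records for the internal hosts the DMZ server actually needs to resolve. One caveat on blocking 53/TCP at the firewall: TCP is also used when a UDP answer is truncated, so keep the reverse zone's answers small (they normally are) or the DMZ server's lookups will intermittently fail.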