Re: DNS traffic from DMZ to internal network - Is it vulnerable?
From: Doug Fox (dfox168@hotmail.com)
Date: 11/27/02
- Next message: NeoSadist: "Re: netbios"
- Previous message: Andrew Eakett: "cross-platform password manager"
- In reply to: David: "Re: DNS traffic from DMZ to internal network - Is it vulnerable?"
- Next in thread: phn@icke-reklam.ipsec.nu: "Re: DNS traffic from DMZ to internal network - Is it vulnerable?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Doug Fox" <dfox168@hotmail.com> Date: Wed, 27 Nov 2002 13:44:15 -0500
Thank you all for great input.
"David" <davidwnh@adelphia.net> wrote in message
news:L%6F9.15709$kO5.2310429@news1.news.adelphia.net...
> Be sure to have 53 TCP blocked which is used for zone transfers. You can
> limit which internal computers have reverse lookups entries if this is
> acceptable, whether or not your internal DNS servers allow zone transfers,
> and tighten access control lists on the DNS servers. For example you could
> tighten your acl's on a per zone basis so that your DMZ server only has
> access to the zone information needed. All of this depends on the extent of
> your internal network, and your particular setup and requirements. All of
> this would apply to MS DNS servers, however I don't know the acl limitations
> involved with Bind or some other DNS servers if that is your case. Someone
> else could probably comment about how acl control with Bind could be
> implemented to better protect you if that is your case.
>
> "Doug Fox" <dfox168@hotmail.com> wrote in message
> news:3de4e8a2_1@news1.prserv.net...
> > A customer has a Check Point FW-1 4.1 SP6 firewall with a DMZ. There is a
> > requirement for DNS reverse lookup for a server in the DMZ. He wants to
> > allow DNS (53/udp) traffic from the DMZ to access the internal DNS for
> > reverse name resolution from the DMZ.
> >
> > To make this happen, the firewall rule has to allow DNS (53/udp) traffic
> > from DMZ to the internal network. An opinion against this setup is that it
> > could allow "intruder" to footprint the internal network?! Is there a way
> > to mitigate the risk?
> >
> > Any comments are appreciated.
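Since the reply quoted above asks how the per-zone ACL approach would look on BIND rather than MS DNS, here is an added example of a named.conf fragment for the internal server, in BIND 9 syntax. It is not configuration from anyone in this thread. The addresses and zone names are assumptions: 192.0.2.10 is the DMZ server that needs reverse lookups, 10.0.0.0/8 is the internal network, 10.0.0.2 is an internal secondary name server, corp.example is the forward zone, and 2.0.10.in-addr.arpa is the one reverse zone the DMZ server actually needs.

```conf
// Added example, not the poster's configuration. Addresses and zone
// names are assumed; adjust them to the real network.
acl "dmz-reverse-clients" { 192.0.2.10/32; };   // the one DMZ server that needs PTR lookups
acl "internal"            { 10.0.0.0/8; };       // internal clients
acl "secondaries"         { 10.0.0.2/32; };      // internal secondary name server

options {
    directory "/var/named";
    // Global defaults: nothing outside the internal network may query,
    // recurse through, or transfer from this server. allow-transfer is
    // set explicitly rather than relying on the default for the version.
    allow-query     { internal; };
    allow-recursion { internal; };
    allow-transfer  { none; };
};

// Forward zone: the DMZ host is deliberately NOT in allow-query, so a
// compromised DMZ box cannot enumerate internal hostnames from here.
zone "corp.example" IN {
    type master;
    file "db.corp.example";
    allow-transfer { secondaries; };
};

// The reverse zone the DMZ server needs: a zone-level allow-query
// overrides the global one and adds that single host, for this zone only.
zone "2.0.10.in-addr.arpa" IN {
    type master;
    file "db.10.0.2";
    allow-query    { internal; dmz-reverse-clients; };
    allow-transfer { secondaries; };
};

// Other internal reverse zones inherit the global allow-query, so the
// DMZ server gets REFUSED if it tries to sweep PTRs outside 10.0.2.0/24.
zone "1.0.10.in-addr.arpa" IN {
    type master;
    file "db.10.0.1";
    allow-transfer { secondaries; };
};
```

To check it from the DMZ server: dig @internal-dns -x 10.0.2.5 should answer, while dig @internal-dns www.corp.example, dig @internal-dns -x 10.0.1.5 and dig @internal-dns corp.example axfr should all come back REFUSED. Two caveats worth pairing with the firewall advice: the FW-1 rule should allow 53/udp only from that DMZ host to the internal DNS server's address, not to the whole internal network, and the server-side allow-transfer is the control that actually stops zone transfers (AXFR runs over TCP, and BIND will also fall back to TCP for any answer over 512 bytes, so blanket blocking of TCP/53 can break large lookups, though PTR answers are normally small).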