Re: DNS traffic from DMZ to internal network - Is it vulnerable?
From: phn@icke-reklam.ipsec.nu
Date: 11/27/02
- Next message: silent pro: "Whois on akamai related sites?"
- Previous message: Lee: "CMD.exe"
- In reply to: Doug Fox: "DNS traffic from DMZ to internal network - Is it vulnerable?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: phn@icke-reklam.ipsec.nu Date: Wed, 27 Nov 2002 19:49:03 +0000 (UTC)
In comp.security.misc Doug Fox <dfox168@hotmail.com> wrote:
> A customer has a Check Point FW-1 4.1 SP6 firewall with a DMZ. There is a
> requirement for DNS reverse lookup for a server in the DMZ. He wants to
> allow DNS (53/udp) traffic from the DMZ to access the internal DNS for
> reverse name resolution from the DMZ.
> To make this happen, the firewall rule has to allow DNS (53/udp) traffic
> from DMZ to the internal network. An opinion against this setup is that it
> could allow "intruder" to footprint the internal network?! Is there a way
> to mitigate the risk?
> Any comments are appreciated.
I suppose the internal IPs are RFC 1918 networks?
The most practical way is to have a caching-only server on the DMZ itself,
slaving the 1918 nets from inside.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out;
remove "icke-reklam" if you feel like mailing me. Thanx.
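The caching-only slave setup Peter describes, written out as a BIND 9 configuration. This is an added example, not configuration from the original post or from either poster; the addresses (internal 10.0.0.0/8 and 192.168.0.0/16 with the master at 10.0.0.53, DMZ 172.16.1.0/24 with the resolver at 172.16.1.53) and the file paths are assumptions chosen for illustration.

```conf
// Added example: named.conf for the caching-only resolver on the DMZ host
// (assumed address 172.16.1.53). It answers recursive queries only for DMZ
// machines and holds secondary copies of the internal reverse zones, so no
// DMZ host ever needs to talk to the internal DNS server directly.
options {
    directory "/var/named";
    // Only DMZ hosts may use this server as a resolver.
    allow-query     { 172.16.1.0/24; };
    allow-recursion { 172.16.1.0/24; };
    // Never hand the slaved zones out in bulk; a zone transfer from here
    // would be exactly the internal footprint the question worries about.
    allow-transfer  { none; };
    // Do not advertise the BIND version over CHAOS queries.
    version "none";
};

// Reverse zone for 10.0.0.0/8, pulled from the assumed internal master.
zone "10.in-addr.arpa" {
    type slave;
    file "slave/10.in-addr.arpa";
    masters { 10.0.0.53; };
};

// Reverse zone for 192.168.0.0/16. 172.16.0.0/12 would need the sixteen
// zones 16.172.in-addr.arpa through 31.172.in-addr.arpa, written the same way.
zone "168.192.in-addr.arpa" {
    type slave;
    file "slave/168.192.in-addr.arpa";
    masters { 10.0.0.53; };
};

// Matching fragment for the internal master (assumed 10.0.0.53): only the
// DMZ resolver may transfer the zone, and it is notified of changes.
// zone "10.in-addr.arpa" {
//     type master;
//     file "master/10.in-addr.arpa";
//     allow-transfer { 172.16.1.53; };
//     also-notify    { 172.16.1.53; };
// };
```

With this in place the FW-1 rule changes from "DMZ network to internal network, domain-udp" to two host-pair rules: 172.16.1.53 to 10.0.0.53 on domain-tcp (AXFR) and domain-udp (SOA refresh queries), and 10.0.0.53 to 172.16.1.53 on domain-udp (NOTIFY); everything else from the DMZ to the internal name server stays blocked. One caveat to keep in mind: the slaved zone files on the DMZ host are a complete copy of the internal PTR records, so someone who compromises that host still gets the internal naming map; the setup removes the open path to the internal server, not the data itself.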