Is DNS behind firewall safe???

Burkhard Weeber B.Weeber at viastore.de
Thu Jan 18 15:51:56 UTC 2001


So you have set up 2 name servers, right?

One is in the DMZ to serve the internet and one is in the bastion to serve
the internal net.

All you have to do is enable forwarding from the internal name server to the
external one(s) with forward-only option set. You have to open port 53
tcp+udp just between your internal and external servers w/NAT, be sure to
set the udp-timeout to about a minute, sometimes it takes a long time to
resolve lame servers. Now your external name server has to be cracked before
there is a way for the intruder. And since you use NAT only answers to your
query that arrive in time will make it through the firewall; every external
attempt for a zone transfer even from your DMZ name server will crash on the
firewall.

HiH

Burkhard Weeber
viastore systems GmbH
P/O Box 300668
D-70446 Stuttgart
Email: B.Weeber at viastore.de
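
The forward-only arrangement described above, as an added example that is not from the thread: a BIND `named.conf` options block for the internal (bastion) server. The addresses 10.0.0.53 (internal server), 10.0.0.54 (internal secondary), 192.0.2.53 (DMZ server) and the zone name `corp.example` are placeholders.

```conf
// Internal (bastion) name server. Placeholder addresses: this host is
// 10.0.0.53, the DMZ name server is 192.0.2.53 (RFC 5737 documentation range).
options {
    directory "/var/named";

    // Never iterate to the Internet directly; every outside question goes
    // to the DMZ server, so the firewall only needs 53/tcp+udp between
    // 10.0.0.53 and 192.0.2.53.
    forward only;
    forwarders { 192.0.2.53; };

    // Answer only on the internal interface and only for internal clients.
    listen-on { 10.0.0.53; };
    allow-query { 10.0.0.0/8; };
    allow-recursion { 10.0.0.0/8; };

    // Default for every zone: no one pulls a copy of internal data.
    allow-transfer { none; };
};

// Internal zone stays authoritative here; it is never handed to the DMZ
// server and can only be transferred to the internal secondary.
zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-transfer { 10.0.0.54; };  // placeholder internal secondary
};
```

The DMZ server carries only the public zone and needs no knowledge of `corp.example`; a zone-transfer attempt from outside is refused by the firewall before it ever reaches the internal host, matching the behaviour described in the reply.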


-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
Behalf Of estark0063 at my-deja.com
Sent: Thursday, January 18, 2001 4:22 AM
To: comp-protocols-dns-bind at moderators.isc.org
Subject: Is DNS behind firewall safe???


When setting up internet routing at our company we found that the
internal DNS servers were blocked from doing queries to external
DNS servers.  The firewall was set up to block internal DNS
servers from originating queries to the internet.

The guy who is supposedly the firewall expert says that letting
these internal servers do lookups is extremely risky!  I haven't
heard of any specific attacks that could affect us.  Has anyone out
there heard of anything???

Here is our setup:

The internal DNS servers are on a non-routable 10.x.x.x internal
network and there is NO nat-translation that points to these
machines.

They are only used for internal lookups - no outside use of these
servers is needed.

Can't we just open the appropriate TCP and UDP ports and allow
these servers to do lookups to the internet???  How could anyone
access this machine from the net if there is no translation to it and
it originates all DNS requests (no zone transfers across the
firewall)???

Thanks for the input.


Sent via Deja.com
http://www.deja.com/
