DNS namespace security

Joseph S D Yao jsdy at cospo.osis.gov
Wed Dec 27 23:18:30 UTC 2000


On Sat, Dec 23, 2000 at 05:52:35PM +0000, alevey wrote:
> Anyone know if there are any security risks to having both the Internal &
> External network names (ACME.COM for example) the same vs using ACME.COM
> (external) and Corp.ACME.COM (internally)?

No security risks of which I know, but the latter makes it a LOT easier
to organize the names, because if the domains are DIFFERENT, then the
internal name server can query the external one for external names.  If
the domain names are the SAME, then you have to copy data from the
external server to the internal one.  ;-(

> With having them both the same (ACME.COM ) can someone resolve an IP address
> from a client that makes an external request and ride the IP addr to hack
> into the internal network? ...

It depends on how you are separating internal and external domains.  If
it's via an IP filter that some marketer called a firewall, and it's
misconfigured, then of course.  If it's via a true proxying firewall,
then no way.

>			 ..? Or anything else this name scheme could cause
> problems with?

If you lock the door but leave all the screen windows wide open, then
someone can always get in.  This is but one part of a total security
package.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
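
Added example, not part of the original message: when the internal and external zones are both ACME.COM, the internal server needs its own copy of the external records, and that copy can go stale. This sketch compares the two record sets and reports external entries that are missing or different internally. The simplified "name type rdata" format, the addresses and the function names are constructed for illustration.

```python
# Constructed sample data: simplified "name type rdata" lines, not real zone files.
EXTERNAL_ACME = """\
www.acme.com.   A     192.0.2.10
mail.acme.com.  A     192.0.2.25
acme.com.       MX    10 mail.acme.com.
ftp.acme.com.   A     192.0.2.21
"""

# Internal copy of the same zone: external names plus internal-only hosts.
INTERNAL_ACME = """\
www.acme.com.   A     192.0.2.10
mail.acme.com.  A     192.0.2.99   ; stale copy of the external address
acme.com.       MX    10 mail.acme.com.
hr.acme.com.    A     10.1.2.3     ; internal-only, expected to be absent outside
"""


def parse_records(text):
    """Return {(owner, type): set(rdata)} from simplified record lines."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, rtype, rdata = line.split(None, 2)
        key = (name.lower(), rtype.upper())
        records.setdefault(key, set()).add(" ".join(rdata.split()).lower())
    return records


def find_drift(external_text, internal_text):
    """List external record sets that the internal copy lacks or has changed."""
    external = parse_records(external_text)
    internal = parse_records(internal_text)
    drift = []
    for key, rdata in sorted(external.items()):
        if key not in internal:
            drift.append((key[0], key[1], "missing"))
        elif internal[key] != rdata:
            drift.append((key[0], key[1], "differs"))
    return drift


if __name__ == "__main__":
    for name, rtype, problem in find_drift(EXTERNAL_ACME, INTERNAL_ACME):
        print(f"{name} {rtype}: {problem} in internal copy")
```

Internal-only names such as hr.acme.com are not reported, since only the external-to-internal direction has to be copied.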


