USADOTGOV.NET Root Problems?

Danny Mayer mayer at gis.net
Tue Jul 27 18:45:25 UTC 2010


On 7/26/2010 9:50 AM, Merton Campbell Crockett wrote:
> 
> On Jul 25, 2010, at 3:34 PM, Kevin Oberman wrote:
>>
>> And, as tests start to include DNSSEC (and EDNS0) tests, the vendors will
>> likely adjust defaults. Tests for DNSSEC are already appearing on
>> federal systems (not a trivial part of the business) and will likely
>> become a general test in the procurement process in the next year.
>>
>> Of course, changing defaults will take longer to change.
>>
>> Now to a more basic question...why the ^@#$ does everyone put STATEFUL
>> firewalls in front of servers. They are a denial of service attack
>> waiting to happen. I don't know of any highly regarded security expert
>> who recommends them and most object to them rather strongly.
>>
>> I will admit to once having stateful firewalls in front of my DNS
>> servers, but after an unfortunate case of a badly written application
>> DOSing ourselves, stateful firewalls have been removed. Yes, the software
>> needed fixing, but the software was not enough to cause any problem for
>> the servers...just the firewall. And, yes, we still have stateless
>> firewalls in front of our DNS servers and other public servers as well
>> as an aggressive IDS/IPS system.
> 
> Hear!  Hear!  I much prefer using "packet filter" firewalls at the outer
> markers but haven't been able to sway security or my network colleagues.

Just tell them that you need to deploy DNSSEC which will improve
security but cannot do so without fixing the firewall...

Danny
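The "DNSSEC (and EDNS0) tests" mentioned above, and the firewall fix Danny is suggesting, come down to one question at the wire level: does a query advertising a large EDNS0 UDP payload with the DO bit set get a full, signed reply back through the firewall, or does the reply vanish, arrive truncated (TC set), or fail on the TCP 53 retry? The script below is an added example written for this page, not code from the bind-users thread or from BIND. It builds such a query, classifies a reply (size, TC bit, RRSIG count, responder's EDNS buffer size), and, if TC is set, retries over TCP, which a stateful firewall that only permits UDP 53 or drops fragments will also break. Function names (`build_edns_query`, `parse_response`, `probe`) and the sample reply are the editor's own; the sample is constructed, not captured traffic.

```python
"""
Wire-level EDNS0/DNSSEC probe: build a query advertising a large UDP payload
and the DO bit, then classify the reply.  Editor's example for this page; the
function names and SAMPLE_RESPONSE are assumptions, not from the thread.
"""
import socket
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
RRSIG_TYPE = 46    # DNSSEC signature record
DO_FLAG = 0x8000   # "DNSSEC OK" bit in the OPT RR's TTL field
TC_FLAG = 0x0200   # TrunCation bit in the DNS header flags


def _encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(name, qtype=1, bufsize=4096, do_bit=True, txid=0x1234):
    """Build a DNS query carrying an EDNS0 OPT RR.

    The OPT RR's CLASS field carries the UDP payload size we accept and its
    TTL field carries the DO bit, so the reply may exceed 512 bytes and
    include RRSIGs.  A firewall that drops EDNS0, large UDP or fragments
    makes that reply disappear or come back truncated.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 Q, 1 additional
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = DO_FLAG if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)  # root name, rdlen 0
    return header + question + opt


def _skip_name(data, off):
    """Return the offset just past a possibly compressed name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(data):
    """Summarise a reply: size, TC bit, RCODE, RRSIG count, responder's EDNS size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    rrsigs, edns_bufsize = 0, None
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == RRSIG_TYPE:
            rrsigs += 1
        elif rtype == OPT_TYPE:
            edns_bufsize = rclass                # CLASS of OPT = UDP payload size
    return {"txid": txid, "size": len(data), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "rrsigs": rrsigs, "edns_bufsize": edns_bufsize}


def probe(server, name, qtype=1, bufsize=4096, timeout=3.0):
    """Send the EDNS0 query over UDP; on TC, retry over TCP 53 as a resolver would.
    Both paths have to pass the firewall for DNSSEC to be usable."""
    query = build_edns_query(name, qtype, bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        udp = parse_response(s.recvfrom(65535)[0])
    result = {"udp": udp, "tcp": None}
    if udp["tc"]:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(query)) + query)   # TCP: 2-byte length prefix
            length = struct.unpack("!H", t.recv(2))[0]
            buf = b""
            while len(buf) < length:
                buf += t.recv(length - len(buf))
            result["tcp"] = parse_response(buf)
    return result


# Constructed sample reply (not captured): example.com A + RRSIG, AD bit, OPT with DO.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)
    + _encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    + b"\xC0\x0C" + struct.pack("!HHIH", RRSIG_TYPE, 1, 300, 47)
    + struct.pack("!HBBIIIH", 1, 8, 2, 300, 1600000000, 1598000000, 12345)
    + _encode_name("example.com") + b"\x00" * 16        # placeholder signature bytes
    + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG, 0)
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))   # offline check of the parser
    # probe("192.0.2.53", "example.com")     # point at your own server to test a firewall
```

Read the result as a firewall test, not a DNSSEC validation: a reply with `rrsigs == 0` or `edns_bufsize is None` for a zone you know is signed means EDNS0 was stripped somewhere on the path; `tc` set on UDP followed by a TCP timeout means the filter permits UDP 53 but not TCP 53; no UDP reply at all once `bufsize` is raised above the path MTU usually means fragments are being dropped.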
