Adding DNS ALG support to Bind?
Dave Warren
davew at hireahit.com
Tue Nov 3 02:48:36 UTC 2015
On 2015-11-02 15:03, Carl Byington wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:
>> > What I would like to do to have the ability to query a DNS server
>> > located behind a NAT, and have it return the IP of the NAT, and setup
>> > connection tracking in the NAT to pass traffic thru to the host behind
>> > the NAT.
> I think that is a bad idea, even if you can get it implemented and
> working.
>
> If I know the names of your hosts (they will eventually be found via
> google or other searches), then I can remotely reconfigure your NAT
> device to allow my attack traffic thru - and all it takes is a simple
> UDP query to your dns server.
And? NAT != firewall. Your firewall would still need to be configured to
permit such a connection, and presumably your NAT environment would need
to be configured to allow it as well.
If that's not desired, one would probably not enable this functionality.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
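The two positions in the thread (a DNS query that installs a NAT forwarding versus a firewall that must still permit it) can be made concrete with a small model. The following is an added example written for this page, not code from BIND or from any list participant. It assumes a toy NAT whose connection-tracking table is a dict keyed by hostname, a separate firewall policy holding the names an administrator chose to expose, and constructed sample hosts and addresses; with no policy attached, any query for a known internal name creates a forwarding entry, which is the risk Carl describes, and with a policy attached only explicitly permitted names do, which is the gate Dave says must exist anyway.

```python
"""Toy model of a DNS-triggered NAT mapping gated by firewall policy.

Added example for illustration only; it is not BIND code and not the
proposal from the thread. Hostnames, addresses and the table layout are
constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class FirewallPolicy:
    """Names an administrator explicitly allowed to be reachable from outside."""
    exposed_hosts: Set[str] = field(default_factory=set)

    def permits(self, hostname: str) -> bool:
        return hostname in self.exposed_hosts


@dataclass
class Nat:
    """NAT device with a DNS ALG that answers for internal names."""
    public_ip: str
    internal_hosts: Dict[str, str]                  # hostname -> private IP (constructed)
    policy: Optional[FirewallPolicy] = None          # None models "NAT with no firewall gate"
    conntrack: Dict[str, str] = field(default_factory=dict)  # hostname -> private IP forwarded

    def dns_alg_query(self, hostname: str) -> Optional[str]:
        """Answer a query for an internal name with the public IP.

        A forwarding entry is installed only when no policy exists (unsafe,
        any remote query opens a path) or when the policy permits the name.
        Returns None for unknown names, mirroring an NXDOMAIN answer.
        """
        private = self.internal_hosts.get(hostname)
        if private is None:
            return None
        if self.policy is None or self.policy.permits(hostname):
            self.conntrack[hostname] = private
        return self.public_ip


def unauthorised_mappings(nat: Nat) -> Set[str]:
    """Defender check: forwardings present that the firewall policy never allowed."""
    if nat.policy is None:
        return set(nat.conntrack)
    return {name for name in nat.conntrack if not nat.policy.permits(name)}


def demo() -> Dict[str, Dict[str, str]]:
    """Run the same three queries against an ungated and a gated NAT."""
    hosts = {"www.example.test": "192.168.1.10", "db.example.test": "192.168.1.20"}
    ungated = Nat("203.0.113.5", dict(hosts))
    gated = Nat("203.0.113.5", dict(hosts), FirewallPolicy({"www.example.test"}))
    for name in ("www.example.test", "db.example.test", "nope.example.test"):
        ungated.dns_alg_query(name)
        gated.dns_alg_query(name)
    return {"ungated": ungated.conntrack, "gated": gated.conntrack}


if __name__ == "__main__":
    result = demo()
    print("ungated conntrack:", result["ungated"])
    print("gated conntrack:  ", result["gated"])
```

The ungated table ends up with a forwarding for every internal name anyone queried, including the database host; the gated table only holds the one name the policy listed, and `unauthorised_mappings` gives an auditor a quick way to spot entries that slipped past policy.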