[fw-wiz] IP over DNS.

Matt Cramer mscramer@armstrong.com
Tue, 12 Sep 2000 16:51:23 -0400 (EDT)

On Tue, 12 Sep 2000, Darren Reed wrote:

> I'm surprised nobody has mentioned IP over DNS here yet -
> afterall, it's on /. ;-)
> http://nstx.dereference.de/nstx/
> Is the particular implementation in this instance.
> - there's some more work there for IDS people ;_)
> The biggest problem is that without doing bad things to
> DNS*, you can't stop this from being setup without putting
> in place a full proxy based firewall.  Why ? In order for
> a packet filter firewall to work, hosts inside need to be
> able to get outside address information and that's what
> we need to deny people in order to stop the above.
> Does this spell the end of packet filtering for high
> security firewalls ?

Bah.  Not *ALL* hosts need to be able to get outside address information.
Set up DNS internally, point all your hosts at it.  Allow only your
internal DNS to get past your firewall.  Problem solved.

Plus now you've simplified your network (you know that everyone is using
the same DNS), and saved some bandwidth (lookups chached to your local DNS
no longer traverse the itnernet).


Matthew S. Cramer <mscramer@armstrong.com>               Office: 717-396-5032
Lead Security Analyst                                    Fax:    717-396-5590
Armstrong Information Technology Services                Pager:  888-769-9367
Armstrong World Industries, Inc.                         Cell:   717-951-0141