Edward Lewis wrote:
> At 10:55 +0000 2/19/07, Tony Finch wrote:
>> On Mon, 19 Feb 2007, Edward Lewis wrote:
>>>
>>> 3) I don't buy this as a security risk. I don't think there is a
>>> problem here.
>>
>> It allows you to use a DNS server to tunnel past a firewall. It allows
>> you to use a DNS server to probe a private network.
>
> How?
>
> Let's say I am an iterating server.
>
> I send out a query
>
> I get a referral effectively saying to go to 10.1.1.1.

Not if you told the server to recurse.

> I try my query (again) to that address
>
> Either I will have a 10.1.1.1 locally and it has a port 53 resident DNS
> or
> I have a 10.1.1.1-enclosing subnet locally
> or
> I have a default route to the Internet
>
> case 1 - the server will probably reply with a lame indication
> case 2 - the UDP's will dry up in the ether
> case 3 - the UDP will be dropped at a border router or the ISP's router
>
> How would the person that put the 10.1.1.1 address into the DNS benefit
> from this in the sense that it compromises my security?

--
http://www.apache-ssl.org/ben.html
http://www.links.org/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
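The concern raised in the thread is that a referral received from the public Internet can point a recursing resolver at an address inside the resolver's own private network (the 10.1.1.1 case above). The usual mitigation on the resolver side is to refuse to follow glue or answers that fall into private, loopback or link-local ranges unless the zone is one the operator explicitly trusts to carry such addresses. The following is an added example written for this page, not code from any of the thread's participants or from any real resolver; the blocked range list, the `filter_referral` function and the `private_ok_suffixes` parameter are all assumptions made here to illustrate the check.

```python
import ipaddress

# Address ranges a resolver should refuse to contact when they arrive in
# referral glue or answers from the public Internet. Constructed list for
# this example; a real resolver would make this operator-configurable.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("127.0.0.0/8"),       # loopback
    ipaddress.ip_network("169.254.0.0/16"),    # IPv4 link-local
    ipaddress.ip_network("0.0.0.0/8"),         # "this" network
    ipaddress.ip_network("::1/128"),           # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),          # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
]


def is_blocked_target(address: str) -> bool:
    """True if the address lies in a range the resolver must not contact.

    IPv4-mapped IPv6 addresses (::ffff:10.1.1.1) are unwrapped first so they
    cannot be used to slip a private IPv4 target past an IPv4-only check.
    Unparsable data is treated as unusable rather than trusted.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _under_suffix(name: str, suffix: str) -> bool:
    """Label-aware suffix match so 'evilcorp.internal.' does not match 'corp.internal.'."""
    name, suffix = name.lower(), suffix.lower()
    return name == suffix or name.endswith("." + suffix)


def filter_referral(glue, private_ok_suffixes=()):
    """Split (nameserver, address) glue into (usable, dropped).

    glue: iterable of (owner name, address string) pairs as parsed from a
          referral's additional section (hypothetical structure for this example).
    private_ok_suffixes: zone suffixes the operator trusts to carry private
          addresses, e.g. an internal zone served on the local network.
    """
    usable, dropped = [], []
    for name, address in glue:
        trusted_zone = any(_under_suffix(name, s) for s in private_ok_suffixes)
        if is_blocked_target(address) and not trusted_zone:
            dropped.append((name, address))
        else:
            usable.append((name, address))
    return usable, dropped


if __name__ == "__main__":
    # Constructed referral: one public nameserver and two that point inward.
    sample_glue = [
        ("ns1.example.net.", "192.0.2.53"),
        ("ns2.example.net.", "10.1.1.1"),
        ("ns3.example.net.", "::ffff:10.1.1.1"),
    ]
    ok, bad = filter_referral(sample_glue)
    print("will follow:", ok)
    print("dropped   :", bad)
```

Dropping the glue rather than merely logging it matters: once the private target is discarded the resolver falls back to the remaining public nameservers (or returns SERVFAIL), so no packet ever leaves toward the internal address. The `private_ok_suffixes` escape hatch covers the thread's case 1, where an operator really does run 10.1.1.1 as a nameserver for an internal zone.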