Just a comment: it is common for people to make entries in private DNS for
IP addresses outside their control. Not sure about vice versa, but it is no
big deal.

I remember this client requirement way back in 2000.
It was more like 2 projects in a customer environment, with something being
developed here and something being developed there.

The original company was, say, a site www.xyz.com (whose DNS entry was
unknown to me) with some IP range which was not common to the 2 clients.
More like his DNS had an entry, say:

www.xyz.com IN A p.q.r.s

There was an IPSEC tunnel to the place where p.q.r.s was located, and
their servers were not in our control.

And the local client's domain was, say: project.clientdomain.com

Now, because of the way the stuff/application was being built, I had to do
something like

www.xyz.project.clientdomain.com IN A p.q.r.s

Now, is it right or wrong I don't know; I'm not a Java developer, but this is
what was done back then.
(From what I was given to understand as to why the local client could not
use the other person's DNS, it was security issues; only the IP addresses were
exposed.)
-thanks
Alok
On Mon, 19 Feb 2007 16:44:27 +0530, Edward Lewis <[EMAIL PROTECTED]> wrote:

> At 10:55 +0000 2/19/07, Tony Finch wrote:
>
>> On Mon, 19 Feb 2007, Edward Lewis wrote:
>>
>>> 3) I don't buy this as a security risk. I don't think there is a problem
>>> here.
>>
>> It allows you to use a DNS server to tunnel past a firewall. It allows you
>> to use a DNS server to probe a private network.
>
> How?
>
> Let's say I am an iterating server.
>
> I send out a query
> I get a referral effectively saying to go to 10.1.1.1.
> I try my query (again) to that address
>
> Either I will have a 10.1.1.1 locally and it has a port 53 resident DNS
> or
> I have a 10.1.1.1-enclosing subnet locally
> or
> I have a default route to the Internet
>
> case 1 - the server will probably reply with a lame indication
> case 2 - the UDP's will dry up in the ether
> case 3 - the UDP will be dropped at a border router or the ISP's router
>
> How would the person that put the 10.1.1.1 address into the DNS benefit
> from this in the sense that it compromises my security?
>
> --
> A revolutionary idea is usually made with sleeves rolled up
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
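As an added example (not part of the thread, nor anyone's code on it), a small Python audit that flags A/glue records pointing into private or otherwise non-routable address space and, for each, predicts which of Edward's three cases a resolver at a given site would hit. The zone records, local host list and local subnets are constructed sample values, not from the thread.

```python
import ipaddress
from typing import NamedTuple

# Ranges a resolver on the public Internet has no route to:
# RFC 1918 private space plus loopback and link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


class Finding(NamedTuple):
    owner: str    # record owner name
    target: str   # address the record points at
    outcome: str  # predicted resolver behaviour (Edward's case 1/2/3)


def is_non_routable(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def predict_outcome(target: str, local_hosts, local_subnets) -> str:
    """Map a referral target to the three cases from the thread."""
    ip = ipaddress.ip_address(target)
    if ip in {ipaddress.ip_address(h) for h in local_hosts}:
        return "case 1: a local host answers on port 53, probably lame"
    if any(ip in ipaddress.ip_network(s) for s in local_subnets):
        return "case 2: address is on a local subnet but unused, queries time out"
    return "case 3: follows the default route, dropped at border/ISP router"


def audit_records(records, local_hosts, local_subnets):
    """Return a Finding for every A record whose target is non-routable."""
    return [
        Finding(owner, rdata, predict_outcome(rdata, local_hosts, local_subnets))
        for owner, rtype, rdata in records
        if rtype == "A" and is_non_routable(rdata)
    ]


# Constructed sample zone data (hypothetical names, documentation/private IPs).
SAMPLE_RECORDS = [
    ("ns1.example.test.", "A", "192.0.2.53"),
    ("ns2.example.test.", "A", "10.1.1.1"),
    ("www.xyz.project.clientdomain.test.", "A", "10.20.30.40"),
    ("ns3.example.test.", "A", "172.16.5.5"),
]
LOCAL_HOSTS = ["10.1.1.1"]           # constructed: hosts present at "my" site
LOCAL_SUBNETS = ["172.16.0.0/16"]    # constructed: subnets routed locally

if __name__ == "__main__":
    for f in audit_records(SAMPLE_RECORDS, LOCAL_HOSTS, LOCAL_SUBNETS):
        print(f"{f.owner} -> {f.target}: {f.outcome}")
```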