DNS for Internet Firewalls



Similar documents
DNS : Domain Name System

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

Attack and Defense Techniques

Use Domain Name System and IP Version 6

Journaling Guide for Archive for Exchange 2007

Response Policy Zones for the Domain Name System (DNS RPZ) By Paul Vixie, ISC (et.al.) 2010 World Tour

CipherMail Gateway Quick Setup Guide

ECE 4321 Computer Networks. Network Programming

- Domain Name System -

Configuring the BIND name server (named) Configuring the BIND resolver Constructing the name server database files

Using the Domain Name System for System Break-ins

Understand Names Resolution

Lab - Observing DNS Resolution

DNS + DHCP. Michael Tsai 2015/04/27

DNS. Computer networks - Administration 1DV202. fredag 30 mars 12

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

QUESTION: 1 Which of the following are valid authentication user group types on a FortiGate unit? (Select all that apply.)

How to Add Domains and DNS Records

File transfer and login using IPv6, plus What to do when things don t work

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

Are Firewalls Obsolete? The Debate

Deploying & Configuring a DNS Server on OpenServer 6 or UnixWare 7. Kirk Farquhar

Configuration Examples for the D-Link NetDefend Firewall Series

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

H3C Firewall and UTM Devices DNS and NAT Configuration Examples (Comware V5)

WHM Administrator s Guide

Skywire TCP Socket Examples

DNS. Computer Networks. Seminar 12

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

escan SBS 2008 Installation Guide

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

USHA. Notification Setting. User Manual

Administrator Guide. v 11

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

How to Configure Active Directory based User Authentication

Pass Through Proxy. How-to. Overview:..1 Why PTP?...1

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Creating a master/slave DNS server combination for your Grid Infrastructure

Owner of the content within this article is Written by Marc Grote

Creating Custom Nameservers Contents

Reverse DNS considerations for IPv6

Configuring DNS on Cisco Routers

CMPT 471 Networking II

Host Discovery with nmap

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

Legal Disclaimers. For C-UL Listed applications, the unit shall be installed in accordance with Part 1 of the Canadian Electrical Code.

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

SMTP Settings. Magento Extension User Guide. Official extension page: SMTP Settings. User Guide: SMTP Settings

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Non-authoritative answer: home.web.cern.ch canonical name = drupalprod.cern.ch. Name: drupalprod.cern.ch Address:

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

Communications and Networking

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

HOWTO: Set up a Vyatta device with ThreatSTOP in bridge mode

How to launch and defend against a DDoS

Domain Name System (DNS) Fundamentals

Enterprise SysLog Manager (ESM)

Firewall implementation and testing

DNS Session 4: Delegation and reverse DNS. Joe Abley AfNOG 2006 workshop

HOWTO: Set up a Vyatta device with ThreatSTOP in router mode

Security perimeter white paper. Configuring a security perimeter around JEP(S) with IIS SMTP

Zimbra :: The Leader in Open Source Collaboration. Administrator's PowerTip #3: June 21, 2007 Zimbra Forums - Zimbra wiki - Zimbra Blog

DNS Resolving using nslookup

MS 10135B Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

what s in a name? taking a deeper look at the domain name system mike boylan penn state mac admins conference

Domain Name Resolver (DNR) Configuration

Services Deployment. Administrator Guide

Technical Support Information Belkin internal use only

How To Guide Edge Network Appliance How To Guide:

Serial Deployment Quick Start Guide

Internet Security [1] VU Engin Kirda

Setting Up Your Assisted Service Plan Dedicated Server

Introduction to DNS and Application Issues related to DNS. Kirk Farquhar

DNS. DNS Fundamentals. Goals of this lab: Prerequisites: LXB, NET

Introduction to Computer Networks

Securing and Accelerating Databases In Minutes using GreenSQL

Configuring Basic Settings

Introduction to the Domain Name System

Proxy Server, Network Address Translator, Firewall. Proxy Server

Step-by-Step Configuration

TCP/IP Network Connectivity and ION Meters

DNS and BIND. David White

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

Network Time Management Configuration. Content CHAPTER 1 SNTP CONFIGURATION CHAPTER 2 NTP FUNCTION CONFIGURATION

No Cloud Allowed. Denying Service to DDOS Protection Services

Troubleshooting Tools

Chapter 8 Monitoring and Logging

How to Configure edgebox as an Server

Lab - Observing DNS Resolution

How to configure MAC authentication on a ProCurve switch

How to Configure Split DNS

Inbound Load Balance. User Manual

Transcription:

DNS for s 1 DNS Security Do not rely on DNS names to make security-related decisions DNS can be spoofed Use IP addresses whenever possible Note that IP addresses can also be spoofed It s just a little harder 2 (C)Copyright, 1997 Marcus J. Ranum, all rights reserved 1

DNS Hiding Hiding DNS does not improve security It is very easy to learn about a network once you ve penetrated it Many other ways for host/address information to leak out Hiding DNS may be necessary if you do not have valid IP addresses Or many unreachable nodes/networks 3 Futility of DNS Hiding (cont) % ping -s 192.239.76.255 PING 192.239.76.255: 56 data bytes 64 bytes from dev.gdb.org (192.239.76.2): icmp_seq=0. time=17. ms 64 bytes from crab.gdb.org (192.239.76.190): icmp_seq=0. time=47. ms 64 bytes from screams.gdb.org (192.239.76.6): icmp_seq=0. time=56. ms 64 bytes from hamlet.gdb.org (192.239.76.134): icmp_seq=0. time=69. ms 64 bytes from thor.gdb.org (192.239.76.47): icmp_seq=0. time=73. ms 64 bytes from oscar.gdb.org (192.239.76.36): icmp_seq=0. time=78. ms... 4 (C)Copyright, 1997 Marcus J. Ranum, all rights reserved 2

Futility of DNS Hiding (cont) From ches@plan9.bell-labs.com Wed Mar 20 17:32 EST 1996 Received: from smartwall.v-one.com (firewall-user@smartwall.v-one.com [206.205.74.11]) by mail.clark.net (8.7.3/8.6.5) with SMTP id RAA08728 for <mjr@clark.net> ; Wed, 20 Mar 1996 17:32:48-0500 (EST) Received: by smartwall.v-one.com; id RAA01262; Wed, 20 Mar 1996 17:28:29-0500 Received: from smartwall.v-one.com (firewall-user@smartwall-internal.vone.com [198.69.135.11]) by uxdev2.v-one.com (8.6.5/8.6.5) with ESMTP id RAA03713 for <mjr@v-one.com>; Wed, 20 Mar 1996 17:42:50-0500 Received: by smartwall.v-one.com; id RAA01253; Wed, 20 Mar 1996 17:28:18-0500 X-UIDL: 827720348.002 From: ches@plan9.bell-labs.com... 5 Typical DNS Environment Server Mail Hub Internal Network 6 (C)Copyright, 1997 Marcus J. Ranum, all rights reserved 3

Hidden DNS Environment Server Mail Hub Internal Network 7 warning!! The following is a really warped solution As ugly as a 2-week old pepperoni pizza (Paul Vixie) Use it only if you are not willing to maintain two separate dns s on the firewall 8 (C)Copyright, 1997 Marcus J. Ranum, all rights reserved 4

External Queries Internal Network 9 Internal->Internal Queries 10 (C)Copyright, 1997 Marcus J. Ranum, all rights reserved 5

Internal->External Queries foo.gov 11 ->Internal Queries zap. 12 (C)Copyright, 1997 Marcus J. Ranum, all rights reserved 6

->External Queries foo.gov 13 DNS Config on for domain Resolv.conf points to internal nameserver domain nameserver 168.143.0.7 14 (C)Copyright, 1997 Marcus J. Ranum, all rights reserved 7

DNS on Inside Nameserver Named.boot has forwarders record All unsolved queries go to firewall cache. /etc/named.ca primary /etc/named.mumble primary 76.239.192.in-addr.arpa /etc/named.mumble.76 primary 77.239.192.in-addr.arpa /etc/named.mumble.77 slave forwarders ; do not contact outside directly 192.239.76.1 ; the firewall primary 0.0.127.in-addr.arpa /etc/named.local 15 (C)Copyright, 1997 Marcus J. Ranum, all rights reserved 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information