Adding DNS ALG support to Bind?
davew at hireahit.com
Tue Nov 3 02:48:36 UTC 2015
On 2015-11-02 15:03, Carl Byington wrote:
> On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:
>> What I would like to do to have the ability to query a DNS server
>> located behind a NAT, and have it return the IP of the NAT, and set up
>> connection tracking in the NAT to pass traffic thru to the host behind
>> the NAT.
> I think that is a bad idea, even if you can get it implemented and
> If I know the names of your hosts (they will eventually be found via
> google or other searches), then I can remotely reconfigure your NAT
> device to allow my attack traffic thru - and all it takes is a simple
> UDP query to your dns server.
And? NAT != firewall. Your firewall would still need to be configured to
permit such a connection, and presumably your NAT environment would need
to be configured to allow it as well.
If that's not desired, one would probably not enable this functionality.
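A small model of the mechanism being debated, added here as an illustration and not code from any poster or from BIND: a DNS query for an internal name is answered with the NAT's public address and, as a side effect, installs a connection-tracking entry towards the internal host. The `enforce_firewall` switch separates the two positions in the thread: with it off, any party able to send one UDP query opens the mapping; with it on, the mapping is only created for (host, port) pairs the firewall policy already permits. The public address, the internal host table, the allow set and the query packet are all constructed for the example.

```python
"""Model of a DNS-triggered NAT pinhole ("DNS ALG") with a firewall policy gate.

Constructed example: nothing here talks to a real resolver or NAT device.
"""
import struct
import time

PUBLIC_IP = "198.51.100.10"  # assumed NAT outside address (documentation range)

# Assumed internal name table: hostname -> (private IP, service port)
INTERNAL_HOSTS = {
    "www.example.internal.": ("10.0.0.5", 80),
    "db.example.internal.": ("10.0.0.9", 5432),
}

# Assumed firewall policy: the only (host, port) pairs that may be exposed.
FIREWALL_ALLOW = {("10.0.0.5", 80)}


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query (header + one question) in wire format."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode()
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question's QNAME from a DNS packet (no name compression)."""
    pos, labels = 12, []  # question section starts after the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:
            break
        labels.append(packet[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    return ".".join(labels) + "."


class NatAlg:
    """Answers queries for internal names and (conditionally) opens a pinhole."""

    def __init__(self, enforce_firewall: bool, ttl: int = 60):
        self.enforce_firewall = enforce_firewall
        self.ttl = ttl
        # Connection-tracking table: (public_ip, port) -> (private_ip, port, expiry)
        self.conntrack = {}

    def handle_query(self, packet: bytes, now: float = None):
        """Return (answer_ip, pinhole_created) for one query packet.

        The query source is never checked: that is exactly the property the
        thread objects to, and why the firewall gate below matters.
        """
        now = time.time() if now is None else now
        name = parse_qname(packet)
        if name not in INTERNAL_HOSTS:
            return None, False
        private_ip, port = INTERNAL_HOSTS[name]
        if self.enforce_firewall and (private_ip, port) not in FIREWALL_ALLOW:
            # Still answer with the NAT address, but install no forwarding state.
            return PUBLIC_IP, False
        self.conntrack[(PUBLIC_IP, port)] = (private_ip, port, now + self.ttl)
        return PUBLIC_IP, True

    def lookup(self, port: int, now: float):
        """Where would inbound traffic to PUBLIC_IP:port be forwarded right now?"""
        entry = self.conntrack.get((PUBLIC_IP, port))
        if entry is None or entry[2] < now:
            self.conntrack.pop((PUBLIC_IP, port), None)  # expired or absent
            return None
        return entry[0], entry[1]


if __name__ == "__main__":
    ungated = NatAlg(enforce_firewall=False)
    print(ungated.handle_query(build_query("db.example.internal.")))  # pinhole opened
    gated = NatAlg(enforce_firewall=True)
    print(gated.handle_query(build_query("db.example.internal.")))    # no pinhole
    print(gated.handle_query(build_query("www.example.internal.")))   # permitted
```

The mapping also carries an expiry, so a pinhole that is opened by a query and never used disappears on its own rather than staying open indefinitely.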