FYI - IP tunnelling via DNS

Paul A Vixie vixie at mibh.net
Mon Sep 11 17:31:33 UTC 2000


someone asked privately...

> In a past life we used the firewall as the DNS server and then we didn't
> pass DNS.  It relies on the strength of the DNS implementation on the
> firewall, but that seems easier to control than every box that can talk
> TCP/IP in the environment.

this won't help.  any "firewall complex" (which can involve any number of
packet filtering routers/switches and application-layer gateways) has to
pass TXT queries somehow unless the hosts "inside" are completely
disconnected from the internet.  even in cases where rfc1918 private
addresses are used, the "firewall" still allows dns data (even if handled
by an application layer gateway as in your case) to transit.

the ip tunnel in question was described in terms of a firewall which allows
port 53 traffic to transit.  but it will work just fine even in the case
you describe, where all dns transactions terminate at or originate from the
firewall.

so, your configuration would stop my tftp-on-udp53 trick, but not ip tunneled
over dns.
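Since the tunnel still works when every DNS transaction terminates at the firewall, the resolver's own query log is where a defender can look for it. As an added example (not from the post, nor BIND code), a small Python heuristic scores each zone in constructed resolver log lines by its share of TXT queries and by the length and entropy of the leftmost label; the zone name "tun.example", the log format and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of recursive-resolver query logs, "<client> <qname> <qtype>" per
# line (not from the post). "tun.example" mimics a tunnel: data leaves in long
# random-looking labels and comes back in the TXT answers the resolver fetches.
SAMPLE_LOG = """\
10.0.0.5 www.example.org A
10.0.0.5 mail.example.org MX
10.0.0.7 q3v8hz9kx2mp4nq7rt6wy1s0bd5fg8hj.tun.example TXT
10.0.0.7 z7p2mq9lk4wn8xr3vt6yb1cd5hg0fj4s.tun.example TXT
10.0.0.7 a8k3nw2pz7mq5xr9vt1yb6cd0hg4fj8s.tun.example TXT
10.0.0.7 m4x9qz2pk7wn3rt8vb1yc6hd0gj5fl2s.tun.example TXT
10.0.0.9 ns1.example.net A
"""

def shannon_entropy(text):
    """Bits per character; base32/base64-like payload labels score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registered_domain(qname, levels=2):
    """Group queries by the zone that ultimately receives them (last `levels` labels)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def score_domains(log_text, min_queries=3, txt_ratio=0.5, label_len=20, entropy=3.5):
    """Per zone: share of TXT queries, mean leftmost-label length and mean entropy.
    A zone is flagged only when it has enough queries and all three are high."""
    per = defaultdict(lambda: {"total": 0, "txt": 0, "len": 0, "ent": 0.0})
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        first = qname.split(".")[0]          # leftmost label carries outbound data
        s = per[registered_domain(qname)]
        s["total"] += 1
        s["txt"] += 1 if qtype.upper() == "TXT" else 0
        s["len"] += len(first)
        s["ent"] += shannon_entropy(first)
    report = {}
    for zone, s in per.items():
        tot = s["total"]
        r = {"queries": tot, "txt_ratio": s["txt"] / tot,
             "avg_label_len": s["len"] / tot, "avg_entropy": s["ent"] / tot}
        r["suspicious"] = (tot >= min_queries and r["txt_ratio"] >= txt_ratio
                           and r["avg_label_len"] >= label_len and r["avg_entropy"] >= entropy)
        report[zone] = r
    return report
```

On the sample, only tun.example is flagged; the thresholds are a starting point to tune against a site's own baseline, since legitimate TXT-heavy zones (mail authentication records, for instance) use short, low-entropy labels.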



More information about the bind-workers mailing list