FYI - IP tunnelling via DNS
Brad Knowles
blk at skynet.be
Tue Sep 12 08:28:24 UTC 2000
At 11:03 AM +1100 2000/9/12, Darren Reed wrote:
> The only defence I can see against it, at present, is to not allow internal
> systems to even make DNS queries for things outside your domain of control.
> This, in effect, forces you to implement a proxy-only firewall where the
> firewall itself is the only thing generating DNS packets which go out onto
> the Internet.
Hmm. Are there ways to make even proxy-only firewalls generate
that same DNS traffic indirectly, and perhaps leak the results to the
internal compromised system?
--
These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles, <blk at skynet.be> || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49 || B-1140 Brussels
http://www.skynet.be || Belgium
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.