[4427] in WWW Security List Archive

home help back first fref pref prev next nref lref last post

Re: Split DNS - Another way

daemon@ATHENA.MIT.EDU (Anton J Aylward)
Fri Feb 14 12:11:35 1997

Date: Fri, 14 Feb 1997 09:15:44 -0500
To: Matt Larson <matt@acmebw.com>, Kurt Kessel <kkessel@hteinc.com>,
        firewalls@GreatCircle.COM
From: Anton J Aylward <anton@the-wire.com>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

At 03:32 PM 13/02/97 -0500, Matt Larson wrote:
>At 01:57 PM 2/12/97, Kurt Kessel wrote:
>>What if a company let the ISP be the primary DNS for the public network,
>>say mydom.com. Their internal DNS remained the primary for their internal
>>domain, again mydom.com. The trick would be to configure the firewall as
>>a DNS client of both DNS servers (ISP and internal). With the use of
>>proxies and filtering on the FW, no DNS leakage should happen. The proxies
>>should be able to resolve domain names as needed.
>
>What you've described would require modifying the resolver on the firewall
>host, which is exactly what Marcus Ranum described in a follow-up to your posting.
>
>I know of two major ways (with variations, of course) to solve the split
>DNS problem.
>
>One way gives the firewall name server visibility to the Internet root name
>servers and makes it authoritative for the external version of the
>company's DNS information.  The firewall's resolver points to an internal
>name server that is authoritative for the internal version of the company's
>DNS information.  This internal name server forwards unresolved queries to
>the firewall name server.  Internal resolvers point to the internal name
>server, which either answers the query (for internal host names) or
>forwards it to the firewall's name server (for Internet host names).

[BIG SNIP]

There is another and more important way to consider.

The way the firewall has been designed to work by the people who
manufactured it.

OK, the term 'firewall' is an 'all things to all men' term.  Many firewalls
are just (!!) souped-up routers (apologies to Network Systems for the implied
but unwarranted criticism of their excellent product).  But if you're dealing
with something like Gauntlet, Firewall-1, Black-hole, etc., then you should
check how they recommend doing the "split-DNS".

They will probably have already altered the code on the firewall - here I am
making sweeping generalizations again - so that it can do things like
- for example - plug in to a DNS server at your ISP.  So your 'internal'
DNS server can be loaded up with lots of PTR, TXT and HINFO records for
internal use, and then use a 'forwarders' line to point at the firewall,
which has resolver code which does hand-off to the external DNS server.
This will of course be matched by another DNS server outside of the
firewall supplying the single set of DNS records for your domain.

What records?  Well, let's keep it simple:

	mydom.com.                      A     www.xxx.yyy.zzz
	mydom.com.                      MX    100  mydom.com.
	mydom.com.                      MX    200  myfriend.com.
and
	zzz.yyy.xxx.www.in-addr.arpa.   PTR   mydom.com.

Where www.xxx.yyy.zzz is the Internet-visible address of the firewall,
which is running the most crippled SMTP mail receiver practical.

Why am I stating this 'obvious' stuff?  Because of the deluge of mail I've
received about not loading up DNS with information which is useful to hackers
on the Internet.  I personally believe PTR records should be considered
mandatory, but many people seem paranoid about them.

Yes, if you're running single DNS with the same server for both internal and
external views, you're disclosing all that information.  However, the four
records above, with a firewall and split DNS, will - if the firewall is set
up properly - allow you to contact sites which want to perform double reverse
lookup for validation.  Such as ftp.up.net.

This is all cook-book stuff.  As Marcus pointed out, it may need
modification to your resolver on the firewall.  As I pointed out, many
vendors have already done this.

The big GOTCHA is the phrase 'if the firewall is set up properly'.
Depending on how strictly you interpret that, between 50% and 90% of the
firewalls I encounter as a consultant specializing in this area are not
set up properly.

On the whole, the reason for this is twofold:
	1. Lack of planning and policy.  The set-up is ad hoc, lacks directions
	   and objectives and is not documented as to its what and why.
	2. Lack of experience combined with GUI interfaces.  This leads
	   people to say "Oh, I can understand this".  Yes, they can understand
	   the GUI.  Doesn't mean they understand the whys and wherefores of
	   firewalls.

Did I mention Ignorance?  Not stupidity.  Lots of the people who've mailed me
on this subject were pretty smart and had reasoned out their objections
very well.  They were simply ignorant of techniques and technologies.  Not
specializing in security and firewalls, they can't be expected to keep up to
date.  That's a fact of life in this business.  Lots of areas I can't keep up
to date in.

I don't imagine this will lay the issue to rest, but I hope it will ease the
load on my mailbox.

For specific details, please see
	D. Brent Chapman and Elizabeth D. Zwicky, "Building Internet Firewalls"

I'll try to get to the rest of my mail this weekend.

/anton


--------------------------------------------------------------------------
Anton J Aylward                  | Security is not something that comes in 
The Strahn & Strachan Group Inc  | a self-contained box. It is an attribute 
Information Security Consultants | of how you do business and as such 
Voice: (416) 494-8661            | needs to be managed carefully.
  Fax: (416) 494-8803            |      - Karen Goertzel, Wang Federal Inc.
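The four-record outside view described in the post, and the difference between it and an internal zone "loaded up" with PTR, TXT and HINFO records, as an added example that is not part of the original post or of any firewall product named in it. The script parses the simple "owner TYPE rdata" record layout used above and audits a candidate outside-view zone for the things the post warns about: host-describing record types, RFC 1918 addresses, and a forward/reverse mismatch that would make a double-reverse-lookup site reject the connection. The domain, the addresses (192.0.2.10 stands in for www.xxx.yyy.zzz) and both sample zones are constructed for illustration.

```python
"""
Audit of a split-DNS "outside view" zone.

Added example, not code from the original post. Assumes the simple
"owner TYPE rdata" record layout used in the post; the domain, addresses
and record sets below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Record types a minimal outside view needs. HINFO/TXT describe hosts and
# belong only in the internal view the post talks about.
EXTERNAL_ALLOWED = {"SOA", "NS", "A", "MX", "PTR"}

# RFC 1918 space: an A record pointing here in the public zone means an
# internal host has leaked into the outside view.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RR = re.compile(r"^(?P<owner>\S+)\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$")


def parse_zone(text):
    """Parse 'owner TYPE rdata' lines into (owner, type, rdata) tuples.
    ';' comments and blank lines are skipped; owners are normalised to
    lower case with a trailing dot."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = RR.match(line)
        if not m:
            raise ValueError(f"unparsable record: {raw!r}")
        owner = m["owner"].lower().rstrip(".") + "."
        records.append((owner, m["type"], m["rdata"].strip()))
    return records


def reverse_name(addr):
    """in-addr.arpa owner for an IPv4 address: 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def audit_external_zone(text, domain):
    """Return a list of problems with the outside view; an empty list means clean."""
    domain = domain.lower().rstrip(".") + "."
    problems = []
    by_type = defaultdict(list)

    for owner, rtype, rdata in parse_zone(text):
        by_type[rtype].append((owner, rdata))
        if rtype not in EXTERNAL_ALLOWED:
            problems.append(f"{rtype} for {owner} leaks internal detail")
        if rtype == "A" and any(ipaddress.ip_address(rdata) in n for n in RFC1918):
            problems.append(f"A for {owner} exposes RFC 1918 address {rdata}")

    # Forward and reverse must agree, or double-reverse-lookup sites reject us.
    ptrs = {owner: rdata.lower() for owner, rdata in by_type["PTR"]}
    a_names = {owner for owner, _ in by_type["A"]}
    apex_addrs = [rdata for owner, rdata in by_type["A"] if owner == domain]
    if not apex_addrs:
        problems.append(f"no A record for {domain}")
    for addr in apex_addrs:
        if ptrs.get(reverse_name(addr)) != domain:
            problems.append(f"no PTR mapping {addr} back to {domain}")

    # An MX target inside our own domain must itself have an A record here.
    for owner, rdata in by_type["MX"]:
        _pref, target = rdata.split()
        target = target.lower()
        in_domain = target == domain or target.endswith("." + domain)
        if in_domain and target not in a_names:
            problems.append(f"MX target {target} has no A record in the outside view")
    return problems


# Constructed outside view in the shape the post recommends.
OUTSIDE_VIEW = """
mydom.com.                 A    192.0.2.10
mydom.com.                 MX   100 mydom.com.
mydom.com.                 MX   200 myfriend.com.
10.2.0.192.in-addr.arpa.   PTR  mydom.com.
"""

# Constructed zone copied from the internal server without pruning.
LEAKY_VIEW = """
mydom.com.                 A     192.0.2.10
mydom.com.                 MX    100 mail.mydom.com.
mail.mydom.com.            A     10.1.1.25
mail.mydom.com.            HINFO "PC" "Linux"
"""

if __name__ == "__main__":
    for name, zone in (("outside view", OUTSIDE_VIEW), ("leaky view", LEAKY_VIEW)):
        print(name, "->", audit_external_zone(zone, "mydom.com") or "clean")
```

Running it reports the outside view as clean and flags three problems in the leaky copy: the HINFO record, the 10.1.1.25 address, and the missing PTR for 192.0.2.10. The PTR check is the one that matters for the ftp.up.net case in the post: the reverse name is derived from the firewall's A record, so a typo in the reverse zone shows up before a remote site's double-reverse lookup does.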
