[148556] in North American Network Operators' Group


Re: DNS Attacks

daemon@ATHENA.MIT.EDU (Steven Bellovin)
Wed Jan 18 11:35:32 2012

From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <CAL9jLaYJNhbp2M_8=mobTHTW8R0cAU5XA=fmTP2q7ZjL4zDPKg@mail.gmail.com>
Date: Wed, 18 Jan 2012 11:34:19 -0500
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 18, 2012, at 10:41:30 AM, Christopher Morrow wrote:

> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick@foobar.org> wrote:
>> On 18/01/2012 14:18, Leigh Porter wrote:
>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>>> as it is not *my* firewalls I really don't care what they do ;-)
>>
>> As you're posting here, it looks like it's become your problem. :-D
>>
>> Seriously, though, there is no value to maintaining state for DNS queries.
>> You would be much better off to put your firewall production interfaces on
>> a routed port on a hardware router so that you can implement ASIC packet
>> filtering.  This will operate at wire speed without dumping you into the
>> colloquial poo every time someone decides to take out your critical
>> infrastructure.
>
> I get the feeling that Leigh had implemented this against his own
> advice for a client... that he's onboard with 'putting a firewall in
> front of a dns server is dumb' meme...

In principle, this is certainly correct (and I've often said the same thing
about web servers); in practice, though, a lot depends on the specs.  For
example: can the firewall discard useless requests more quickly?  Does it do
a better job of discarding malformed packets?  Is the vendor better about
supplying patches to new vulnerabilities?  Can it do a better job filtering
on source IP address?  Does it do load-balancing?  Are there other services
on the same server IP address that do require stateful filtering?

As I said, most of the time a dedicated DNS appliance doesn't benefit from
firewall protection.  Occasionally, though, it might.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb
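The stateless treatment of DNS that Nick argues for, expressed as an nftables ruleset for a Linux box forwarding traffic to an authoritative server. This is an added example, not configuration from the thread or any of its participants; 192.0.2.53 is a placeholder server address and the interface layout is assumed.

```nft
# Added example: keep DNS to/from the authoritative server out of the
# connection-tracking table, while the rest of the forwarded traffic stays
# stateful. Assumes 192.0.2.53 is the (placeholder) authoritative server.
table inet dns_edge {
    chain raw_prerouting {
        type filter hook prerouting priority -300; policy accept;
        # Queries to the server: never create a conntrack entry for them,
        # so a query flood cannot exhaust the state table.
        ip daddr 192.0.2.53 udp dport 53 notrack
        ip daddr 192.0.2.53 tcp dport 53 notrack
        # Answers coming back from the server: likewise untracked.
        ip saddr 192.0.2.53 udp sport 53 notrack
        ip saddr 192.0.2.53 tcp sport 53 notrack
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Ordinary traffic keeps the usual stateful handling.
        ct state established,related accept
        ct state invalid drop
        # DNS is matched purely on addresses and ports, in both directions,
        # exactly as a router ACL would do it.
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept
        ip saddr 192.0.2.53 udp sport 53 accept
        ip saddr 192.0.2.53 tcp sport 53 accept
    }
}
```

Load it with `nft -f <file>` and confirm that `conntrack -L` shows no entries for port 53 to or from the server while queries are flowing.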