Making DNS request to the Internet

on 20.05.2006 04:36:44 by boomboom999

Hi,

Is it considered a good security practice to not allow Active Directory
Domain Controllers to make direct DNS requests to the Internet?

I have read about different DNS response attacks that can help an
attacker to take control of the DC via an incorrect DNS response
(buffer overflow etc.).

Would it be more secure to use DNS forwarders?
If yes, where should we place them? Into the DMZ?

Thank you

Re: Making DNS request to the Internet

on 20.05.2006 04:54:35 by unknown

Post removed (X-No-Archive: yes)

Re: Making DNS request to the Internet

on 20.05.2006 05:10:46 by boomboom999

What could you say about the vulnerabilities mentioned below?

Domain Name System (DNS) stub resolver libraries vulnerable to buffer
overflows via network name or address lookups

http://www.kb.cert.org/vuls/id/844360

Re: Making DNS request to the Internet

on 20.05.2006 05:19:21 by Barry Margolin

In article ,
Leythos wrote:

> In article <1148092604.701427.200080@g10g2000cwb.googlegroups.com>,
> boomboom999@yahoo.com says...
> > Hi,
> >
> > Is it considered a good security practice to not allow Active Directory
> > Domain Controllers to make direct DNS requests to the Internet?
> >
> > I have read about different DNS response attacks that can help an
> > attacker to take control of the DC via an incorrect DNS response
> > (buffer overflow etc.).
> >
> > Would it be more secure to use DNS forwarders?
> > If yes, where should we place them? Into the DMZ?
>
> If you've got the capital to set up a dedicated DNS server to do the
> work, more power to you.

Even if you don't, you can always forward to your ISP's caching servers.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
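The question above and Barry's reply both come down to one policy: domain controllers should hand recursive resolution to a designated forwarder (a DMZ resolver or the ISP's caching servers) and never talk to arbitrary Internet DNS servers themselves. The check below is an added example, not code from the thread or from any poster. It scans constructed firewall log lines and flags port-53 traffic from the DC subnet to any destination that is neither an approved forwarder nor an internal address. The subnet, forwarder addresses and log format are assumptions chosen for the example.

```python
"""Flag DNS traffic from domain controllers that bypasses the approved forwarders.

Added example (not from the original thread). Log lines are constructed and use
a hypothetical fixed-column firewall format:
    timestamp action proto src_ip src_port dst_ip dst_port
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed addressing (hypothetical): DCs live in 10.0.1.0/24, the only sanctioned
# recursive resolvers are two forwarders in the DMZ at 192.0.2.10 and .11.
DC_SUBNET = ipaddress.ip_network("10.0.1.0/24")
ALLOWED_FORWARDERS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
}
# DC-to-DC DNS traffic inside these networks is in policy (zone lookups between DCs).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed sample log: one in-policy query per DC, two direct-to-Internet
# queries from DCs, one query from a non-DC host, and one non-DNS flow.
SAMPLE_LOG = """\
2006-05-20T04:36:44Z ALLOW udp 10.0.1.5 51234 192.0.2.10 53
2006-05-20T04:36:45Z ALLOW udp 10.0.1.5 51235 198.51.100.7 53
2006-05-20T04:36:46Z ALLOW tcp 10.0.1.6 51236 203.0.113.9 53
2006-05-20T04:36:47Z ALLOW udp 10.0.1.6 51237 192.0.2.11 53
2006-05-20T04:36:48Z ALLOW udp 10.0.7.22 51238 198.51.100.7 53
2006-05-20T04:36:49Z ALLOW tcp 10.0.1.5 51239 198.51.100.7 443
"""


@dataclass(frozen=True)
class Finding:
    """One DNS flow from a DC that did not go to an approved resolver."""
    timestamp: str
    proto: str
    src_ip: str
    dst_ip: str


def parse_line(line: str) -> dict | None:
    """Split a log line into fields; return None for malformed input."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, action, proto, src, sport, dst, dport = parts
    try:
        return {
            "ts": ts,
            "action": action,
            "proto": proto.lower(),
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
        }
    except ValueError:
        return None


def is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def find_direct_dns(log_text: str) -> list[Finding]:
    """Return DC-originated port-53 flows whose destination is neither an
    approved forwarder nor an internal address, i.e. direct Internet resolution."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue
        if rec["src"] not in DC_SUBNET:
            continue  # only domain controllers are subject to this policy
        if rec["dst"] in ALLOWED_FORWARDERS or is_internal(rec["dst"]):
            continue  # sanctioned resolver or internal DNS peer
        findings.append(Finding(rec["ts"], rec["proto"], str(rec["src"]), str(rec["dst"])))
    return findings


if __name__ == "__main__":
    for f in find_direct_dns(SAMPLE_LOG):
        print(f"{f.timestamp} DC {f.src_ip} resolved directly via {f.dst_ip}/{f.proto}")
```

On the sample input the two flows to 198.51.100.7 and 203.0.113.9 on port 53 are reported; the query from 10.0.7.22 is ignored because that host is not a DC, and the 443 flow is not DNS. In production the same rule belongs in the firewall itself (deny outbound 53 from the DC subnet except to the forwarders), with this kind of log review as the check that the rule is actually in place.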

Re: Making DNS request to the Internet

on 20.05.2006 08:09:33 by comphelp

boomboom999@yahoo.com writes:

> What could you say about the vulnerabilities mentioned below?
>
> Domain Name System (DNS) stub resolver libraries vulnerable to buffer
> overflows via network name or address lookups
>
> http://www.kb.cert.org/vuls/id/844360

I personally don't think much of this 4 year old issue other than
using it as a reminder that one must always keep their DNS server
patched.

And, by the by, if anyone is still running BIND 4 in the security landscape of
2006, you're an idiot.

Best Regards,
--
Todd H.
http://www.toddh.net/