
Re: PROXY DNS ???



>    The problem is that DNS uses UDP datagrams, so when I try to resolve names
>    I connect to one of the root servers and its reply never gets through my Cisco,
>    so I know I can solve it by opening the UDP connection (and I have to open
>    all ports because there is no way to know on what port the reply will come on

Nope.

 1. There's a source port & a destination port.  One of them will be
    the DNS port.
 2. You can only allow packets coming from the DNS server, and to your
    DNS server, and only going to your DNS server on the appropriate
    port.

This is not so true, I can't know on what port the UDP will arrive;
the request is on a certain port but the reply is on a different one
and it is not a dynamic one ... (I can't know it before the transmit ...).

My second problem is that my DNS server is also my HTTP server and it is the
FTP server as well ... I have only one computer on this Internet segment.

So if I allow UDP datagrams to get in, one can fake a datagram and break into
my computer ... (NFS and so on ...).



-- 
Eddie Harari  - phone: 972-3-6190999
                fax  : 972-3-6190992
                ___________________
                Take A Walk In The Wild Side ...
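The filtering argument above (a stateless, first-match ACL that admits only DNS replies from a known upstream server's port 53 to the port the local resolver queries from, versus opening all UDP ports) as an added example that is not part of the original mail. Addresses, the upstream server set and the pinned query port are constructed assumptions; the resolver is assumed to send its queries from a fixed source port so the reply's destination port is known in advance.

```python
"""Stateless UDP filtering for DNS on a single-host segment (added example).

Models a router-style extended access list: first matching rule wins, anything
unmatched is denied. Constructed values throughout; the resolver is assumed to
use a fixed query source port (QUERY_PORT), so replies land on a known port.
"""
from dataclasses import dataclass
from typing import Optional

LOCAL_HOST = "192.0.2.10"             # constructed: the one DNS/HTTP/FTP host on the segment
UPSTREAM = frozenset({"198.51.100.53"})  # constructed: upstream servers the resolver queries
DNS_PORT = 53
QUERY_PORT = 1053                     # constructed: resolver pinned to this source port
NFS_PORT = 2049                       # the service the mail worries about exposing

@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    permit: bool
    src_ips: Optional[frozenset]      # None means "any"
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]

    def matches(self, d: Datagram) -> bool:
        return ((self.src_ips is None or d.src_ip in self.src_ips)
                and (self.src_port is None or d.src_port == self.src_port)
                and (self.dst_ip is None or d.dst_ip == self.dst_ip)
                and (self.dst_port is None or d.dst_port == self.dst_port))

# Order matters: first match wins; no match falls through to the implicit deny.
INBOUND_UDP = [
    # Replies to our own queries: from an upstream server's port 53 to our query port.
    Rule(True, UPSTREAM, DNS_PORT, LOCAL_HOST, QUERY_PORT),
    # Queries from anywhere to our authoritative server on port 53.
    Rule(True, None, None, LOCAL_HOST, DNS_PORT),
]

def allow_inbound(d: Datagram) -> bool:
    """Evaluate one inbound UDP datagram against INBOUND_UDP (implicit deny)."""
    for rule in INBOUND_UDP:
        if rule.matches(d):
            return rule.permit
    return False

def naive_allow(d: Datagram) -> bool:
    """The 'open all UDP ports' variant: anything from port 53 gets in, NFS included."""
    return d.dst_ip == LOCAL_HOST and d.src_port == DNS_PORT
```

With the tight rule set a datagram forged from the upstream address but aimed at port 2049 is dropped, while the naive variant lets it through; that difference is exactly why the destination port is pinned rather than left open.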

