full-disclosure-uk August 2008 archive

Re: [Full-disclosure] DNS forward only: why does it help?

From: Florian Weimer <fw_at_nospam>
Date: Thu Aug 14 2008 - 12:29:15 GMT
To: Paul Szabo <psz@maths.usyd.edu.au>

  • Paul Szabo:

> As a workaround, it is recommended to set DNS servers to forward only.
> Can someone explain why that helps?

It helps if the network between recursor and forwarder is trusted. If it's not, the attacker must still obtain the IP addresses involved and the forwarder source port, which doesn't immediately leak to the attacker. So automated attacks are somewhat less likely.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
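
The point made in the reply above, as an added example that is not part of the original message: a sketch of the tuple a reply must match before a forward-only recursor accepts it, and which of those fields an off-path sender has not learned. The names `Outstanding`, `Reply`, `new_query`, `accepts` and `unknown_fields` are hypothetical, and all addresses are constructed documentation-range values.

```python
# Added illustration: reply matching on a forward-only recursor.
# All addresses, ports and IDs are constructed sample values.
from dataclasses import dataclass
import secrets

FORWARDER_IP = "192.0.2.53"     # assumed: the single configured forwarder
RECURSOR_IP = "198.51.100.10"   # assumed: the recursor's own address

@dataclass(frozen=True)
class Outstanding:
    """State kept for one query the recursor sent to its forwarder."""
    forwarder_ip: str
    local_ip: str
    local_port: int   # source port of the query sent to the forwarder
    txid: int         # 16-bit DNS transaction ID
    qname: str

@dataclass(frozen=True)
class Reply:
    src_ip: str
    dst_ip: str
    dst_port: int
    txid: int
    qname: str

def new_query(qname: str) -> Outstanding:
    """Pick an unpredictable source port and transaction ID per query."""
    port = 1024 + secrets.randbelow(65536 - 1024)
    return Outstanding(FORWARDER_IP, RECURSOR_IP, port,
                       secrets.randbelow(1 << 16), qname)

def accepts(q: Outstanding, r: Reply) -> bool:
    """A reply is used only if every field matches the outstanding query."""
    return (r.src_ip == q.forwarder_ip      # forward only: one valid sender
            and r.dst_ip == q.local_ip
            and r.dst_port == q.local_port
            and r.txid == q.txid
            and r.qname.lower() == q.qname.lower())

def unknown_fields(known: set) -> list:
    """Fields an off-path sender has not observed and would have to guess."""
    needed = ["forwarder_ip", "local_ip", "local_port", "txid"]
    return [f for f in needed if f not in known]

if __name__ == "__main__":
    q = new_query("www.example.com")
    genuine = Reply(q.forwarder_ip, q.local_ip, q.local_port, q.txid, q.qname)
    print("genuine reply accepted:", accepts(q, genuine))
    # Knowing only the queried name leaves every other field to guess.
    print("still unknown off-path:", unknown_fields(set()))
```
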