Re: [Full-disclosure] DNS forward only: why does it help?

From: Florian Weimer <fw_at_nospam>
Date: Thu Aug 14 2008 - 12:29:15 GMT
To: Paul Szabo <psz@maths.usyd.edu.au>

Paul Szabo:

> As a workaround, it is recommended to set DNS servers to forward only.
> Can someone explain why that helps?

It helps if the network between recursor and forwarder is trusted. If it's not, the attacker must still obtain the IP addresses involved and the forwarder source port, which doesn't immediately leak to the attacker. So automated attacks are somewhat less likely.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: n3td3v: "Re: [Full-disclosure] Internet attacks against Georgian web sites"
Previous message: Pavel Labushev: "Re: [Full-disclosure] Internet attacks against Georgian web sites"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]