From: John Navas on 6 Dec 2008 11:52

On Sat, 6 Dec 2008 07:43:54 -0500, "Bill Kearney" <wkearney99(a)hotmail.com> wrote in <brSdnfqFrNQZ7qfUnZ2dnUVZ_r3inZ2d(a)speakeasy.net>:

>>>We live behind a firewall appliance, but I wonder what vulnerability we
>>>might still have?
>
>If your firewall is properly configured it blocks outgoing DNS requests from
>anything other than your internal DNS servers. DNS hijacking has been a
>risk for as long as DNS has existed. If you're serious about security
>you're already on top of this. Sadly, many sites are not serious enough
>about it.

What internal DNS servers? He's probably a home/SOHO user without a DNS server, in which case that advice isn't workable or helpful. And even if he did have a DNS server, it could be hijacked the same way if configured to use DHCP for DNS forwarding.

--
Best regards,
John Navas
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

From: Lloyd E. Sponenburgh on 6 Dec 2008 12:01

John Navas <spamfilter1(a)navasgroup.com> fired this volley in news:p4blj413t1na6bfulprtt2ied0mnu04p04(a)4ax.com:

> What internal DNS servers? He's probably a home/SOHO user without a
> DNS server, in which case that advice isn't workable or helpful. And
> even if he did have a DNS server, it could be hijacked the same way if
> configured to use DHCP for DNS forwarding.

No, John. We have a Watchguard Firebox Edge with current updates.

LLoyd

From: John Navas on 6 Dec 2008 12:10

On Sat, 06 Dec 2008 11:01:48 -0600, "Lloyd E. Sponenburgh" <lloydspinsidemindspring.com> wrote in <Xns9B6C7A631ECCDlloydspmindspringcom(a)216.168.3.70>:

>John Navas <spamfilter1(a)navasgroup.com> fired this volley in
>news:p4blj413t1na6bfulprtt2ied0mnu04p04(a)4ax.com:
>
>> What internal DNS servers? He's probably a home/SOHO user without a
>> DNS server, in which case that advice isn't workable or helpful. And
>> even if he did have a DNS server, it could be hijacked the same way if
>> configured to use DHCP for DNS forwarding.
>
>No, John. We have a Watchguard Firebox Edge with current updates.

I stand corrected. And you've configured it to only allow DNS queries from internal DNS servers, which don't use forwarding by DHCP?

--
Best regards,
John Navas
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

From: Lloyd E. Sponenburgh on 6 Dec 2008 18:22

John Navas <spamfilter1(a)navasgroup.com> fired this volley in news:pdclj4pfb6gogluam5rtq9hke8sde21kic(a)4ax.com:

> I stand corrected. And you've configured it to only allow DNS queries
> from internal DNS servers, which don't use forwarding by DHCP?

I wouldn't know - I didn't set it up - but I can check. That's why I asked about the vulnerability in the first place.

LLoyd

From: Bill Kearney on 7 Dec 2008 06:43

"Lloyd E. Sponenburgh" <lloydspinsidemindspring.com> wrote in message news:Xns9B6C7A631ECCDlloydspmindspringcom(a)216.168.3.70...

> John Navas <spamfilter1(a)navasgroup.com> fired this volley in
> news:p4blj413t1na6bfulprtt2ied0mnu04p04(a)4ax.com:
>
>> What internal DNS servers? He's probably a home/SOHO user without a
>> DNS server, in which case that advice isn't workable or helpful. And
>> even if he did have a DNS server, it could be hijacked the same way if
>> configured to use DHCP for DNS forwarding.
>
> No, John. We have a Watchguard Firebox Edge with current updates.

Well, proof again of how Navas usually (always?) gets it wrong.
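
Added example, not part of any post in this thread: one way to check from firewall logs whether the egress rule discussed above (outgoing DNS only from the internal DNS servers) is actually in force. The LAN range, the resolver address and the key=value log layout are assumptions made for the example; the log lines are constructed and do not follow any vendor's format.

```python
import ipaddress
import re

# Assumptions for this example: the LAN range and the one internal resolver
# that is permitted to send DNS out through the firewall.
LAN = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_RESOLVERS = {ipaddress.ip_address("192.168.1.10")}

# Constructed sample in a generic key=value layout (not a vendor log format).
SAMPLE_LOG = """\
2008-12-06T11:52:01 action=allow proto=udp src=192.168.1.10 dst=198.51.100.53 dport=53
2008-12-06T11:52:04 action=allow proto=udp src=192.168.1.23 dst=203.0.113.7 dport=53
2008-12-06T11:52:09 action=deny proto=udp src=192.168.1.40 dst=203.0.113.7 dport=53
2008-12-06T11:52:15 action=allow proto=tcp src=192.168.1.23 dst=203.0.113.80 dport=443
2008-12-06T11:52:20 action=allow proto=tcp src=192.168.1.23 dst=203.0.113.7 dport=53
2008-12-06T11:52:31 action=allow proto=udp src=192.168.1.23 dst=192.168.1.10 dport=53
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def audit_dns_egress(log_text, lan=LAN, resolvers=INTERNAL_RESOLVERS):
    """Return (bypassed, blocked): client IP -> set of outside DNS servers.

    bypassed: flows the firewall allowed although the client is not a resolver.
    blocked:  flows the rule stopped; the client is still asking an outside
              server, so its DNS settings deserve a look.
    """
    bypassed, blocked = {}, {}
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("dport") != "53":
            continue
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
        except (KeyError, ValueError):
            continue  # skip malformed lines
        # Only LAN -> outside traffic from hosts that are not approved resolvers.
        if src not in lan or dst in lan or src in resolvers:
            continue
        bucket = bypassed if f.get("action") == "allow" else blocked
        bucket.setdefault(str(src), set()).add(str(dst))
    return bypassed, blocked


if __name__ == "__main__":
    bypassed, blocked = audit_dns_egress(SAMPLE_LOG)
    print("allowed DNS that bypassed the internal resolver:", bypassed)
    print("blocked attempts to reach outside DNS:", blocked)
```

An empty `bypassed` result means the rule is holding; entries in `blocked` point at clients whose DNS settings no longer point at the internal resolver.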