On Tue, 16 Mar 2004 20:44:56 +0100, martin f krafft <madduck@xxxxxxxxxxx> said: > also sprach Valdis.Kletnieks@xxxxxx <Valdis.Kletnieks@xxxxxx> [2004.03.16.1= > 812 +0100]: > > 2) We've got applications making DNS requests that get forwarded > > out to the ISP's servers, where they will almost certainly result > > in either an error reply or a timeout Find ways to use this to > > your advantage. > > I would be interested in how you do that. The obvious is that the usual DNS spoofing hacks often only have a few milliseconds for you to stick in a bogus packet before the real DNS answers - here you have entire seconds to play with. > For ease of maintenance, I have my primary DNS respond with RFC 1918 > addresses for my internal machines. That is, my internal machines > are resolved by a primary DNS server out there on the 'Net, e.g. > sky.madduck.net. I fail to see how this can be a security problem. I know you well enough to know that you almost certainly Got It Right. > I agree that RFC 1918 slipping out by accident could be an > indication of problems in the network, drawing hackers attention > rightfully so. For every one of you, there's probably hundreds of these Getting It Wrong. Bet there's a bunch over at the Dept of the Interior. :)
Attachment:
pgp00051.pgp
Description: PGP signature