A DNS Filter and Switch for Packet-filtering Gateways
Bill Cheswick, Lucent Technologies
Steven M. Bellovin, AT&T Research
Abstract
IP-transparent firewalls require access to the external Domain Name
System (DNS) from protected internal hosts. Misconfigurations and
misuse of this system can create internal administrative and security
problems.
Dnsproxy provides access to and protection from untrusted DNS
services. It runs on a firewall, or on a trusted host just inside the
firewall. The program receives (or intercepts) DNS queries and
forwards them to an appropriate internal or external "realm" for
processing. The responses can be checked, filtered, and modified
before they are returned to the requester. The logging and consistency
checks can provide information about possible DNS attacks and
irregularities that are not available from most DNS implementations.