07-12-2004 11:04 AM - edited 02-20-2020 11:30 PM
Do you think there is a possibility of support of domain names in access-lists rather than by IP? In fact, it is not only for access-lists but the possibility of using it throughout the config.
If not, is there any security concern for it, since there are some competitor products in the market which can do the same? Is there any way we can show some drawback of DNS resolution in a firewall?
Solved! Go to Solution.
07-12-2004 12:13 PM
We are adding a name resolution client to the next version of PIX code (version 7.0) however, indications at this time are that it will not be used for name resolution in access-lists. In my opinion, name resolution is one of the more trivial items to spoof. Spoofing the DNS reply and giving false information is an easy way to circumvent your security policies. Just my thoughts.
Scott
07-12-2004 12:18 PM
The biggest drawback is what if the DNS system is offline or is spoofed. In the spoofed, or forged, case, misleading DNS records can cause your firewall to process and route when you may not want it to.
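The two failure modes raised in the replies above (a spoofed reply and an unreachable resolver) can be made concrete with a small model of a name-based permit rule. This is an added example, not PIX code or anything from the thread; the hostnames, addresses and the three stand-in resolvers are constructed, and the rule semantics ("match if the destination equals whatever the name resolves to right now") are an assumption chosen to show the point.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data (not from the thread): names an administrator might
# put into a rule, and the addresses a healthy resolver would return for them.
TRUSTED_DNS: Dict[str, str] = {
    "partner.example.net": "203.0.113.10",
    "mail.example.net": "203.0.113.25",
}

Resolver = Callable[[str], Optional[str]]

def honest_resolver(name: str) -> Optional[str]:
    """Healthy DNS: returns the legitimate record, or None if the name is unknown."""
    return TRUSTED_DNS.get(name)

def offline_resolver(name: str) -> Optional[str]:
    """DNS unreachable: every lookup fails."""
    return None

def forged_resolver(name: str) -> Optional[str]:
    """Spoofed reply: every name is answered with one attacker-chosen address."""
    return "198.51.100.66"

def evaluate_name_acl(permit_names: Iterable[str], dst_ip: str,
                      resolve: Resolver) -> str:
    """Model of a 'permit ... host <name>' list evaluated at lookup time.

    Returns 'permit' if dst_ip equals what any listed name resolves to,
    otherwise 'deny'. A name that does not resolve matches nothing, so a
    DNS outage silently drops legitimate traffic for that name.
    """
    dst = ipaddress.ip_address(dst_ip)
    for name in permit_names:
        addr = resolve(name)
        if addr is not None and ipaddress.ip_address(addr) == dst:
            return "permit"
    return "deny"

PERMIT_LIST = ["partner.example.net", "mail.example.net"]

if __name__ == "__main__":
    # Same rule, same packets; only the resolver's behaviour changes the verdict.
    for label, resolver in [("honest", honest_resolver),
                            ("offline", offline_resolver),
                            ("forged", forged_resolver)]:
        legit = evaluate_name_acl(PERMIT_LIST, "203.0.113.10", resolver)
        rogue = evaluate_name_acl(PERMIT_LIST, "198.51.100.66", resolver)
        print(f"{label:8} partner={legit:6} rogue-host={rogue}")
```

With the honest resolver the partner is permitted and the rogue host denied; with DNS offline the partner is also denied, and with a forged reply the rogue host is permitted, which is exactly the policy bypass the replies warn about.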