dns tunnels a threat?

nextime at nexlab.it nextime at nexlab.it
Fri Sep 7 06:36:52 UTC 2007


> This looks complicated.
> Using a bad QoS for DNS (no more than 10 requests/responses in 5 seconds)
> + dropping TXT records seems sufficient.
> I don't see why you need an intermediate DNS.
>

It isn't so complicated; it seems more complicated to explain than to
have it.

I need 2 DNS because we want authenticated users to have permission to use
a DNS without any restriction, but we want unauthenticated users to be very
restricted.

Dropping TXT isn't enough; adding a bad QoS should work, but we would have
to work on adding and deleting QoS rules when a user logs in/out, and
we don't want to put this work on a WRT54GL, especially because on that
hardware we can use only a 2.4 kernel due to the brcm driver issue with 2.6, and on
a 2.4 kernel we can't manipulate the conntrack table, so making
conntracked rules change in semi-realtime isn't doable.

The simple thing to do to solve all those issues is to set up two DNS servers, one
very limited (only some queries permitted, bad QoS) and one very "open"
(no QoS, no queries dropped/ignored).

Our little daemon switches between those two DNS servers transparently for the
user.



-- 

Franco (nextime) Lanza
Busto Arsizio - Italy
SIP://casa@casa.nexlab.it

NO TCPA: http://www.no1984.org
you can download my public key at:
http://danex.nexlab.it/nextime.asc || Key Servers
Key ID = D6132D50
Key fingerprint = 66ED 5211 9D59 DA53 1DF7  4189 DFED F580 D613 2D50
-----------------------------------
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D212153574F444E49572045535520454D20454B414D204F54204847554F4E452059415020544F4E4E4143205345544147204C4C4942snlbxq | dc
-----------------------------------
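The policy discussed in this thread (at most 10 DNS requests per 5 seconds plus dropped TXT records for unauthenticated clients, unrestricted DNS once a user has logged in) can be expressed as a small decision function. The following is an added example written for this page, not code from the Chilli project or from the poster's daemon. It assumes a gateway that sees raw DNS query packets with a client identifier, implements the 10-per-5-seconds limit as a sliding window per client, drops QTYPE 16 (TXT) for unauthenticated clients, and selects the open or restricted policy from an in-memory authenticated set; the sample packets are built inline with a constructed `build_query` helper.

```python
import struct
import time

TXT_QTYPE = 16  # QTYPE value for TXT records (RFC 1035)

# Policy values taken from the thread: 10 requests per 5 seconds and
# TXT dropped for unauthenticated clients; no limit for authenticated ones.
RESTRICTED_POLICY = {"max_queries": 10, "window_seconds": 5.0, "drop_qtypes": {TXT_QTYPE}}
OPEN_POLICY = {"max_queries": None, "window_seconds": 5.0, "drop_qtypes": set()}


def build_query(qname, qtype, txid=0x1234):
    """Constructed helper: build a minimal DNS query packet for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    body = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(packet):
    """Return (qname, qtype) from the first question of a DNS query packet."""
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query QNAME")  # not valid in a question
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype


class DnsGate:
    """Hypothetical gateway deciding per client whether a DNS query passes."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable for deterministic tests
        self.authenticated = set()    # clients currently logged in
        self.history = {}             # client -> timestamps of allowed queries

    def login(self, client):
        self.authenticated.add(client)

    def logout(self, client):
        self.authenticated.discard(client)
        self.history.pop(client, None)

    def decide(self, client, packet):
        """Return ("allow", qname) or ("drop", reason) for one query."""
        policy = OPEN_POLICY if client in self.authenticated else RESTRICTED_POLICY
        qname, qtype = parse_question(packet)
        if qtype in policy["drop_qtypes"]:
            return "drop", "qtype %d blocked by restricted policy" % qtype
        if policy["max_queries"] is not None:
            now = self.clock()
            recent = [t for t in self.history.get(client, []) if now - t < policy["window_seconds"]]
            if len(recent) >= policy["max_queries"]:
                self.history[client] = recent
                return "drop", "rate limit exceeded"
            recent.append(now)
            self.history[client] = recent
        return "allow", qname


if __name__ == "__main__":
    gate = DnsGate()
    client = "10.0.0.5"  # constructed client address
    print(gate.decide(client, build_query("www.example.com", 1)))
    print(gate.decide(client, build_query("data.example.com", TXT_QTYPE)))
    gate.login(client)
    print(gate.decide(client, build_query("data.example.com", TXT_QTYPE)))
```

The two policy dictionaries stand in for the thread's two DNS servers: a real deployment would point the client at one resolver or the other, but the decision logic (which client, which QTYPE, how many queries in the window) is the same either way.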
