dns tunnels a threat?

David Bird mem.corruption at gmail.com
Fri Sep 7 11:50:54 UTC 2007


On 9/7/07, nextime at nexlab.it <nextime at nexlab.it> wrote:
>
> SOA and MX should be dropped imho.
> Maybe AAAA should be added for future improvements with ipv6.


Yeah, I think so too...


> is "dnsparanoid" filtering applied only to unauth users?


Oops, actually I named it dnsparanoia -- yes, only for unauth'ed clients.


> Maybe this is too restrictive, I think that a rate limiting for
> something like 4 A/CNAME requests, with maybe also not more than
> 100/minute or not more than 10 for the same second level domain every
> minute should work.


The rate limiting is pretty easy to do with iptables for all users. This
kind of stuff is well suited for the ip-up/down and connection-up/down
scripts.

David
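As an added illustration of the per-client DNS rate limiting discussed in this message (example code, not from the thread or from the CoovaChilli project): a small POSIX shell helper that emits the iptables commands an ip-up/connection-up script could run. The interface argument, the DNSLIMIT chain name, the 100/minute sustained limit and the burst of 10 are assumptions chosen for illustration; the matching relies on the standard xt_hashlimit and LOG targets. It implements only the "not more than 100/minute per client" part of the proposal; the per-second-level-domain limit cannot be expressed in plain iptables and would need to live in the resolver.

```shell
#!/bin/sh
# Added example, not CoovaChilli code: generate iptables rules that cap the
# number of DNS queries each client may send through a given interface.
# Assumptions: the interface name is passed as $1 (an ip-up script would take
# it from its environment), chain name DNSLIMIT, limits 100/min with burst 10.

CHAIN="DNSLIMIT"

# Print the iptables commands (one per line) for interface $1.
# $2 = sustained per-client limit (packets per minute), $3 = burst allowance.
dns_ratelimit_rules() {
    iface="$1"
    rate="${2:-100}"
    burst="${3:-10}"
    if [ -z "$iface" ]; then
        echo "usage: dns_ratelimit_rules <iface> [rate/min] [burst]" >&2
        return 1
    fi
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || true
iptables -F $CHAIN
iptables -A $CHAIN -m hashlimit --hashlimit-name dnslimit --hashlimit-mode srcip --hashlimit-upto ${rate}/min --hashlimit-burst $burst -j RETURN
iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix "dns-ratelimit: "
iptables -A $CHAIN -j DROP
iptables -C FORWARD -i $iface -p udp --dport 53 -j $CHAIN 2>/dev/null || iptables -I FORWARD -i $iface -p udp --dport 53 -j $CHAIN
iptables -C FORWARD -i $iface -p tcp --dport 53 -j $CHAIN 2>/dev/null || iptables -I FORWARD -i $iface -p tcp --dport 53 -j $CHAIN
EOF
}

# Run the generated commands; with DRY_RUN set, print them instead so the
# rule set can be reviewed before it touches the firewall.
apply_dns_ratelimit() {
    dns_ratelimit_rules "$@" | while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Example invocation for a client interface called tun0 (assumed name):
#   DRY_RUN=1 apply_dns_ratelimit tun0 100 10
```

The hashlimit rule lets packets through (RETURN) while a client stays under the rate; anything above it is logged at most five times a minute, so a noisy client cannot flood the log, and then dropped. The `-C ... || -I` idiom keeps the jump rules from being duplicated when the script runs once per session. The hashlimit counters are keyed on source IP, so all of a client's queries count together regardless of record type; distinguishing A/CNAME from other types, as the quoted proposal does, belongs in the resolver rather than in this filter.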