[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH
Grant Taylor
gtaylor at tnetconsulting.net
Sat May 18 04:33:09 UTC 2019
On 5/17/19 4:50 PM, Ángel wrote:
> No. The client could be making more than one connection and, since
> it has a non-expired dns answer for that host, instead of making a
> superfluous dns query, connect directly, long after your firewall
> considered that it already gave it plenty of time for the *first*
> connection.
Good point.
> If you want to restrict the time the hole is open, you should change
> the returned TTL to an appropriate value. But having the firewall
> rule set to TTL+ε is the right call.
Thank you for the explanation.
I guess the exposure is also somewhat minimized by using a source and
destination IP address pair.
That does make me wonder how QNAMEs with multiple A / AAAA records would
be handled. I assume that you would need to pinhole all IPs or return a
single IP.
--
Grant. . . .
unix || die
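Added illustration (not part of the thread, and not anyone's production code): a small in-memory model of the DNS-driven pinhole table the two posts above are discussing. It installs one (source, destination) rule per address in the answer, A and AAAA alike, with a lifetime of TTL+ε, and replays the scenario Ángel describes, a client that resolves once and then opens a second connection from its cache long after the first. The addresses, the TTL and the 2-second ε are constructed values chosen for the example.

```python
"""Toy model of a firewall that opens pinholes from observed DNS answers.

Rules are keyed on (client_ip, resolved_ip) and expire at now + lifetime.
Everything here is in-memory and constructed for illustration.
"""
from dataclasses import dataclass, field

EPSILON = 2.0  # grace period (seconds) added to the TTL; assumed value


def pinhole_lifetime(ttl, epsilon=EPSILON):
    """Lifetime of a rule derived from the answer's TTL: TTL + epsilon."""
    return float(ttl) + epsilon


@dataclass
class PinholeTable:
    # (client_ip, dst_ip) -> absolute expiry time (seconds)
    rules: dict = field(default_factory=dict)

    def on_dns_answer(self, client_ip, answer_ips, lifetime, now):
        """Open one pinhole per address in the answer (all A / AAAA RRs).

        If a rule for the pair already exists, keep whichever expiry is later
        so a re-query never shortens an existing hole.
        """
        expiry = now + lifetime
        opened = []
        for ip in answer_ips:
            key = (client_ip, ip)
            self.rules[key] = max(self.rules.get(key, 0.0), expiry)
            opened.append(key)
        return opened

    def expire(self, now):
        """Drop rules whose expiry has passed; returns how many were removed."""
        stale = [k for k, exp in self.rules.items() if exp <= now]
        for k in stale:
            del self.rules[k]
        return len(stale)

    def allows(self, client_ip, dst_ip, now):
        """Would a new connection client_ip -> dst_ip be permitted at `now`?"""
        self.expire(now)
        return (client_ip, dst_ip) in self.rules


def replay(lifetime):
    """Replay one client session against a table using the given rule lifetime.

    t=0   client resolves the name; answer carries one A and one AAAA, TTL 300
    t=1   first connection, to the IPv4 address
    t=200 second connection, to the IPv6 address, straight from the cache
    t=303 a connection after the TTL has run out
    """
    client = "198.51.100.7"                        # constructed client address
    answer = ["192.0.2.10", "2001:db8::10"]        # constructed A + AAAA answer
    fw = PinholeTable()
    fw.on_dns_answer(client, answer, lifetime, now=0.0)
    return {
        "first_v4": fw.allows(client, "192.0.2.10", 1.0),
        "second_v6_from_cache": fw.allows(client, "2001:db8::10", 200.0),
        "after_ttl": fw.allows(client, "192.0.2.10", 303.0),
        "unrelated_dst": fw.allows(client, "203.0.113.5", 1.0),
    }


if __name__ == "__main__":
    # TTL + epsilon keeps the hole open for the whole cache lifetime ...
    print("TTL+eps :", replay(pinhole_lifetime(300)))
    # ... while a fixed short window blocks the cached second connection.
    print("5 s     :", replay(5.0))
```

With the TTL-derived lifetime the second (cached) connection at t=200 is allowed and the hole closes just after t=302; with a fixed 5-second window the second connection is blocked even though the client's cached answer is still valid, which is the breakage Ángel points out. Because every address in the answer gets its own rule, a multi-record QNAME simply yields several pinholes, all tied to the same client source address.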