[DNSfirewalls] something new in dns firewalls: microsoft dns policy filtering
Robert Edmonds
edmonds at mycre.ws
Wed May 20 01:15:05 UTC 2015
Paul Vixie wrote:
> http://blogs.technet.com/b/networking/archive/2015/05/18/applying-filters-on-dns-queries-using-windows-dns-server-policies.aspx
Interestingly, they allow dropping queries based on the qtype:
Allow only certain QTypes
The white lists can also be applied to QTYPEs. Take a scenario where
for external customers coming on server interface 164.8.1.1 only
certain QTYPEs are allowed to be queried, while there are other
QTYPEs like SRV or TXT records which are used by internal servers
for name resolution or for monitoring purposes
Add-DnsServerQueryResolutionPolicy -Name "WhiteListQType" -Action IGNORE -QType "NE,A,AAAA,MX,NS,SOA" -ServerInterface "EQ,164.8.1.1" -PassThru
which I thought was considered a very bad thing to do, e.g.:
note that there may be other ways to achieve the "kaminsky effect"
that do not involve misdirection. [...] or if an ADNS
deterministically never answers some kinds of questions (like
undefined qtypes) [...]
(http://www.ietf.org/mail-archive/web/dnsext/current/msg02498.html)
--
Robert Edmonds
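Added example (not from this post, the Microsoft article, or the dnsext thread): a small stdlib-only audit script that sends one query per QTYPE to a server you operate and reports whether it answered with some RCODE or stayed silent, which is the distinction the quoted concern turns on. The server address and query name are assumptions passed on the command line; the response classifier works on raw bytes, so it can be checked offline.

```python
import os
import socket
import struct
from typing import Optional

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: str, txid: int) -> bytes:
    """Minimal RD=1 DNS query: 12-byte header plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def classify_response(query: bytes, resp: Optional[bytes]) -> str:
    """Name the outcome that matters here: an answer (any RCODE) or nothing at all."""
    if resp is None:
        return "SILENT"           # no reply at all: a resolver keeps waiting for one
    if len(resp) < 12 or resp[:2] != query[:2]:
        return "MISMATCH"         # truncated, or transaction id differs from ours
    flags = struct.unpack("!H", resp[2:4])[0]
    if not flags & 0x8000:
        return "NOT_A_RESPONSE"   # QR bit clear
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


def probe(server: str, name: str, qtype: str, timeout: float = 2.0) -> str:
    """Send one UDP query to server:53 and classify what arrives within timeout."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            resp = None
    return classify_response(query, resp)


if __name__ == "__main__":
    import sys
    # Assumed usage: python probe.py <server-ip> <name>, run against your own server.
    for qt in QTYPES:
        print("%-5s %s" % (qt, probe(sys.argv[1], sys.argv[2], qt)))
```

A row reading SILENT for a type you filter is the behaviour the quoted dnsext message describes; a REFUSED or other RCODE means the server is answering and the resolver stops waiting.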