Yeah, you could proxy DNS and use source address verification. Still, in the installation this wasn't a problem.
We were actually limiting access from the internal to external network. So, all DNS requests were only allowed to a target server. (Our servers of course).
Specifically, this was implemented to prevent IP over DNS so users couldn't get past the firewall.
Yeah... it's stupid we had to police our own staff. If people were doing their jobs... they could have had their fun too. However, this was not
The opulence of the front office door varies inversely with the fundamental
solvency of the firm.
This is why.... (Score:3, Insightful)
After the IP over DNS tunnel came out... it was actually a bit necessary. Our staff would do anything to get out of doing work...
ACLs are not secure (Score:1)
The use of ACLs is not secure because an attacker may easily spoof the IP address.
It is a good way, yes, but not the ONLY and FINAL way to protect our networks.
Re:ACLs are not secure (Score:1)
For what values of easily? (i.e. UDP or TCP?)
Re:ACLs are not secure (Score:2)
We were actually limiting access from the internal to external network. So, all DNS requests were only allowed to a target server. (Our servers of course).
Specifically, this was implemented to prevent IP over DNS so users couldn't get past the firewall.
Yeah... it's stupid we had to police our own staff. If people were doing their jobs... they could have had their fun too. However, this was not