Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: Do you use DNS-Objects in Firewall-Rulesets? - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Do you use DNS-Objects in Firewall-Rulesets?
Dear SANS-Community,

I'm a Security-Engineer who is interested to hear how you handle "DNS-Objects in Firewallrulesets".
My Question is:
"Do you use DNS-Objects (e.g. www.google.com) in Firewall-Rulesets?"

Let me describe the Question.
I work in a strict environment, we are not allowed to use such DNS-Objects, because somebody could poison DNS. This protects us from DNS-Poiseing, but generates a lot of work.
E.g. google has a lot of IPs behind a DNS-Record, we have to find them all.
If google changes the IPs, the Ruleset must be modified.

So I'm really interested to hear if our approach is totally special and no longer state of the Art or .....
Do you use DNS-Objects (e.g. www.google.com) in Firewall-Rulesets?

regards, Sven
Anonymous

The concern regarding DNS spoofing is warranted. However, you have to decide how much of a risk it is. As for sites like Google: The heavy use of CDNs and cloud services makes IP based whitelisting pretty hard these days. Once you whitelist Amazon's cloud, Akamai and Google, you also whitelist a lot of malware hosted on either of these services.

You need to be a bit careful how your firewall interprets host names. Some only look it up when they load the rules, others properly obey TTLs and keep the IP addresses up to date.

Threatstop is a company that uses DNS objects to propagate blacklists and it works rather well for them (you can for example get our Top 20 block list for free from them). See threatstop.com
Anonymous

-
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!