spf-discuss

Re: Additional security considerations

2004-07-11 09:57:26
[Meng Weng Wong]

On Sat, Jul 10, 2004 at 10:51:59PM +0300, Andrew G. Tereschenko wrote:
| This will result in DNS request packets sent to internal network.
| Based on firewall/online status such DNS requests will be denied fast or
| timed out.
|
| Any ideas how we can prevent/workaround this ?

My response to these kinds of scenarios is:

  http://www.imc.org/ietf-mxcomp/mail-archive/msg02245.html


I do not get your point.
I'm not talking about DoS or server resource hog attacks.

SPF allows information about internal network structure to be revealed.

I would like you to add additional notes to the security considerations, like:

--
It's recommended to contact only publicly accessible DNS servers to answer all
queries generated during verification.
As part of this -
a) It's not recommended to contact DNS servers serving your private company
DNS data (like an Active Directory or internal DNS zones)
b) All queries addressed to internal machines inside your company must be
prevented.
An SPF implementation must provide a way to block all DNS queries addressed to
private IP ranges
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16
--

Thanks
--
Andriy G. Tereshchenko
TAG Software
Odessa, Ukraine
http://www.24.odessa.ua
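
The filter proposed in the message above, sketched as an added example (not part of the original post and not code from any SPF implementation): before a verifier's resolver sends a query, each nameserver address is checked against the four listed ranges. The function names, the delegation dictionary and the sample hostnames are assumptions constructed for illustration; unwrapping IPv4-mapped IPv6 addresses goes beyond the list in the message.

```python
import ipaddress

# Private ranges listed in the proposal above.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_blocked(addr):
    """True if a query to addr must not be sent. Unparsable input fails closed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    # Assumption beyond the proposal: unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
    # so the same IPv4 ranges cannot be reached through an AAAA record.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.version == 4 and any(ip in net for net in BLOCKED_NETS)


def split_nameservers(delegation):
    """Split {ns_name: [addresses]} into (allowed, refused) (name, addr) pairs."""
    allowed, refused = [], []
    for name, addrs in delegation.items():
        for addr in addrs:
            (refused if is_blocked(addr) else allowed).append((name, addr))
    return allowed, refused


# Constructed sample: nameserver addresses a sender-controlled zone might publish.
SAMPLE_DELEGATION = {
    "ns1.example.test": ["192.0.2.53"],
    "ns2.example.test": ["10.1.2.3"],
    "ns3.example.test": ["::ffff:192.168.0.10"],
    "ns4.example.test": ["172.32.0.1"],   # just outside 172.16.0.0/12
    "ns5.example.test": ["169.254.10.10", "not-an-address"],
}

if __name__ == "__main__":
    allowed, refused = split_nameservers(SAMPLE_DELEGATION)
    for name, addr in allowed:
        print("query  ", name, addr)
    for name, addr in refused:
        print("refused", name, addr)   # worth logging: sender zone points inward
```

Refused entries are the useful signal for an operator: a sending domain whose delegation points into private address space is either misconfigured or probing.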