spf-discuss

Re: Additional security considerations

2004-07-11 10:30:59
| This will result in DNS request packets sent to the internal network.
| Based on firewall/online status, such DNS requests will be denied fast or
| timed out.
| 
| Any ideas how we can prevent/work around this?

My response to these kinds of scenarios is:

  http://www.imc.org/ietf-mxcomp/mail-archive/msg02245.html

Don't be so naive as to think that deciding who's a "good guy" versus
"bad guy" is any excuse for proper security.  Andrew has very good
points.

The standard needs to be very specific about the security
considerations, even if you have no solutions for them yet.

I don't see any easy way to fix the DNS relay issue without removing
functionality of "exists".  One way might be to require that some
particular string is found in the hostname (eg "spf-exists"), which
would prevent you from using it to scan arbitrary hosts.  That does
limit its usefulness for checking existing blackhole lists, though.

-jim
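The marker idea Jim floats above, written out as an added example (not code from the list or from any SPF implementation): a verifier-side gate that expands the `exists:` target and refuses to issue the DNS query unless the resulting hostname contains an agreed marker string. The marker `spf-exists`, the minimal macro subset, and the sample record are assumptions for illustration.

```python
import re

# Marker string (the message's example "spf-exists") that this verifier
# requires in every expanded "exists:" target before issuing a DNS query.
REQUIRED_MARKER = "spf-exists"

# Minimal macro subset: %{s} %{l} %{o} %{d} %{i} %{h} and the literal %%.
# Digit/reverse/delimiter transformers are deliberately not handled here.
_MACRO = re.compile(r"%\{([slodih])\}|%%")


def expand_macros(domain_spec, ip, sender, helo):
    """Expand the macro subset above in an SPF domain-spec."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain,
              "d": sender_domain, "i": ip, "h": helo}
    return _MACRO.sub(
        lambda m: "%" if m.group(0) == "%%" else values[m.group(1)],
        domain_spec)


def gated_exists_lookups(spf_record, ip, sender, helo, marker=REQUIRED_MARKER):
    """Split the exists: targets of a record into those the verifier would
    query (marker present) and those it would refuse (marker absent).

    Returns (allowed, refused), both lists of expanded hostnames.
    """
    allowed, refused = [], []
    for term in spf_record.split():
        mech = term.lstrip("+-~?")          # drop the qualifier, if any
        if not mech.lower().startswith("exists:"):
            continue
        host = expand_macros(mech[len("exists:"):], ip, sender, helo)
        # Without the marker the name could point anywhere, e.g. at the
        # verifier's own internal namespace, so it is never resolved.
        (allowed if marker in host.lower() else refused).append(host)
    return allowed, refused


if __name__ == "__main__":
    # Constructed record: one legitimate exists: target and one that would
    # have the verifier probe an internal name on the record owner's behalf.
    record = ("v=spf1 exists:%{i}.spf-exists.example.net "
              "exists:%{i}.internal.corp -all")
    ok, refused = gated_exists_lookups(record, "192.0.2.7",
                                       "alice@example.net", "mail.example.net")
    print("would query:", ok)
    print("refused    :", refused)
```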