2006-10-04
joelmoses
Re: Blocking Dynamic DNS update attempts via FW-1 custom INSPECT

Thanks for the compliment!

That's a good point. It's not an optimal configuration to have anything other than a DNS cache to relay requests outside the network, but it's a configuration I know lots of places have (you can thank Microsoft for making AD so DNS-heavy and for lots of "appliance" hardware for requiring direct DNS access rather than using servers). Using UDP DNS protocol enforcement and some of the DNS security features in R60/61 makes things a bit more "safe".