[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
- To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
- Date: Thu, 06 Jul 2006 19:05:28 -0700
Whatchu talkin 'bout Willis?
All the clients have internal DNS set. Internal DNS has root zones. From a
command prompt (or some exploit) they cannot resolve external addresses.
But when you set them as Web Proxy clients, they can, of course, use IE as
the ISA server *does* have DNS configured, and has rules that allow it to
query my external name server and my ISP's server cache (and *only* that
server cache). That works just fine, and always has.
There are a few special cases where I've needed the firewall client (those
are not important to the subject.)
As I have seen in the linked article (and others) a FWC machine will use the
control channel (1745) to query DNS, and the ISA server will proxy that
request even in a shell. I added the "L" parameter to the NameResolution
tag, applied settings, refreshed the client, and it can still resolve
external host names via the ISA server. There is no reason for the client
to be able to do that, and I want to disable that.
t
On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> Wait a minute. How do the Firewall clients reach external resources if
> the ISA firewall cannot perform name resolution on their behalf and the
> clients don't have a DNS server configured on them to resolve names?
>
> For that matter, how do the Web proxy clients resolve external names?
> The mechanism is the same.
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Thursday, July 06, 2006 8:43 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>> resolution over control channel
>>
>> Yep.
>>
>>
>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> spoketh to all:
>>
>>> Did you refresh the Firewall client configuration?
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>> (Hammer of God)
>>>> Sent: Thursday, July 06, 2006 7:17 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>> resolution over control channel
>>>>
>>>> OK- I added the config option with "L" as described, and it
>>>> still doesn't
>>>> stop it. What exactly is the option?
>>>>
>>>> t
>>>>
>>>>
>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>> spoketh to all:
>>>>
>>>>> Tim,
>>>>>
>>>>> You can change this behavior in the FWC configuration settings.
>>>>>
>>>>> Jim will be sad that you didn't read his semenal article on this
>>>>> subject:
>>>>>
>>>>>
>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Fir
>>>> ewall_Clie
>>>>> nt.html
>>>>>
>>>>> BTW -- post to the big boys list first ;)
>>>>>
>>>>> Thanks!
>>>>> Tom
>>>>>
>>>>> Thomas W Shinder, M.D.
>>>>> Site: www.isaserver.org
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7
>>>>> MVP -- ISA Firewalls
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
>>>>>> To: ISA-MVP
>>>>>> Subject: [ISAServer] Firewall client DNS resolution over
>>>>>> control channel
>>>>>>
>>>>>> Greetings:
>>>>>>
>>>>>> As some of you may know, I practice least privilege whenever
>>>>>> possible for
>>>>>> all client access. Part of this strategy includes
>>>>>> configuring internal AD
>>>>>> DNS as root zones (with no possible forwarders.) In this
>>>>>> way, internal
>>>>>> clients can never have non proxy-aware applications resolve
>>>>>> external hosts.
>>>>>> Almost all of my clients are exclusively Web Proxy clients,
>>>>>> which means that
>>>>>> only services available via IE settings can have the DNS
>>>>>> resolution proxied
>>>>>> for them.
>>>>>>
>>>>>> However, in testing access with the Firewall Client, I have
>>>>>> found that no
>>>>>> matter what I do, I cannot restrict a client running the FWC
>>>>>> from resolving
>>>>>> external hosts via the FWC control channel. I have no rules
>>>>>> allowing DNS
>>>>>> access from the internal network, have ensured that the
>>>>>> system policy only
>>>>>> resolves to Domain Controllers for DNS, ensured that only
>>>>>> Local Host can
>>>>>> look up DNS, and have even explicitly denied Internal hosts
>>>>>> from resolving
>>>>>> DNS. Yet, if a system has the FWC on it (and enabled) then
>>>>>> they can resolve
>>>>>> external hosts.
>>>>>>
>>>>>> How do I stop this? An more importantly, are there any other FWC
>>>>>> control-channel policy exclusions that I should know about?
>>>>>>
>>>>>> Thnx
>>>>>> T
>>>>>>
>>>>>>
>>>>>> ---
>>>>>> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
>>>>>> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx,
>>>>>> youremailaddress
>>>>>>
>>>>>> To leave the list - send an email to list@xxxxxxxxxxxxxxx
>>>>>> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,
>>>>>> youremailaddress
>>>>>>
>>>>>> Don't forget the comma!
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
Other related posts:
