DNS rebinding: prevention?
Mordechai T. Abzug
morty+bind at frakir.org
Fri Aug 3 16:10:17 UTC 2007
Is there a way to get bind in caching mode to prevent DNS answers from
external DNS servers that include RR rdata with internal IPs and
internal hostnames? [Question originally asked on dc-sage by Peter
Watkins.]
This would be to prevent DNS rebinding. Information about DNS
rebinding:
http://www.hackszine.com/blog/archive/2007/08/dns_rebinding_how_an_attacker.html
http://crypto.stanford.edu/dns/
If this is not a feature of bind today, can this be added?
Note that there would probably need to be an exception mechanism to
deal with known glue records, delegations to other servers, and other
known valid third-party RRs that point to internal names and IPs.
["match-destinations" has a promising name, but seems to be for DNS
server's own IPs, not for RR rdata.]
- Morty
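An added example, not part of Morty's message or of the BIND documentation: the answer-filtering the question asks for was added to BIND later (BIND 9.7 and newer) as the `deny-answer-addresses` and `deny-answer-aliases` options, and the `except-from` clause is the exception mechanism for glue, delegations and other known-valid third-party RRs that point at internal names and addresses. The configuration below assumes a caching resolver serving RFC 1918 networks and an internal domain called `corp.example` / `dev.example`; those names, the listener address and the log path are placeholders.

```conf
// Added example for the question above (not from the original message).
// Requires BIND 9.7 or later. "corp.example", "dev.example" and the
// file paths are assumed placeholders.
acl "internal-nets" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    127.0.0.0/8;          // loopback: the usual rebinding target
    169.254.0.0/16;       // link-local (cloud metadata services live here)
    ::1/128;
    fc00::/7;             // IPv6 unique local addresses
    fe80::/10;            // IPv6 link-local
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { internal-nets; };

    // Reject answers from external servers whose A/AAAA rdata falls in
    // internal-nets, unless the *query name* is under one of the
    // except-from domains. That exception list is where known glue,
    // delegations and split-horizon names that legitimately resolve to
    // internal addresses are whitelisted.
    deny-answer-addresses { internal-nets; }
        except-from { "corp.example"; "dev.example"; };

    // Reject CNAME/DNAME targets that alias into internal domains (the
    // rebinding variant that uses a name rather than an address), again
    // unless the query name is itself under an exempted domain.
    deny-answer-aliases { "corp.example"; "dev.example"; }
        except-from { "corp.example"; "dev.example"; };
};

logging {
    // Filtered answers are logged in the "security" category.
    channel rebind_log {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category security { rebind_log; };
};
```

Validate with `named-checkconf` before reloading. Two caveats worth knowing: when a response trips the filter the client receives SERVFAIL and nothing is cached, so any external name that legitimately returns an internal address (split-horizon services, some appliances' vendor DNS) must be added to `except-from` or it will stop resolving; and the filter only inspects responses arriving from authoritative servers, so it does not rewrite zones the resolver itself is authoritative for, nor answers already in cache when the option is enabled.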