DNS rebinding: prevention?

Mordechai T. Abzug morty+bind at frakir.org
Fri Aug 3 16:10:17 UTC 2007

Is there a way to get bind in caching mode to prevent DNS answers from
external DNS servers that include RR rdata with internal IPs and
internal hostnames?  [Question originally asked on dc-sage by Peter

This would be to prevent DNS rebinding.  Information about DNS


If this is not a feature of bind today, can this be added?

Note that there would probably need to be an exception mechanism to
deal with known glue records, delegations to other servers, and other
known valid third-party RRs that point to internal names and IPs.

["match-destinations" has a promising name, but seems to be for the DNS
server's own IPs, not for RR rdata.]

- Morty
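
The filtering policy the message asks for, with its exception mechanism, sketched as an added example; it is not part of the original post and is not BIND code. The networks, zone names, and the function `check_answer` are assumptions made for illustration.

```python
import ipaddress

# Assumed site policy: constructed values, not taken from the post.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
INTERNAL_ZONES = ("corp.example.",)    # internal hostnames
EXCEPTIONS = ("partner.example.",)     # third parties known to point inside


def _under(name, zones):
    """True if name equals, or is a subdomain of, any zone (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in zones)


def _is_internal_ip(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return True                    # unparseable rdata: fail closed
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped        # ::ffff:10.0.0.1 is still 10.0.0.1
    return any(addr in net for net in INTERNAL_NETS
               if net.version == addr.version)


def check_answer(qname, records):
    """Decide whether to cache an answer received from an external server.

    records is a list of (owner, rrtype, rdata) text tuples.
    Returns (accept, reason).
    """
    if _under(qname, INTERNAL_ZONES + EXCEPTIONS):
        return True, "exempt query name"
    for owner, rrtype, rdata in records:
        if rrtype in ("A", "AAAA") and _is_internal_ip(rdata):
            return False, f"{owner} {rrtype} {rdata}: internal address"
        if rrtype in ("CNAME", "DNAME") and _under(rdata, INTERNAL_ZONES):
            return False, f"{owner} {rrtype} {rdata}: internal name"
    return True, "ok"
```

The check runs on the rdata of each record, not on the address of the server that sent it, which is the distinction drawn above about "match-destinations".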

