DNS rebinding: prevention?

Chris Buxton cbuxton at menandmice.com
Fri Aug 3 16:50:28 UTC 2007


named would have to check the address of each A or AAAA record coming  
from the outside to see if it refers to an internal address. I don't  
believe any name server can do this currently. This seems to be more  
a job for an application-level firewall that can fully inspect the  
contents of DNS messages and filter based on their contents.

Chris Buxton
Men & Mice

On Aug 3, 2007, at 9:10 AM, Mordechai T. Abzug wrote:

> Is there a way to get bind in caching mode to prevent DNS answers from
> external DNS servers that include RR rdata with internal IPs and
> internal hostnames?  [Question originally asked on dc-sage by Peter
> Watkins.]
>
> This would be to prevent DNS rebinding.  Information about DNS
> rebinding:
>
>   http://www.hackszine.com/blog/archive/2007/08/dns_rebinding_how_an_attacker.html
>   http://crypto.stanford.edu/dns/
>
> If this is not a feature of bind today, can this be added?
>
> Note that there would probably need to be an exception mechanism to
> deal with known glue records, delegations to other servers, and other
> known valid third-party RRs that point to internal names and IPs.
>
> ["match-destinations" has a promising name, but seems to be for DNS
> server's own IPs, not for RR rdata.]
>
> - Morty
>
>
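A filter of the kind Chris describes, written here as an added example (it is not code from the thread, from BIND, or from Men & Mice): it checks the rdata of A/AAAA records in answers received from external servers against internal address ranges, also rejects CNAME/NS targets under internal zone suffixes, and honours the exception list for known glue and delegations that Morty asks for. The (owner, type, rdata) record format, the `corp.example` suffix and the constructed sample response are assumptions.

```python
import ipaddress

# Ranges an answer from an external server should normally never point into:
# RFC 1918, loopback, link-local, "this network", and the IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal(rdata):
    """True if A/AAAA rdata lies in an internal range. IPv4-mapped IPv6
    addresses (::ffff:a.b.c.d) are unwrapped so an RFC 1918 address cannot
    slip past the IPv4 ranges inside an AAAA record."""
    addr = ipaddress.ip_address(rdata)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETS)

def _under_suffix(name, suffixes):
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def filter_answers(records, internal_suffixes=(), allow=frozenset()):
    """Split answer records from an external server into (kept, dropped).
    records: (owner, rrtype, rdata) tuples as a resolver holds them after
    parsing. internal_suffixes: zone names considered internal. allow:
    (owner, rdata) pairs that are known-valid exceptions (glue, delegations)."""
    kept, dropped = [], []
    for owner, rrtype, rdata in records:
        bad = (rrtype in ("A", "AAAA") and is_internal(rdata)) or \
              (rrtype in ("CNAME", "NS") and _under_suffix(rdata, internal_suffixes))
        if bad and (owner.rstrip(".").lower(), rdata) in allow:
            bad = False  # explicitly permitted third-party RR
        (dropped if bad else kept).append((owner, rrtype, rdata))
    return kept, dropped

# Constructed sample answer section from an external authoritative server.
SAMPLE = [
    ("www.attacker.example.", "A", "203.0.113.10"),
    ("www.attacker.example.", "A", "192.168.1.1"),        # rebinding attempt
    ("www.attacker.example.", "AAAA", "::ffff:10.0.0.5"), # IPv4-mapped RFC 1918
    ("alias.attacker.example.", "CNAME", "intranet.corp.example."),
    ("ns1.corp.example.", "A", "10.0.0.53"),              # known glue, allowed
    ("www.attacker.example.", "AAAA", "2001:db8::1"),
]
ALLOW = frozenset({("ns1.corp.example", "10.0.0.53")})

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE, ("corp.example",), ALLOW)
    print("kept:", kept)
    print("dropped:", dropped)
```

Running the block drops the two internal A/AAAA answers and the CNAME into the internal zone while keeping the allow-listed glue record.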



More information about the bind-users mailing list