DNS rebinding: prevention?
Chris Buxton
cbuxton at menandmice.com
Fri Aug 3 16:50:28 UTC 2007
named would have to check the address of each A or AAAA record coming
from the outside to see if it refers to an internal address. I don't
believe any name server can do this currently. This seems to be more
a job for an application-level firewall that can fully inspect the
contents of DNS messages and filter based on their contents.
Chris Buxton
Men & Mice
On Aug 3, 2007, at 9:10 AM, Mordechai T. Abzug wrote:
> Is there a way to get bind in caching mode to prevent DNS answers from
> external DNS servers that include RR rdata with internal IPs and
> internal hostnames? [Question originally asked on dc-sage by Peter
> Watkins.]
>
> This would be to prevent DNS rebinding. Information about DNS
> rebinding:
>
> http://www.hackszine.com/blog/archive/2007/08/dns_rebinding_how_an_attacker.html
> http://crypto.stanford.edu/dns/
>
> If this is not a feature of bind today, can this be added?
>
> Note that there would probably need to be an exception mechanism to
> deal with known glue records, delegations to other servers, and other
> known valid third-party RRs that point to internal names and IPs.
>
> ["match-destinations" has a promising name, but seems to be for DNS
> server's own IPs, not for RR rdata.]
>
> - Morty
>
>
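As an added illustration of the application-level inspection Chris describes (this is example code written for this page, not from BIND or from either poster), the block below parses the answer section of a DNS response, extracts A and AAAA rdata, and flags any address that falls inside internal ranges unless the owner name is on an allowlist, which stands in for the "exception mechanism" Morty mentions for known glue and delegation records. The sample response is constructed inline; the internal-range list (RFC 1918, loopback, link-local, ULA) and the name `rebind.example.` are assumptions chosen for the demonstration.

```python
"""Added example: inspect DNS responses for A/AAAA rdata pointing at internal
address space (a rebinding filter), with an allowlist for known-good names."""
import ipaddress
import struct

# Assumed definition of "internal" for this example: private, loopback,
# link-local and unique-local ranges. A deployment would use its own list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

TYPE_A, TYPE_AAAA = 1, 28


def _read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, offset_after)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_answers(msg):
    """Return [(owner_name, rtype, rdata_bytes)] from the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                  # skip the question section
        _, off = _read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return answers


def rebinding_violations(msg, allowlist=()):
    """A/AAAA answers whose rdata is an internal address, except allowlisted
    owner names (the exception hook for known glue / delegations)."""
    bad = []
    for name, rtype, rdata in parse_answers(msg):
        if rtype == TYPE_A and len(rdata) == 4:
            addr = ipaddress.IPv4Address(rdata)
        elif rtype == TYPE_AAAA and len(rdata) == 16:
            addr = ipaddress.IPv6Address(rdata)
        else:
            continue
        if name in allowlist:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            bad.append((name, str(addr)))
    return bad


# --- constructed sample input (not a captured packet) -----------------------
def _encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, records):
    """Build a minimal DNS response; answers use a pointer to the question name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for rtype, addr in records:
        packed = ipaddress.ip_address(addr).packed
        body += struct.pack("!HHHIH", 0xC00C, rtype, 1, 0, len(packed)) + packed
    return header + question + body


SAMPLE = build_response("rebind.example.", [
    (TYPE_A, "10.0.0.5"),          # internal: should be flagged
    (TYPE_A, "93.184.216.34"),     # public: fine
    (TYPE_AAAA, "fd00::1"),        # ULA: should be flagged
])

if __name__ == "__main__":
    print(rebinding_violations(SAMPLE))
    print(rebinding_violations(SAMPLE, allowlist={"rebind.example."}))
```

The check runs on the resolver side of the answer, which is why it needs a full parser rather than an ACL on source addresses: as Chris notes, options like `match-destinations` act on the server's own addresses, not on what the rdata says.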