DNS rebinding: prevention?
denic at eng.colt.net
Tue Aug 7 12:24:50 UTC 2007
On 07.08.2007, at 09:46, Mordechai T. Abzug wrote:
> On Tue, Aug 07, 2007 at 03:00:43PM +1000, Mark Andrews wrote:
>> All of this to "fix" a flawed security model.
> In part, yes, the immediate issue is someone else's problem. That
> said, it's a lot easier to fix it here, definitively, than continue to
> use patchwork solutions elsewhere.
Well the ultimate fault lies as Mark and others said is in the browser.
However rather then overloading DNS server with functions unrelated to
DNS, we could use the technology available to us to solve this.
What if everybody would use proper reverse entries that also had the
corresponding forward entries and all that secured via DNSSEC? Then
if the browser would see a difference between forward and reverse
mapping it should not allow the connection.
I know that especially when looking at the discussions in the dnsop
wg that this will not happen any time soon now, but as said I'd rather
use existing proven technology instead of adding yet another feature
that might cause yet another bug.
> In part, this is a DNS security flaw, too. Why can external entities
> point their RRs at my names and IP address space and try other novel
> forms of DNS-based attack against my hosts? What is the next problem
> that will exploit this?
Well what is your address space? There are several reasons why names may
point anywhere. DNS just is a protocol not a policy. This is not an DNS
security flaw IMHO - it just is a feature.
More information about the bind-users