DNS rebinding: prevention?
Mark Andrews
Mark_Andrews at isc.org
Wed Aug 8 01:39:39 UTC 2007
> On Tue, Aug 07, 2007 at 03:00:43PM +1000, Mark Andrews wrote:
>
> > It's also not as straight forward as people seem to think.
>
> > You would need lots of exception processing which would be
> > a combination of name and/or address and/or tsig pairs.
>
> Both of my posts so far have said that an exception mechanism would be
> needed. That said, bind already has a lot of ACL-related plumbing.
> One way to implement this would be a global ACL option like
> "allow-external-pointing-to-this" that defaults to "any". Each zone
> also takes a (possible) "allow-external-pointing-to-this" ACL that
> overrides the global option. Each "allow-external-pointing-to-this"
> ACL is a regular bind ACL with addresses, TSIGs, or whatever.
There is a big difference in controlling queries vs controlling
what is put into the cache.
The obvious one would be a border cache where you wouldn't accept
internal addresses from external nameservers. With something like
this sort-list syntax.
allow-cache {
// allow internal from internal
{ { range; }; { range; } };
// disallow internal from external
{ { range; }; { none; }; };
// allow everything else from anywhere
{ { any; }; { any; }; };
};
However named really has no way to know if the source address of
the packet is valid. So what we want is the destination address
of the packet as well, which isn't available in the basic socket API.
IPv6 supports retrieving the destination address in the advanced
API.
We can fake it in IPv4 if we use a per interface socket and a
wildcard socket. You send on the wildcard socket and receive
on the per-interface sockets, otherwise you need the entire
routing topology inside named.
Anti-spoofing firewall rules can also help some but not all
of the time.
allow-cache {
// allow internal from internal over internal
{ { range; }; { range; }; { range; } };
// disallow internal from external
{ { range; }; { none; }; { any; }; };
// allow everything else from anywhere
{ { any; }; { any; }; { any; }; };
};
Next people will want to add in namespaces.
allow-cache "example.net" {
// allow internal from internal over internal
{ { range; }; { range; }; { range; }; };
// disallow internal from external
{ { range; }; { none; }; { any; }; };
// allow everything else from anywhere
{ { any; }; { any; }; { any; }; };
};
Then they will want to use nameserver names rather than addresses.
allow-cache "example.net" {
{
{ range; };
{ server ns1.example.net; server ns2.example.net; };
{ range; };
};
{ { range; }; { none; }; { any; }; };
{ { any; }; { any; }; { any; }; };
};
Now we have to cope with glue from the parents.
....
As I said it gets complicated very fast.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
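A small evaluator for the cache-admission policy sketched in the message above (the three-element allow-cache rules and the namespace-keyed variant), added here as an example; it is not code from the thread or from BIND. The address ranges, the first-match semantics, the suffix-based namespace lookup and the names allow_cache, policy_for and decide are assumptions made for the illustration.

```python
import ipaddress

# Constructed ranges standing in for the thread's "{ range; }" (site-internal space).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ANY, NONE = "any", "none"   # the { any; } and { none; } ACL keywords


def acl_matches(acl, addr):
    """Match one address against an ACL: 'any', 'none', or a list of networks."""
    if acl == ANY:
        return True
    if acl == NONE:
        return False
    return any(ipaddress.ip_address(addr) in net for net in acl)


# Rule = (answer-address ACL, source-nameserver ACL, destination-interface ACL).
# Assumed first-match semantics: a rule is considered when its answer ACL matches;
# a 'none' in any other position makes it an explicit deny; otherwise it allows
# only if the remaining ACLs match too, else evaluation falls through.
BORDER_POLICY = [
    (INTERNAL, INTERNAL, INTERNAL),  # allow internal from internal over internal
    (INTERNAL, NONE, ANY),           # disallow internal from external
    (ANY, ANY, ANY),                 # allow everything else from anywhere
]


def allow_cache(policy, answer_addr, src_ns, dst_iface):
    """Decide whether an A/AAAA answer may enter the cache (default deny)."""
    for ans_acl, src_acl, dst_acl in policy:
        if not acl_matches(ans_acl, answer_addr):
            continue
        if NONE in (src_acl, dst_acl):
            return False
        if acl_matches(src_acl, src_ns) and acl_matches(dst_acl, dst_iface):
            return True
    return False


def policy_for(owner_name, policies):
    """Pick the longest-suffix namespace policy; '' is the global default."""
    labels = owner_name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in policies:
            return policies[key]
    return policies[""]


def decide(owner_name, answer_addr, src_ns, dst_iface, policies):
    return allow_cache(policy_for(owner_name, policies), answer_addr, src_ns, dst_iface)


# Constructed example: global border policy plus one assumed zone whose internal
# addresses may legitimately arrive from outside (for illustration only).
POLICIES = {"": BORDER_POLICY, "example.net": [(ANY, ANY, ANY)]}
```

The fourth case in the checks below is the one the message calls out: an internal answer from an internal-looking source that arrived on the external interface is refused, which only works if named knows the destination address of the packet.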