DNS rebinding: prevention?

Mark Andrews Mark_Andrews at isc.org
Wed Aug 8 01:39:39 UTC 2007


> On Tue, Aug 07, 2007 at 03:00:43PM +1000, Mark Andrews wrote:
> 
> > 	It's also not as straight forward as people seem to think.
> 
> > 	You would need lots of exception processing which would be
> > 	a combination of name and/or address and/or tsig pairs.
> 
> Both of my posts so far have said that an exception mechanism would be
> needed.  That said, bind already has a lot of ACL-related plumbing.
> One way to implement this would be a global ACL option like
> "allow-external-pointing-to-this" that defaults to "any".  Each zone
> also takes a (possible) "allow-external-pointing-to-this" ACL that
> overrides the global option.  Each "allow-external-pointing-to-this"
> ACL is a regular bind ACL with addresses, TSIGs, or whatever.

	There is a big difference in controlling queries vs controlling
	what is put into the cache.

	The obvious one would be a border cache where you wouldn't accept
	internal addresses from external nameservers, with something like
	this sort-list syntax.

	allow-cache {
		      // allow internal from internal
		      { { range; }; { range; }; };
		      // disallow internal from external
		      { { range; }; { none; }; };
		      // allow everything else from anywhere
		      { { any; };  { any; }; };
		    };
	
	However named really has no way to know if the source address of
	the packet is valid.  So what we want is the destination address
	of the packet as well, which isn't available in the basic socket API.
	IPv6 supports retrieving the destination address in the advanced
	API.

	We can fake it in IPv4 if we use a per-interface socket and a
	wildcard socket.  You send on the wildcard socket and receive
	on the per-interface sockets; otherwise you need the entire
	routing topology inside named.

	Anti-spoofing firewall rules can also help some but not all
	of the time.

	allow-cache {
		      // allow internal from internal over internal
		      { { range; }; { range; }; { range; }; };
		      // disallow internal from external
		      { { range; }; { none; }; { any; }; };
		      // allow everything else from anywhere
		      { { any; };  { any; }; { any; }; };
		    };

	Next people will want to add in namespaces.

	allow-cache "example.net" {
		      // allow internal from internal over internal
		      { { range; }; { range; }; { range; }; };
		      // disallow internal from external
		      { { range; }; { none; }; { any; }; };
		      // allow everything else from anywhere
		      { { any; };  { any; }; { any; }; };
		    };

	Then they will want to use nameserver names rather than addresses.

	allow-cache "example.net" {
		      {
			{ range; };
			{ server ns1.example.net; server ns2.example.net; };
			{ range; };
		      };
		      { { range; }; { none; }; { any; }; };
		      { { any; };  { any; }; { any; }; };
		    };

	Now we have to cope with glue from the parents.

		....

	As I said it gets complicated very fast.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
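The allow-cache sketches in the post, worked through as a resolver-side policy check (an added example; this is not BIND code, and the allow-cache syntax is Mark's hypothetical proposal, not an option BIND accepts). The internal address ranges, the ns1 address 10.0.0.53 used for the example.net override, and the first-match semantics (the first rule whose answer column matches decides, and the record is cached only if the server and destination columns also match) are this example's assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the site's internal address space.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ANY = "any"    # matches every address
NONE = "none"  # matches no address

def matches(addr, column):
    """One column of a rule: 'any', 'none', or a list of networks."""
    if column == ANY:
        return True
    if column == NONE:
        return False
    return any(addr in net for net in column)

# Each rule is (answer addresses, acceptable nameserver sources,
# acceptable local destination addresses), as in the post's sketch.
# Assumed semantics (this example's, not BIND's): the first rule whose
# answer column matches decides; the record is cached only if the
# server and destination columns match as well.
POLICY = {
    "example.net": [  # hypothetical per-namespace override
        (INTERNAL, [ip_network("10.0.0.53/32")], INTERNAL),
        (INTERNAL, NONE, ANY),
        (ANY, ANY, ANY),
    ],
    "": [  # default for every other name
        (INTERNAL, INTERNAL, INTERNAL),  # internal from internal over internal
        (INTERNAL, NONE, ANY),           # internal from external: disallow
        (ANY, ANY, ANY),                 # everything else from anywhere
    ],
}

def rules_for(name, policy=POLICY):
    """Longest matching zone suffix wins; '' is the default."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in policy:
            return policy[zone]
    return policy[""]

def allow_cache(name, rdata, ns_src, local_dst, policy=POLICY):
    """May this A/AAAA record, sent by ns_src and received on local_dst,
    enter the cache?  local_dst is the packet's destination address."""
    rdata, ns_src, local_dst = map(ip_address, (rdata, ns_src, local_dst))
    for answers, servers, dests in rules_for(name, policy):
        if matches(rdata, answers):
            return matches(ns_src, servers) and matches(local_dst, dests)
    return False  # nothing matched: keep it out of the cache
```

The local_dst argument is the piece the post says the basic socket API does not give you; the policy is only as good as that value and the anti-spoofing rules in front of the resolver.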
