DNS rebinding: prevention?

Ralf Weber denic at eng.colt.net
Wed Aug 8 03:58:07 UTC 2007


Moin!

On 07.08.2007, at 15:25, Mordechai T. Abzug wrote:

> On Tue, Aug 07, 2007 at 02:24:50PM +0200, Ralf Weber wrote:
>
>> What if everybody would use proper reverse entries that also had the
>> corresponding forward entries and all that secured via DNSSEC? Then
>> if the browser would see a difference between forward and reverse
>> mapping it should not allow the connection.
>
> That requires a whole lot more work than just making some zone-level
> config changes.
I said that I don't see it happening any time soon; however, I doubt that
your solution is done with only some config changes, it at least requires
some code changes to name server software.

> And the transition isn't clean -- if forward and
> reverse DNS don't match, how does a browser know if this is because
> the admin hasn't yet gotten around to making them match, or because
> there really is a problem?
Well, how do you deal with fools ;-). If someone wants to use JavaScript,
Flash or other technologies, they should be able to configure the
foundations.

>   And how do you deal with name-based
> virtual hosting, where you might have dozens or even hundreds of
> hostnames parked at one IP?
Multiple PTR records. DNS can today answer with big UDP packets or fall
back to TCP.

>   And how do you deal with the *next*
> vulnerability that happened because the protocol designers didn't
> understand this DNS issue?
As said, it isn't a DNS issue. The issue is with the protocol
designers. The next vulnerability may also be in the code that was
needed to introduce that feature.

> From my perspective, any addresses that I have defined as in-addr.arpa
> zones are the address spaces I want to protect.  If worst comes to
> worst, I would even happily list out a collection of CIDR
> address/netmask pairs that comprise the address space I want to
> protect.
Well, so you are running a server that works as both an authoritative
server and an iterative resolver. While this may be common in an
enterprise environment, it is not in a service provider environment.
A service provider may have two customers where a web site is
transferred between them, while it also may be one customer
attacking another. How do you judge which is which?

So long
-Ralf
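The two countermeasures argued over in this thread, as an added example that is not part of the original message or of BIND: (1) a resolver-side filter that drops address records pointing into a configured list of protected CIDR blocks unless the queried name lies under a zone the operator trusts (the approach Mordechai describes; later versions of BIND offer a `deny-answer-addresses` option along these lines), and (2) a client-side forward-confirmed reverse DNS check of the kind Ralf suggests, which has to cope with the two objections raised here, several PTR records for one address (name-based virtual hosting) and a PTR that simply has not been published yet. The zone data, names and addresses below are constructed for the example (documentation and RFC 1918 ranges), the dictionaries stand in for real DNS lookups, and the `corp.internal.` trusted zone is an assumption.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed lookup tables standing in for a resolver; all names and
# addresses are hypothetical (RFC 5737 / RFC 1918 space), not from the thread.
FORWARD: Dict[str, List[str]] = {
    "www.example.net.": ["203.0.113.10"],
    "shop.example.net.": ["203.0.113.10"],                 # name-based vhost, same IP
    "attacker.example.com.": ["203.0.113.77", "10.0.0.5"],  # rebinding: one answer is internal
    "new.example.net.": ["203.0.113.20"],                  # no PTR published yet
    "intranet.corp.internal.": ["10.0.0.5"],
}
REVERSE: Dict[str, List[str]] = {
    "203.0.113.10": ["www.example.net.", "shop.example.net."],  # several PTRs for one IP
    "203.0.113.77": ["attacker.example.com."],
    "10.0.0.5": ["intranet.corp.internal."],
}

# Address space the operator wants to protect (the CIDR list Mordechai mentions).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7")]
# Zones under which answers in PROTECTED space are legitimate (assumed for the example).
TRUSTED_SUFFIXES = ("corp.internal.",)


def filter_answers(qname: str, addresses: List[str],
                   protected=PROTECTED,
                   trusted=TRUSTED_SUFFIXES) -> Tuple[List[str], List[str]]:
    """Resolver-side policy: drop address records that fall inside protected
    space unless the queried name belongs to a trusted zone.  Returns
    (kept, dropped) so the caller can log what was filtered."""
    kept, dropped = [], []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in protected) and not qname.endswith(trusted):
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


def reverse_consistent(qname: str, address: str,
                       forward=FORWARD, reverse=REVERSE) -> str:
    """Client-side policy: the name the client connected to must appear among
    the PTR names for the address, and that name must resolve back to the
    same address (forward-confirmed reverse DNS).  Returns 'match',
    'mismatch' or 'no-ptr'; 'no-ptr' is reported separately because a
    missing PTR is the ambiguous transition case, not proof of an attack."""
    ptr_names = reverse.get(address, [])
    if not ptr_names:
        return "no-ptr"
    # Any one of several PTRs may match (name-based virtual hosting).
    if qname in ptr_names and address in forward.get(qname, []):
        return "match"
    return "mismatch"


def should_connect(qname: str, address: str,
                   strict: bool = False) -> Tuple[bool, str]:
    """Combine both checks as a browser or stub resolver might.  With
    strict=False a missing PTR is tolerated; with strict=True it is refused."""
    kept, _ = filter_answers(qname, [address])
    if not kept:
        return False, "address in protected space"
    status = reverse_consistent(qname, address)
    if status == "match":
        return True, "forward/reverse agree"
    if status == "no-ptr":
        return (not strict), "no PTR record"
    return False, "forward/reverse disagree"


if __name__ == "__main__":
    for name, ip in (("attacker.example.com.", "10.0.0.5"),
                     ("shop.example.net.", "203.0.113.10"),
                     ("new.example.net.", "203.0.113.20")):
        print(name, ip, should_connect(name, ip), should_connect(name, ip, strict=True))
```

The `strict` flag is where the transition problem from the thread lands: a site whose PTR is missing is indistinguishable from one whose admin has not set it up, so the policy has to choose between refusing such connections and tolerating them, and only the CIDR filter catches the rebinding case regardless of that choice.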