DNS rebinding: prevention?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Aug 8 08:51:20 UTC 2007

On Tue, Aug 07, 2007 at 10:55:05PM -0700,
 Dawn Connelly <dawn.connelly at gmail.com> wrote 
 a message of 72 lines which said:

> The moral of both lectures is that this is a bad behavior within
> browsers.

Is there somewhere a text describing "good practices" for Web
browsers? Because the half-baked advices I've read in papers like
"Protecting Browsers from DNS Rebinding Attacks"
(http://crypto.stanford.edu/dns/dns-rebinding.pdf) do not seem
perfectly reviewed (the mention of "class C" awakens the pedant in my

Everyone seems to say that it's browser's fault, but is there some set
of written rules that the browser's authors should have followed? For
instance, do we endorse pinning, which is a violation of the DNS
standard and its rules about the TTL?

More information about the bind-users mailing list