DNS rebinding: prevention?
Niall O'Reilly
Niall.oReilly at ucd.ie
Wed Aug 8 09:43:48 UTC 2007
On 8 Aug 2007, at 02:26, Chris Buxton wrote:
> In order to protect private data which should be freely available
> within an intranet but completely hidden from the outside, without
> crippling the browser's ability to adapt to DNS changes, one of the
> following must be done, as I see it:
>
> - The browser (on every client machine) must know what domains should
> map to internal addresses, and should know what the private IP space
> looks like.
>
> - The resolving name server must be prevented from returning private,
> internal addresses in A records whose names are not trusted.

I may be missing something, but I expect blocking ports 80
and 443 at the boundary of the intranet and providing a managed
proxy (as opposed to quasi-unmanaged browser-platform machines)
may be useful as a third option.

Of course, this respects layering, and so may be out of scope
for this thread! 8-)

Best regards,
Niall O'Reilly
University College Dublin IT Services
PGP key ID: AE995ED9 (see www.pgp.net)
Fingerprint: 23DC C6DE 8874 2432 2BE0 3905 7987 E48D AE99 5ED9
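
The second option in the quoted message (a resolver that does not return private addresses in A records for names that are not trusted) can be sketched as the filter below. This is an added example, not part of the original thread and not BIND code; the trusted zone `corp.example`, the list of private ranges, the sample answers and all function names are assumptions.

```python
import ipaddress

# Assumed definition of "private IP space": RFC 1918, loopback, link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def is_trusted(qname, trusted_zones):
    """True if qname equals or lies under a trusted zone.

    Comparison is per label, so "evilcorp.example" does not match the
    zone "corp.example" the way a plain string-suffix test would.
    """
    labels = qname.rstrip(".").lower().split(".")
    for zone in trusted_zones:
        z = zone.rstrip(".").lower().split(".")
        if len(labels) >= len(z) and labels[-len(z):] == z:
            return True
    return False

def is_internal(addr):
    """True if the A record address falls inside the private space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def filter_answer(qname, addresses, trusted_zones):
    """Return (kept, dropped) A record addresses for one response."""
    if is_trusted(qname, trusted_zones):
        return list(addresses), []
    kept = [a for a in addresses if not is_internal(a)]
    dropped = [a for a in addresses if is_internal(a)]
    return kept, dropped

# Constructed sample data (hypothetical names and addresses).
TRUSTED = ["corp.example"]
SAMPLES = [
    ("wiki.corp.example.", ["10.1.2.3"]),
    ("www.untrusted.example.", ["203.0.113.7", "192.168.0.10"]),
    ("evilcorp.example.", ["10.0.0.5"]),
]

if __name__ == "__main__":
    for name, addrs in SAMPLES:
        kept, dropped = filter_answer(name, addrs, TRUSTED)
        print(f"{name:26} kept={kept} dropped={dropped}")
```

Logging the dropped addresses together with the query name gives operators a record of external names that tried to resolve into the intranet.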