DNS rebinding: prevention?

Mordechai T. Abzug morty+bind at frakir.org
Wed Aug 8 10:55:25 UTC 2007


On Tue, Aug 07, 2007 at 10:55:05PM -0700, Dawn Connelly wrote:

> Just out of curiosity... did you happen to go to a lecture or two at
> DefCon this year? There were two lectures about this exact topic
> over the weekend.  The moral of both lectures is that this is a bad
> behavior within browsers.

There is no argument that it is (also) a bad behavior within browsers.
And it needs to be addressed within browsers even if it is addressed
within DNS, because the DNS component only helps with attacks aimed at
the internal network, not at attacks aimed at external networks.

What *is* being argued: the internal attacks are fundamentally enabled
by a DNS behavior that could/should be controlled within DNS caching
servers.  If we fix this, then even if DNS rebinding comes back a
third time in some future form, internal networks will still be safe.
We can fix a whole class of attack against internal networks, right
here and right now.  Let's do it!

- Morty



More information about the bind-users mailing list