DNS rebinding: prevention?

Pete Ehlke pde at rfc822.net
Wed Aug 8 16:56:12 UTC 2007


On Wed Aug 08, 2007 at 12:44:40 -0400, Mordechai T. Abzug wrote:
>
>Applications of DNS such as TCP wrappers/libwrap, Apache's "Allow
>from" syntax, .rhosts, and even ssh's hostbased authentication are all
>real-world examples where DNS is used, at least in part, for identity.
>I don't know how DNS was intended to be used, but the real world has
>chosen to use it for identity for quite some time.
>
And every decent security roadmap ever written tells you to use IP
addresses for libwrap/ssh/allow-from/etc for precisely this reason:
using DNS as an identity service is inherently insecure.
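
An added example, not part of the original post: a small audit that flags libwrap (hosts.allow) and Apache "Allow from" entries that are matched by name rather than by address, which is the practice the reply above argues against. It assumes simplified syntax for both formats, and the sample rules are constructed for illustration.

```python
import ipaddress
import re

# Partial dotted prefixes: "10." (libwrap) or "198.51.100" (Apache).
PARTIAL_V4 = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?$")
APACHE_ACL = re.compile(r"(allow|deny)\s+from\s+(.*)", re.I)

def is_address_based(token):
    """True if the token is compared with the peer address, not a name."""
    if PARTIAL_V4.match(token):
        return True
    try:  # a.b.c.d, a.b.c.d/len, a.b.c.d/mask and [v6]/len forms
        ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
        return True
    except ValueError:
        return False

def clients(line):
    """Client tokens of a hosts.allow or Apache 'Allow from' line."""
    line = line.split("#", 1)[0].strip()
    m = APACHE_ACL.match(line)
    if m:
        field = m.group(2)
    else:
        _daemons, sep, rest = line.partition(":")
        if not sep:
            return []
        # The client list ends at the next ':' outside [v6] brackets.
        field = re.match(r"(?:\[[^\]]*\]|[^:])*", rest).group(0)
    return [t for t in re.split(r"[\s,]+", field) if t]

def audit(text):
    """Return (line_number, token) for every ACL entry that relies on DNS."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for tok in clients(line):
            if tok.lower() in ("all", "except") or tok.lower().startswith("env="):
                continue  # wildcard, set operator, or environment test
            if not is_address_based(tok):
                findings.append((n, tok))
    return findings

# Constructed sample rules (documentation address ranges and domains).
SAMPLE = """\
sshd : .example.com, 192.0.2.0/255.255.255.0
in.ftpd : LOCAL, 10.
ALL : [2001:db8::]/32 : deny
Allow from partner.example.net 198.51.100
Allow from 10.1 env=trusted
"""

if __name__ == "__main__":
    for n, tok in audit(SAMPLE):
        print(f"line {n}: {tok!r} depends on DNS; use an address or network")
```
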



More information about the bind-users mailing list