DNS rebinding partial workaround

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 13 23:07:30 UTC 2007


Mordechai T. Abzug wrote:
> One of my coworkers pointed out that the DNS rebinding folks have a
> partial workaround:
>
> http://code.google.com/p/google-dnswall/
>
> It's not much, in that it's specific to private address space, and
> doesn't even touch the name portion of RRs, but it's a start.
>
From the "Issues" tab of that code repository:

    Reported by james.raftery <http://code.google.com/u/james.raftery/>,
    Aug 16, 2007

    dnswall 0.1.3 issues query IDs which are consecutive. As a defence against
    reply spoofing, query IDs should not be predictable. For
    background information, search Google for "dns predictable query id".

    This is compounded by dnswall sending its queries from the same
    source port. By observing one query from dnswall on the network I can
    predict with 100% certainty the source port and query ID of the next
    query and thereby send a spoofed reply to it.

    In light of this I consider dnswall to only be safe to use when its
    path to the "real" upstream DNS server is certain to be private (e.g.
    over a loopback interface on the same machine).

    The suggestion in the README file to forward to a remote DNS server,
    such as an ISP's resolver, is wholly inappropriate and should be
    removed in favour of a strong recommendation for a loopback-only
    scenario.


- Kevin
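The two weaknesses the quoted issue describes, sequential query IDs and a single fixed source port, are both visible on the wire, so a defender can audit a forwarder for them before trusting it across an untrusted path. The script below is an added example written for this archive page; it is not code from the thread, from dnswall, or from BIND. It parses a few constructed tcpdump-style DNS query lines (the 10.0.0.5 and 192.0.2.1 addresses, port 53000 and the query names are invented), scores them for a fixed source port and consecutive IDs, and contrasts them with queries that draw a fresh ephemeral port and ID from the OS CSPRNG, which is what a resolver should do. The `parse_capture`, `audit` and `randomized_queries` names and the "guess space bits" scoring are my own assumptions, not anything dnswall exposes.

```python
"""Audit outgoing DNS queries for predictable transaction IDs and a fixed
source port, the two properties the quoted dnswall issue reports."""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    src_port: int   # UDP source port the query was sent from
    txid: int       # 16-bit DNS transaction (query) ID


# Constructed sample modelled on tcpdump's one-line DNS summary format
# ("<ip>.<port> > <ip>.53: <txid>+ <qtype>? <qname>."); this is NOT a
# real capture of dnswall, it just reproduces the behaviour the issue describes.
SAMPLE_CAPTURE = """\
IP 10.0.0.5.53000 > 192.0.2.1.53: 1000+ A? example.test. (31)
IP 10.0.0.5.53000 > 192.0.2.1.53: 1001+ A? www.example.test. (35)
IP 10.0.0.5.53000 > 192.0.2.1.53: 1002+ AAAA? example.test. (31)
IP 10.0.0.5.53000 > 192.0.2.1.53: 1003+ MX? example.test. (31)
"""

# Source port of the client side, then the transaction ID after the colon.
LINE_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")


def parse_capture(text):
    """Extract (source port, transaction ID) from every query line that matches."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            queries.append(Query(int(m.group(1)), int(m.group(2))))
    return queries


def randomized_queries(n):
    """What a hardened resolver looks like: a CSPRNG-chosen ephemeral port
    (1024..65535) and a fresh 16-bit ID for every query."""
    return [Query(1024 + secrets.randbelow(65536 - 1024), secrets.randbelow(65536))
            for _ in range(n)]


def audit(queries):
    """Score a sequence of outgoing queries and return a findings dict."""
    ports = {q.src_port for q in queries}
    ids = [q.txid for q in queries]
    # Step between successive IDs, modulo 2^16 so wraparound still counts as +1.
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    sequential = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
    fixed_port = len(ports) == 1
    # Rough size of what a blind spoofer must guess: about 16 bits from a random
    # ID and about 16 from a random ephemeral port, and 0 for either one that is
    # predictable. This scoring is an assumption for illustration, not a standard.
    id_bits = 0 if sequential > 0.5 else 16
    port_bits = 0 if fixed_port else 16
    return {
        "queries": len(queries),
        "fixed_source_port": fixed_port,
        "sequential_id_fraction": round(sequential, 3),
        "guess_space_bits": id_bits + port_bits,
        "safe_over_untrusted_path": id_bits + port_bits >= 32,
    }


if __name__ == "__main__":
    print("observed forwarder: ", audit(parse_capture(SAMPLE_CAPTURE)))
    print("randomized resolver:", audit(randomized_queries(20)))
```

Run it against a real capture by feeding `parse_capture` the output of `tcpdump -n udp dst port 53`; a forwarder that scores zero guess-space bits is only defensible over a loopback or otherwise private path to its upstream, which is exactly the recommendation in the quoted issue.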