DNS rebinding partial workaround
Stephane Bortzmeyer
bortzmeyer at nic.fr
Fri Sep 14 12:16:08 UTC 2007
On Thu, Sep 13, 2007 at 06:41:53PM -0400,
Mordechai T. Abzug <morty+bind at frakir.org> wrote
a message of 13 lines which said:
> It's not much, in that it's specific to private address space,
Indeed. The "dangerous" addresses are not in a configuration file, not
even in a ".h" header!
    // Node-local
    if (ptr[0] == 127)
        return 0;
    // Link-local
    if (ptr[0] == 169 && ptr[1] == 254)
        return 0;
    // Site-local
    if (ptr[0] == 10 ||
        (ptr[0] == 172 && (ptr[1] >> 4) == (16 >> 4)) ||
        (ptr[0] == 192 && ptr[1] == 168))
        return 0;
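
For comparison, the same IPv4 ranges checked from a prefix list that could be read from a configuration file. This is an added example, not code from the patch or from either poster; `struct cidr4`, `cidr4_parse`, `addr_allowed`, `check_default` and `default_deny` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

struct cidr4 { uint32_t net, mask; };  /* host byte order; hypothetical type */

/* The ranges the quoted code hard-codes, written as configuration data. */
static const char *const default_deny[] = {
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
};
#define N_DENY (sizeof default_deny / sizeof default_deny[0])

/* Parse "a.b.c.d/len"; returns 0 on success, -1 on malformed input. */
int cidr4_parse(const char *s, struct cidr4 *out)
{
    unsigned a, b, c, d, len;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u/%u%c", &a, &b, &c, &d, &len, &extra) != 5 ||
        a > 255 || b > 255 || c > 255 || d > 255 || len > 32)
        return -1;
    /* Shifting a 32-bit value by 32 is undefined, so /0 is a special case. */
    out->mask = len ? (uint32_t)(0xFFFFFFFFu << (32 - len)) : 0;
    out->net = (((uint32_t)a << 24) | (b << 16) | (c << 8) | d) & out->mask;
    return 0;
}

/* Same convention as the quoted check: 0 = filtered range, 1 = acceptable.
 * ptr points at the four address bytes of an A record. */
int addr_allowed(const unsigned char *ptr, const struct cidr4 *deny, size_t n)
{
    uint32_t ip = ((uint32_t)ptr[0] << 24) | ((uint32_t)ptr[1] << 16) |
                  ((uint32_t)ptr[2] << 8) | ptr[3];
    for (size_t i = 0; i < n; i++)
        if ((ip & deny[i].mask) == deny[i].net)
            return 0;
    return 1;
}

/* Check a.b.c.d against default_deny; -1 if the list itself fails to parse. */
int check_default(unsigned char a, unsigned char b, unsigned char c, unsigned char d)
{
    struct cidr4 deny[N_DENY];
    unsigned char ptr[4] = { a, b, c, d };
    for (size_t i = 0; i < N_DENY; i++)
        if (cidr4_parse(default_deny[i], &deny[i]) != 0)
            return -1;
    return addr_allowed(ptr, deny, N_DENY);
}
```

With the list held as data, adding a site-specific prefix is a configuration change rather than a rebuild.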