DNS rebinding partial workaround

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Sep 14 12:16:08 UTC 2007


On Thu, Sep 13, 2007 at 06:41:53PM -0400,
 Mordechai T. Abzug <morty+bind at frakir.org> wrote 
 a message of 13 lines which said:

> It's not much, in that it's specific to private address space, 

Indeed. The "dangerous" addresses are not in a configuration file, not
even in a ".h" header! 

  // Node-local
  if (ptr[0] == 127)
    return 0;

  // Link-local
  if (ptr[0] == 169 && ptr[1] == 254)
    return 0;

  // Site-local
  if (ptr[0] == 10 ||
     (ptr[0] == 172 && (ptr[1] >> 4) == (16 >> 4)) ||
     (ptr[0] == 192 && ptr[1] == 168))
    return 0;
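
A table-driven form of the check quoted above, as an added example that is not part of the original message or of the code it quotes: the same five ranges are held as data that a resolver could load from configuration instead of hardcoding. The names `cidr4`, `cidr4_match`, `a_record_allowed` and `check_default` are hypothetical, and a return value of 0 is assumed to mean the A record is rejected.

```c
#include <stddef.h>
#include <stdint.h>

/* One IPv4 range: network address in wire order plus prefix length. */
struct cidr4 { uint8_t net[4]; unsigned prefix; };

/* Same ranges as the quoted fragment, expressed as data instead of inline ifs. */
static const struct cidr4 blocked_default[] = {
    {{127, 0, 0, 0}, 8},      /* node-local */
    {{169, 254, 0, 0}, 16},   /* link-local */
    {{10, 0, 0, 0}, 8},       /* site-local */
    {{172, 16, 0, 0}, 12},    /* site-local: (ptr[1] >> 4) == 1, i.e. 172.16-172.31 */
    {{192, 168, 0, 0}, 16},   /* site-local */
};
#define BLOCKED_DEFAULT_LEN (sizeof blocked_default / sizeof blocked_default[0])

/* Four wire-order bytes to a host-order 32-bit value. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 if addr lies inside the range. A prefix of 0 matches every
 * address; a prefix above 32 is invalid and never matches. */
int cidr4_match(const struct cidr4 *c, const uint8_t addr[4]) {
    if (c->prefix > 32)
        return 0;
    uint32_t mask = c->prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - c->prefix);
    return (be32(addr) & mask) == (be32(c->net) & mask);
}

/* Assumed convention, following the fragment: 0 = reject, 1 = pass. */
int a_record_allowed(const uint8_t ptr[4], const struct cidr4 *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (cidr4_match(&list[i], ptr))
            return 0;
    return 1;
}

/* Convenience wrapper over the built-in list, taking dotted-quad octets. */
int check_default(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    const uint8_t ptr[4] = {a, b, c, d};
    return a_record_allowed(ptr, blocked_default, BLOCKED_DEFAULT_LEN);
}
```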


