DNS rebinding: prevention?
Barry Margolin
barmar at alum.mit.edu
Sat Aug 4 00:57:11 UTC 2007
In article <f8vmku$16bv$1 at sf1.isc.org>,
Chris Buxton <cbuxton at menandmice.com> wrote:
> named would have to check the address of each A or AAAA record coming
> from the outside to see if it refers to an internal address. I don't
> believe any name server can do this currently. This seems to be more
> a job for an application-level firewall that can fully inspect the
> contents of DNS messages and filter based on their contents.
Indeed, the DNSD component of high-end Symantec firewalls (SGS
appliances and SEF software) does this by default.
>
> Chris Buxton
> Men & Mice
>
> On Aug 3, 2007, at 9:10 AM, Mordechai T. Abzug wrote:
>
> > Is there a way to get bind in caching mode to prevent DNS answers from
> > external DNS servers that include RR rdata with internal IPs and
> > internal hostnames? [Question originally asked on dc-sage by Peter
> > Watkins.]
> >
> > This would be to prevent DNS rebinding. Information about DNS
> > rebinding:
> >
> > http://www.hackszine.com/blog/archive/2007/08/
> > dns_rebinding_how_an_attacker.html
> > http://crypto.stanford.edu/dns/
> >
> > If this is not a feature of bind today, can this be added?
> >
> > Note that there would probably need to be an exception mechanism to
> > deal with known glue records, delegations to other servers, and other
> > known valid third-party RRs that point to internal names and IPs.
> >
> > ["match-destinations" has a promising name, but seems to be for DNS
> > server's own IPs, not for RR rdata.]
> >
> > - Morty
> >
> >
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
More information about the bind-users
mailing list