DNS rebinding: prevention?

Dawn Connelly dawn.connelly at gmail.com
Wed Aug 8 05:55:05 UTC 2007


Just out of curiosity... did you happen to go to a lecture or two at DefCon
this year? There were two lectures about this exact topic over the weekend.
The moral of both lectures is that this is a bad behavior within browsers.
Our dear DNS friend Dan Kaminsky gave a lecture titled "Black Ops 2007:
Design Reviewing The Web". David Byrne gave a lecture "Intranet Invasion
With Anti-DNS Pinning." While Kaminsky and Byrne gave slightly different
versions, it's basically the same attack. And it seemed to me that both came
to the same conclusion that it needs to be addressed in the browser. You
might be interested in googling up these presentations if you didn't catch
them in Vegas.
</end unsolicited 2 cents>

On 8/7/07, Ralf Weber <denic at eng.colt.net> wrote:
>
> Moin!
>
> On 07.08.2007, at 15:25, Mordechai T. Abzug wrote:
>
> > On Tue, Aug 07, 2007 at 02:24:50PM +0200, Ralf Weber wrote:
> >
> >> What if everybody would use proper reverse entries that also had the
> >> corresponding forward entries and all that secured via DNSSEC? Then
> >> if the browser would see a difference between forward and reverse
> >> mapping it should not allow the connection.
> >
> > That requires a whole lot more work than just making some zone-level
> > config changes.
> I said that I don't see it happen any time soon, however I doubt that
> your solution is done by only some config changes, it at least requires
> some code changes to a name server software.
>
> > And the transition isn't clean -- if forward and
> > reverse DNS don't match, how does a browser know if this is because
> > the admin hasn't yet gotten around of making them match, or because
> > there really is a problem?
> Well, how do you deal with fools ;-). If someone wants to use JavaScript,
> Flash or other technologies they should be able to configure the
> foundations.
>
> >   And how do you deal with name-based
> > virtual hosting, where you might have dozens or even hundreds of
> > hostnames parked at one IP?
> Multiple PTR records. DNS can today answer with big UDP packets or fall
> back to TCP.
>
> >   And how do you deal with the *next*
> > vulnerability that happened because the protocol designers didn't
> > understand this DNS issue?
> As said, it isn't a DNS issue. The issue is with the protocol
> designers. The next vulnerability may also be in the code that was
> needed to introduce that feature.
>
> > From my perspective, any addresses that I have defined as in-addr.arpa
> > zones are the address spaces I want to protect.  If worst comes to
> > worst, I would even happily list out a collection of CIDR
> > address/netmask pairs that comprise the address space I want to
> > protect.
> Well, so you are running a server that works as both an authoritative
> server and an iterative resolver; while this may be common in an
> enterprise environment, it is not in a service provider environment.
> A service provider may have two customers where a web site is
> transferred between them while it also may be the one customer
> attacking another. How do you judge which is which?
>
> So long
> -Ralf
>
>
>
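The forward/reverse consistency check Ralf proposes above (refuse the connection when the forward mapping of the name and the reverse mapping of the address disagree) is the usual forward-confirmed reverse DNS test, and the objections raised in the thread map onto its edge cases: several PTRs for one address (name-based virtual hosting) and an address with no PTR at all (the admin who "hasn't yet gotten around to it"). Below is an added example of that check, not code from this thread or from BIND. The forward and reverse tables are constructed stand-ins for a resolver (the names and addresses are assumptions, not real zones), and the lookups are injectable so a real resolver could be dropped in.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check against DNS rebinding.

Added example.  FORWARD and REVERSE below are constructed data that stand in
for a resolver; the lookup functions are parameters so a real one can be used.
"""
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str], List[str]]


def canonical(name: str) -> str:
    """Lower-case and make absolute so 'WWW.Example.com' == 'www.example.com.'."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


# Constructed forward (A) data.  The evil.* names are the rebinding case: after
# the short TTL expired they now point at RFC 1918 addresses inside the victim's net.
FORWARD: Dict[str, List[str]] = {
    "www.example.com.": ["192.0.2.10"],
    "vhost-a.example.com.": ["192.0.2.20"],   # two name-based virtual hosts
    "vhost-b.example.com.": ["192.0.2.20"],   # sharing one address
    "evil.example.net.": ["10.1.2.4"],
    "evil2.example.net.": ["10.1.2.3"],
}

# Constructed reverse (PTR) data.
REVERSE: Dict[str, List[str]] = {
    "192.0.2.10": ["www.example.com."],
    "192.0.2.20": ["vhost-a.example.com.", "vhost-b.example.com."],  # multiple PTRs
    "10.1.2.4": ["intranet.corp.example."],
    # 10.1.2.3 deliberately has no PTR: the admin never set one up.
}


def lookup_a(name: str) -> List[str]:
    return FORWARD.get(canonical(name), [])


def lookup_ptr(address: str) -> List[str]:
    return REVERSE.get(address, [])


def fcrdns_check(hostname: str, address: str, strict: bool = True,
                 a: Lookup = lookup_a, ptr: Lookup = lookup_ptr) -> Tuple[bool, str]:
    """Decide whether a connection to `address` on behalf of `hostname` is allowed.

    Returns (allowed, reason).  `strict` is the transition question from the
    thread: with strict=True an address that has no PTR at all is refused,
    with strict=False it is allowed until the admin adds one.
    """
    name = canonical(hostname)
    # 1. The name must resolve to the address we are about to connect to.
    if address not in a(name):
        return False, "forward mismatch: %s does not resolve to %s" % (name, address)
    # 2. The address must claim the name back via PTR.  Several PTRs are fine;
    #    that is how name-based virtual hosting is handled.
    ptrs = {canonical(p) for p in ptr(address)}
    if not ptrs:
        return (not strict), "no PTR for %s" % address
    if name not in ptrs:
        return False, "reverse mismatch: PTR for %s lists %s, not %s" % (
            address, sorted(ptrs), name)
    return True, "forward and reverse agree"


def demo() -> Dict[str, bool]:
    """Run the check over the constructed cases; returns hostname -> allowed."""
    cases = [
        ("www.example.com", "192.0.2.10"),      # plain site, single PTR
        ("VHOST-B.example.com", "192.0.2.20"),  # one of several PTRs, odd case
        ("evil.example.net", "10.1.2.4"),       # rebound onto an intranet host
        ("evil2.example.net", "10.1.2.3"),      # rebound onto a host with no PTR
    ]
    results: Dict[str, bool] = {}
    for host, addr in cases:
        allowed, reason = fcrdns_check(host, addr)
        results[host] = allowed
        print("%-22s %-12s %-5s %s" % (host, addr, allowed, reason))
    return results


if __name__ == "__main__":
    demo()
```

The rebinding case is refused not because anything about 10.1.2.4 looks suspicious but because its PTR names a different host; the no-PTR case shows why the check alone cannot distinguish an attack from an unfinished reverse zone, which is the policy decision `strict` leaves to the deployer.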