DNS rebinding: prevention?

Mordechai T. Abzug morty+bind at frakir.org
Wed Aug 8 16:44:40 UTC 2007


On Wed, Aug 08, 2007 at 03:59:17PM +0200, Stephane Bortzmeyer wrote:
> On Wed, Aug 08, 2007 at 06:42:34AM -0400,
>  Mordechai T. Abzug <morty+bind at frakir.org> wrote 
>  a message of 74 lines which said:
> 
> > I submit that we have an inherently flawed model if I, as a
> > sysadmin, cannot control my own DNS servers to prevent them from
> > passing external entities' RRs that point at my own names and IPs.
> 
> This is the model used by the DNS from the beginning. The DNS does not
> care about *identity*, it is just a *mapping* between domain names and
> values (often IP addresses), without any regard for the semantics of
> these values.

Applications of DNS such as TCP wrappers/libwrap, Apache's "Allow
from" syntax, .rhosts, and even ssh's hostbased authentication are all
real-world examples where DNS is used, at least in part, for identity.
I don't know how DNS was intended to be used, but the real world has
chosen to use it for identity for quite some time.

> > This is actually the second known time that DNS rebinding has been
> > a problem.

> And there have been millions of times where it has been useful that
> you can direct your domain names to any value you choose.

And it will still be possible to direct your domain name to any value
you choose.  Only now, a recipient of that value may choose not to
honor it.  Which should be the recipient's choice.

> > [Note: we can really only fix this for externals pointing to
> > internal names/IPs, not for externals pointing to third-party
> > names/IPs.

> No, you cannot even fix it. On your resolvers, you can (providing you
> block outgoing access to port 53, to prevent your users from having
> their own resolvers). On the whole Internet, think that we still do not
> have proper Internet Routing Registries and you want the DNS to know
> that www.frakir.org is not allowed to point to 192.134.4.69?

Yes, as was said previously, this would only allow my own DNS servers
to not honor DNS records from outsiders pointing at my network.  It
would not help me with the problem of outsiders pointing at
third-party networks, and by extension, it would not help me to
prevent third parties from honoring DNS records from outsiders
pointing at my network.

The paper at http://crypto.stanford.edu/dns/dns-rebinding.pdf, section
5.2, actually does describe a scheme that would fix all three problem
scenarios, would allow for a clean transition and incremental
deployment, and would not require any code or configuration changes to
DNS servers.  The basic concept is that each site publishes, in
reverse DNS, records of the form auth.$ip_rev.in-addr.arpa and
$hostname.$ip_rev.in-addr.arpa.  So when a browser (or other
application) wants to verify that a hostname is allowed for a given
IP, it looks for auth.$ip_rev.in-addr.arpa, which tells it that the
scheme is enabled, and then for $hostname.$ip_rev.in-addr.arpa, to see
if $hostname is authorized.  This allows for a clean transition, since
IPs that haven't yet transitioned won't have the
auth.$ip_rev.in-addr.arpa, and therefore browsers and applications
know that they're not protected yet by this scheme.  Anyone thinking
of deploying this scheme?  More relevantly, are browsers likely to
honor it anytime soon?  I don't see it being deployed quickly, which
is why I'd like to at least have the ability to protect the internal
network.

- Morty
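The host-name authorization check described in Morty's message (auth.$ip_rev.in-addr.arpa first, then $hostname.$ip_rev.in-addr.arpa), written out as an added example; this is not code from the Stanford paper, from BIND, or from anyone on the thread. The reverse zone is a constructed in-memory set standing in for real DNS queries, and the addresses, host names, and the three outcome labels are assumptions made for the illustration. The point it shows beyond the prose is the transition behaviour: an IP with no auth record yields "unprotected" (legacy behaviour, nothing is blocked), while an opted-in IP rejects any host name not published under it.

```python
"""Host-name authorization via reverse DNS, as described in the message above.

An application that has resolved hostname -> ip asks the reverse zone:
  1. does auth.<ip_rev>.in-addr.arpa exist?      (scheme enabled for this IP?)
  2. does <hostname>.<ip_rev>.in-addr.arpa exist? (is this hostname authorised?)
The lookup function is injectable so the logic can run offline against a
constructed zone; a real deployment would issue DNS queries instead.
"""
import ipaddress
from typing import Callable

# Constructed reverse-zone data for the example (not real DNS records).
# 192.0.2.10 has opted in and authorises only www.example.com.
# 192.0.2.20 has not deployed the scheme at all (no auth record).
CONSTRUCTED_REVERSE_ZONE = {
    "auth.10.2.0.192.in-addr.arpa",
    "www.example.com.10.2.0.192.in-addr.arpa",
}

UNPROTECTED = "unprotected"  # no auth record: IP owner has not opted in yet
AUTHORIZED = "authorized"    # auth record present and hostname published
REJECTED = "rejected"        # auth record present but hostname not published


def reverse_name(ip: str) -> str:
    """in-addr.arpa name for an IPv4 address: 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def exists_in_constructed_zone(name: str) -> bool:
    """Stand-in for 'does any RR exist at this name?' against the constructed zone."""
    return name.lower().rstrip(".") in CONSTRUCTED_REVERSE_ZONE


def check_host_authorization(
    hostname: str,
    ip: str,
    lookup: Callable[[str], bool] = exists_in_constructed_zone,
) -> str:
    """Classify a (hostname, ip) pair under the reverse-DNS authorization scheme."""
    rev = reverse_name(ip)
    # Step 1: is the scheme enabled for this IP at all?
    if not lookup(f"auth.{rev}"):
        return UNPROTECTED
    # Step 2: has the IP owner published this hostname as authorised?
    host = hostname.lower().rstrip(".")
    if lookup(f"{host}.{rev}"):
        return AUTHORIZED
    return REJECTED


def should_connect(hostname: str, ip: str,
                   lookup: Callable[[str], bool] = exists_in_constructed_zone) -> bool:
    """Policy an application might apply: block only explicit rejections, so
    IPs that have not transitioned keep today's behaviour (incremental deployment)."""
    return check_host_authorization(hostname, ip, lookup) != REJECTED


if __name__ == "__main__":
    # Constructed scenarios: a legitimate name, and an outside name rebound
    # to an internal IP that has (or has not) opted in to the scheme.
    for host, ip in [("www.example.com", "192.0.2.10"),
                     ("attacker.example", "192.0.2.10"),
                     ("attacker.example", "192.0.2.20")]:
        verdict = check_host_authorization(host, ip)
        print(f"{host:18} -> {ip:12} {verdict:12} connect={should_connect(host, ip)}")
```

The check has to be done by the party that holds both the name it asked for and the address it got back (the browser or application, not the recursive resolver), which is why the message notes that nothing changes on the DNS servers themselves. It also only protects addresses whose reverse zone has published the auth record; every other address falls through to "unprotected", which is the clean-transition property the message describes.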



More information about the bind-users mailing list