TSIG, ip spoofing and IP lists
Mark_Andrews at isc.org
Tue Apr 16 06:16:43 UTC 2002
> Looking at this simple example from named.conf I expected that only
> clients from the 192.168.75.0/24 network AND only those among them who sign
> their request with a valid TSIG key can query zone00000000001.com. But it
> appeared not to be true, since the directive "allow-query { corpnets;
> 192.168.75.0/24; };" will allow clients from 192.168.75.0/24 to query the
> protected zone without TSIG, and those who are not in the 192.168.75.0/24 network
> will have to sign the transaction with the TSIG key for authentication; in other words,
> IP and key will be combined as "OR"?
> If this is true, then the directive "allow-query { corpnets;
> 192.168.75.0/24; };" makes this particular DNS configuration vulnerable to IP
> spoofing?
Firstly, TSIG + IP address buys you very little over straight TSIG.
Secondly, AND operations are supported by rejecting the addresses
you don't want to accept.
acl reject { !192.168.75.0/24; any; };
allow-query { !reject; corpnet; };
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
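The two policies discussed in this thread, evaluated by a small model of BIND 9's ACL rules (first matching element decides; a matching negated element denies; a nested ACL that yields a negative match counts as "no match" for the element referencing it; with no match at all, allow-query denies). This is an added example written for this page, not BIND's code and not part of either message above. It assumes that `corpnets` (written `corpnet` in the reply) is an ACL containing a single TSIG key named `corp-key`, which the thread never shows, and the client addresses below are made up.

```python
"""Model of BIND 9 allow-query / acl evaluation for the two policies in the thread.

Assumptions (not from the thread): the "corpnets" ACL is a single TSIG key
named "corp-key"; a Request with signer == "corp-key" stands for a request
that carried a valid TSIG signature with that key.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Elem:
    kind: str            # "net", "key", "acl", "any" or "none"
    value: str = ""      # CIDR, key name or nested ACL name
    negate: bool = False  # the "!" prefix in named.conf


@dataclass
class Request:
    addr: str                      # source address as seen by the server
    signer: Optional[str] = None   # name of the TSIG key that validly signed it


def _element_matches(elem: Elem, req: Request, acls: Dict[str, List[Elem]]) -> bool:
    """Positive match test for one element; elem.negate is handled by the caller."""
    if elem.kind == "any":
        return True
    if elem.kind == "none":
        return False
    if elem.kind == "net":
        return ipaddress.ip_address(req.addr) in ipaddress.ip_network(elem.value)
    if elem.kind == "key":
        return req.signer == elem.value
    if elem.kind == "acl":
        # A negative match inside a nested ACL is treated as "no match" here,
        # so only a positive inner match makes the referencing element match.
        return evaluate(acls[elem.value], req, acls) > 0
    raise ValueError(f"unknown element kind {elem.kind!r}")


def evaluate(elements: List[Elem], req: Request, acls: Dict[str, List[Elem]]) -> int:
    """Return +1 (allow), -1 (deny) or 0 (no element matched).

    Evaluation stops at the first element that matches; if that element is
    negated the result is a denial rather than a grant.
    """
    for elem in elements:
        if _element_matches(elem, req, acls):
            return -1 if elem.negate else 1
    return 0


def allowed(policy: List[Elem], req: Request, acls: Dict[str, List[Elem]]) -> bool:
    """allow-query semantics: only a positive match grants the query."""
    return evaluate(policy, req, acls) > 0


# acl corpnets { key corp-key; };            -- assumed, not shown in the thread
# acl reject   { !192.168.75.0/24; any; };   -- from the reply
ACLS: Dict[str, List[Elem]] = {
    "corpnets": [Elem("key", "corp-key")],
    "reject": [Elem("net", "192.168.75.0/24", negate=True), Elem("any")],
}

# allow-query { corpnets; 192.168.75.0/24; };   -- the questioner's config: OR
OR_POLICY = [Elem("acl", "corpnets"), Elem("net", "192.168.75.0/24")]

# allow-query { !reject; corpnets; };           -- the reply's config: AND
AND_POLICY = [Elem("acl", "reject", negate=True), Elem("acl", "corpnets")]


def compare(req: Request) -> Tuple[bool, bool]:
    """(allowed under the OR policy, allowed under the AND policy) for one request."""
    return allowed(OR_POLICY, req, ACLS), allowed(AND_POLICY, req, ACLS)


if __name__ == "__main__":
    # Constructed sample clients: inside/outside the subnet, signed/unsigned.
    samples = [
        Request("192.168.75.10"),              # in subnet, no TSIG (or a spoofed source)
        Request("192.168.75.10", "corp-key"),  # in subnet, signed
        Request("10.0.0.5", "corp-key"),       # outside subnet, signed
        Request("10.0.0.5"),                   # outside subnet, unsigned
    ]
    print(f"{'client':<18}{'signer':<10}{'OR policy':<11}AND policy")
    for r in samples:
        o, a = compare(r)
        print(f"{r.addr:<18}{str(r.signer):<10}{str(o):<11}{a}")
```

Under the OR policy an unsigned packet whose source address merely claims to be in 192.168.75.0/24 is answered, which is the spoofing concern raised in the question; under the `!reject` form it is refused, and a correctly signed query from outside the subnet is refused as well, because the negated nested ACL short-circuits before the key is ever considered.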