DNS rebinding: prevention?

Mordechai T. Abzug morty+bind at frakir.org
Sat Aug 4 04:40:27 UTC 2007


[resending from subscribed address]

On Fri, Aug 03, 2007 at 09:50:28AM -0700, Chris Buxton wrote:

> named would have to check the address of each A or AAAA record
> coming from the outside to see if it refers to an internal address.

Yes.  And CNAMEs, too.  Maybe NS records, SRVs, MXs, and some other
record types I'm not thinking of.  Which is OK -- bind already looks
at the records at least a little bit, i.e. to cache them, to see if
they match the query, etc.  IME, bind runs at low CPU utilization on
modern hardware for 10K users: there's definitely room for more work
to be done by bind.  And, of course, like any other feature, this
should be able to be turned off for performance reasons or any other
reason.  "Any feature that cannot be turned off is indistinguishable
from a bug."

> This seems to be more a job for an application-level firewall that
> can fully inspect the contents of DNS messages and filter based on
> their contents.

The DNS server is already parsing DNS replies and looking at them, to
make sure that the query IDs match, that the answer is valid based on
the query, to cache, etc.  The DNS server is the expert on DNS.  Why
pass the buck to the firewall?

Also, for large shops, where one hand doesn't know what the other is
doing and there is a lot of specialization, I don't think you want the
firewall guys responsible for understanding DNS configurations.
There are a lot of subtleties here -- offhand, delegations to the
server, delegations from the server, and known-valid third-party DNS
records that point to internal IPs or names.

And quite aside from organizational issues, I personally work with
both DNS products and firewall products.  I would trust a DNS server
to do complicated things with DNS a lot more than I would trust a
firewall to do complicated things with DNS.  The DNS servers
(i.e. bind) have a lot more DNS-related knobs to turn, and clearly
understand DNS better.

In summary: yes, this can be worked around in a firewall, but it makes
a lot of sense to provide a workaround in bind.

- Morty
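As an added example, not code from this thread or from BIND: a sketch in Python of the response check the thread discusses, including the carve-outs Morty raises (zones delegated to or served by this server, and known-valid third-party records that point at internal IPs or names). All address ranges, zone names and records below are constructed for illustration.

```python
import ipaddress

# Internal address space to protect; constructed for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
# Zones this server serves or has delegated to it: their records may
# legitimately carry internal addresses, so they are not filtered.
INTERNAL_ZONES = ("corp.example.",)
# Known-valid third-party records that point at internal IPs or names.
ALLOWLIST = {("vpn-hint.partner.example.", "A", "10.9.8.7")}

def in_zone(name, zone):
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

def is_internal_ip(rdata):
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def points_inside(rtype, rdata):
    """A/AAAA rdata is an internal address, or a CNAME/NS/MX/SRV/PTR
    target is a name under one of our internal zones."""
    if rtype in ("A", "AAAA"):
        return is_internal_ip(rdata)
    if rtype in ("CNAME", "NS", "MX", "SRV", "PTR"):
        # MX/SRV rdata carries priority/weight/port before the target name
        return any(in_zone(rdata.split()[-1], z) for z in INTERNAL_ZONES)
    return False

def filter_outside_answer(records):
    """records: (owner, rtype, rdata) tuples from a reply received from an
    outside server. Returns (kept, dropped)."""
    kept, dropped = [], []
    for rr in records:
        owner, rtype, rdata = rr
        if any(in_zone(owner, z) for z in INTERNAL_ZONES) or rr in ALLOWLIST:
            kept.append(rr)      # our own namespace, or explicitly trusted
        elif points_inside(rtype, rdata):
            dropped.append(rr)   # outside name pointing inside: rebinding candidate
        else:
            kept.append(rr)
    return kept, dropped

SAMPLE_REPLY = [  # constructed answer section from an outside server
    ("www.outside.example.", "A", "203.0.113.10"),
    ("www.outside.example.", "A", "192.168.1.20"),
    ("alias.outside.example.", "CNAME", "intranet.corp.example."),
    ("vpn-hint.partner.example.", "A", "10.9.8.7"),
    ("lab.corp.example.", "NS", "ns1.corp.example."),
]
```

Running `filter_outside_answer(SAMPLE_REPLY)` drops the second A record and the CNAME while keeping the allowlisted and delegated entries; the per-type list is the same open question the thread raises about which record types need checking.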
