DNS rebinding: prevention?
Mordechai T. Abzug
morty+bind at frakir.org
Tue Aug 7 13:25:26 UTC 2007
On Tue, Aug 07, 2007 at 02:24:50PM +0200, Ralf Weber wrote:
> What if everybody would use proper reverse entries that also had the
> corresponding forward entries and all that secured via DNSSEC? Then
> if the browser would see a difference between forward and reverse
> mapping it should not allow the connection.
That requires a whole lot more work than just making some zone-level
config changes. And the transition isn't clean -- if forward and
reverse DNS don't match, how does a browser know if this is because
the admin hasn't yet gotten around to making them match, or because
there really is a problem? And how do you deal with name-based
virtual hosting, where you might have dozens or even hundreds of
hostnames parked at one IP? And how do you deal with the *next*
vulnerability that happened because the protocol designers didn't
understand this DNS issue?
> Well what is your address space? There are several reasons why names
> may point anywhere.
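
The objection raised in the reply above, as an added example that is not part of the original message: a forward-confirmed reverse DNS check run over constructed zone data (every name and address below is made up, and no network lookups are performed). It shows that name-based virtual hosts and a host whose admin never set up a PTR are rejected exactly like an outside name pointing at a private address, so the check alone cannot tell them apart.

```python
# Constructed zone data for illustration; these are not real records.
FORWARD = {  # hostname -> A records
    "www.example.com": ["192.0.2.10"],
    "shop.example.com": ["192.0.2.10"],     # name-based virtual host
    "blog.example.com": ["192.0.2.10"],     # name-based virtual host
    "mail.example.net": ["198.51.100.5"],   # admin never created the PTR
    "rebind.example.org": ["192.168.0.1"],  # outside name -> private address
}
REVERSE = {  # address -> PTR names
    "192.0.2.10": ["www.example.com"],      # one PTR for many hosted names
    "192.168.0.1": ["router.lan"],
}


def normalize(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.rstrip(".").lower()


def forward_confirmed(name, forward=FORWARD, reverse=REVERSE):
    """True only if every address of `name` has a PTR pointing back to `name`."""
    wanted = normalize(name)
    addrs = forward.get(wanted, [])
    if not addrs:
        return False  # no forward data at all: nothing to confirm
    return all(
        wanted in {normalize(ptr) for ptr in reverse.get(addr, [])}
        for addr in addrs
    )


def rejected(names=None):
    """Names a strict 'forward must match reverse' client would refuse."""
    names = FORWARD if names is None else names
    return sorted(n for n in names if not forward_confirmed(n))


if __name__ == "__main__":
    for host in sorted(FORWARD):
        verdict = "allow" if forward_confirmed(host) else "refuse"
        print(f"{host:20} {verdict}")
```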