Enforcing minimum TTL...

Mark Andrews marka at isc.org
Fri Oct 26 03:27:36 UTC 2018


Use a browser that maintains its own address cache tied to the HTTP session.  That is the only way to safely deal with rebinding attacks.  Rebinding attacks have been known about for years.  There is zero excuse for not using a browser with such protection.

> On 26 Oct 2018, at 12:02 pm, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> 
> Is there a way to enforce a minimum TTL?
> 
> My initial searching indicated that ISC / BIND developers don't include a way to do so on a matter of principle.
> 
> I'd like to enforce a minimum TTL of 5 minutes (300 seconds) on my private BIND server at home.  I'm wanting to use this as a method to thwart DNS Rebinding attacks.
> 
> I've already got RPZ filtering out what IANA defines as Special Purpose IPv4 addresses.  But this does nothing to prevent rebinding to a different IP on the globally routed Internet, or squatters that are re-using someone else's IP space (i.e. ISPs abusing DoD IP space for CGN).
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
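The two mitigations discussed in this thread, a resolver-side minimum-TTL floor combined with the RPZ-style special-purpose filter the question mentions, and the per-session address pinning the reply recommends, as an added Python sketch that is not from the original post and is not BIND code; the upstream lookup, the clock and the address list are constructed stand-ins (the list is a partial subset of the IANA registry, not the full table).

```python
import ipaddress
from typing import Callable, Dict, Tuple

MIN_TTL = 300  # the 5-minute floor the original question asks for

# Constructed subset of IANA's special-purpose IPv4 registry; not the full table.
SPECIAL_PURPOSE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15",
)]


def is_special_purpose(addr: str) -> bool:
    """RPZ-style check: reject answers that point into special-purpose space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SPECIAL_PURPOSE)


class FlooredCache:
    """Resolver-side floor: a cached answer lives at least `floor` seconds even when
    the upstream TTL is shorter, so a short-TTL rebind cannot land inside that window.
    `lookup` is a hypothetical upstream: name -> (address, ttl in seconds)."""

    def __init__(self, lookup: Callable[[str], Tuple[str, int]],
                 clock: Callable[[], float], floor: int = MIN_TTL):
        self.lookup, self.clock, self.floor = lookup, clock, floor
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (address, expiry)

    def resolve(self, name: str) -> str:
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0]  # still inside the floored lifetime: upstream is not consulted
        addr, ttl = self.lookup(name)
        if is_special_purpose(addr):
            raise ValueError(f"{name} -> {addr} rejected: special-purpose address")
        self.cache[name] = (addr, self.clock() + max(ttl, self.floor))
        return addr


class SessionPinnedResolver:
    """Client-side pin, as the reply recommends: the first address obtained for a
    name within a session is reused for that whole session, whatever later answers say."""

    def __init__(self, lookup: Callable[[str], Tuple[str, int]]):
        self.lookup, self.pins = lookup, {}

    def resolve(self, session: str, name: str) -> str:
        key = (session, name)
        if key not in self.pins:  # explicit check so the upstream is hit only once
            self.pins[key] = self.lookup(name)[0]
        return self.pins[key]
```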