DNS Re-binding Attack Prevention with BIND
Grant Taylor
gtaylor at tnetconsulting.net
Mon Jan 28 18:08:55 UTC 2019
On 01/28/2019 02:22 AM, Blason R wrote:
> Can someone guide me on prevention and possible configuration in BIND
> from DNS Re-bind attack?
Please clarify what you mean by "rebinding" and what you're trying to
protect against.
From one of your other messages, you indicate that you are already using
Response Policy Zone(s). I would think that it would be trivial to
create RPZ entries to filter out specific answers or query names. What
are you wanting to do that you aren't already doing with RPZ?
I asked for clarification on what you mean by "rebinding" because (I
think) it's relatively easy to have RPZ filter replies with answers in
any given prefix. I've seen people implement filters for RFC 1918 and
possibly RFC 3330.
But, to me, this is an incomplete solution because it assumes that the
addresses being protected are within prefixes listed in RFC 1918 and /
or RFC 3330. I find that (what I believe to be an) assumption short
sighted, and it does nothing to protect companies that are using other non-RFC
3330 IP addresses. I guess it's simple enough to add / adjust BIND's
RPZ entries or deny-answer-addresses entries accordingly for such
networks. But I've seen too many other things that assume that only RFC
1918, not even RFC 3330, is internal and needs to be protected.
So, I ask again, what /specifically/ does "rebinding" mean to you, in
this context?
--
Grant. . . .
unix || die
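The two BIND mechanisms the reply mentions, deny-answer-addresses and RPZ IP triggers, are shown below as an added illustration; this is not configuration from the list post or from ISC. The zone name "example.internal", the RPZ zone "rpz.local" and the 192.0.2.0/24 entry (a documentation prefix standing in for an organisation's own non-RFC 1918 space) are placeholders. The point of the example is the one the reply makes: the filter list has to be extended to whatever prefixes are actually internal, not just the RFC 1918 ones, and internal zones need an exception so the filter does not break legitimate answers.

```conf
// named.conf fragment (added example, not from the list post)
options {
    // Drop A/AAAA answers from external names that point at internal
    // address space. Add your own public-but-internal prefixes here;
    // 192.0.2.0/24 is a placeholder for such a prefix.
    deny-answer-addresses {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        192.0.2.0/24;      // placeholder: non-RFC 1918 internal space
    } except-from { "example.internal"; };   // assumed internal zone

    // Same treatment for CNAME/DNAME chains that resolve back into
    // internal names from an external query name.
    deny-answer-aliases { "example.internal"; }
        except-from { "example.internal"; };

    // Alternatively (or additionally) apply the same prefixes via RPZ.
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };   // policy zone, never answered directly
};

// ---- end of named.conf; the RPZ zone file rpz.local.db follows ----
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )
    IN NS   localhost.
; QNAME triggers are evaluated before IP triggers, so a passthru on the
; internal zone exempts its answers from the IP rules below.
example.internal        CNAME rpz-passthru.
*.example.internal      CNAME rpz-passthru.
; IP triggers: <prefix-length>.<reversed address>.rpz-ip -> NXDOMAIN
8.0.0.0.10.rpz-ip       CNAME .
12.0.0.16.172.rpz-ip    CNAME .
16.0.0.168.192.rpz-ip   CNAME .
24.0.2.0.192.rpz-ip     CNAME .   ; placeholder prefix, as above
```

Run named-checkconf on the configuration and named-checkzone rpz.local rpz.local.db on the policy zone before reloading. With deny-answer-addresses the rejected answer is logged in the "security" category, which is the signal to watch for when checking whether the filter is firing on legitimate traffic rather than on rebinding attempts.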