DNS Re-binding Attack Prevention with BIND
Grant Taylor
gtaylor at tnetconsulting.net
Mon Jan 28 17:59:48 UTC 2019
On 01/28/2019 04:13 AM, Blason R wrote:
> Thanks for the revert; however, in my scenario I have a Windows AD server
> that is being used as an Authoritative DNS for example.local, which has
> forwarding set to BIND acting as an RPZ, and I am wanting to see if we can
> conceal this vulnerability on BIND.
Am I understanding you correctly in that you have a Windows DNS server
that is both:
1) Authoritative for the example.local domain.
2) Configured to forward queries to a BIND DNS server that is applying
Response Policy Zone filtering.
I'm guessing that BIND is functioning as a recursive resolver for Windows.
You don't currently have deny-answer-aliases enabled.
Is all of this correct? (I'm assuming that it is unless / until you
correct.)
Please clarify what vulnerability you are trying to conceal.
> I think since BIND is not a NS for example domain even if I enable this
> protection on BIND not sure if that would take effect?
I don't see anything in the ARM talking about needing to be
authoritative for the domain(s) in question. So I don't see how BIND
not having the example.local zone is a problem.
Even if BIND did filter queries for example.local, the Windows server
shouldn't be sending queries for example.local because Windows is
authoritative for example.local.
What am I missing / misunderstanding?
Finally, I would expect that you can use RPZ to do filtering that is
comparable to "deny-answer-addresses {…};" and / or "deny-answer-aliases
{…};".
--
Grant. . . .
unix || die
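As an added illustration of the two approaches discussed above (this is not configuration from the thread or from ISC; the zone name rpz.local, the file name rpz.local.db, and the corp.example.net passthru name are assumptions), the following shows BIND's native deny-answer-addresses / deny-answer-aliases settings on the recursive resolver next to an RPZ zone that filters comparable private-address answers. The except-from lists and the rpz-passthru entry are what keep legitimate internal names resolving to private addresses; without them, a resolver that serves an internal zone with RFC 1918 addresses will break its own clients.

```conf
## named.conf fragment (assumed layout; applies on the BIND recursive resolver)
options {
    # Reject answers whose A/AAAA records fall in private or loopback space,
    # unless the query name is under a domain listed in except-from.
    deny-answer-addresses {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        127.0.0.0/8;
        ::1/128;
        fc00::/7;
    } except-from { "example.local"; };

    # Reject answers whose CNAME/DNAME target lands inside example.local
    # when the query name itself is not under example.local.
    deny-answer-aliases { "example.local"; } except-from { "example.local"; };

    # RPZ alternative: the zone below rewrites matching answers instead.
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };   # policy data is never served to clients directly
};

## rpz.local.db (assumed file name; zone data for the RPZ alternative)
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@   IN NS   localhost.
; QNAME triggers are evaluated before IP triggers within a zone, so names
; under corp.example.net (assumed internal domain) may still resolve to
; private addresses even though the rpz-ip rules below would match them.
*.corp.example.net      CNAME rpz-passthru.
; rpz-ip triggers are written <prefix-length>.<reversed-octets>.rpz-ip and
; match any A record in the response; "CNAME ." rewrites the answer to NXDOMAIN.
8.0.0.0.10.rpz-ip       CNAME .
12.0.0.16.172.rpz-ip    CNAME .
16.0.0.168.192.rpz-ip   CNAME .
8.0.0.0.127.rpz-ip      CNAME .
```

In the scenario described in the thread, where the Windows server is authoritative for example.local and only forwards other names to BIND, neither mechanism needs BIND to hold the example.local zone: the filtering is applied to the addresses and alias targets in the responses BIND resolves, and the except-from / passthru entries exist only so that the resolver's own internal names are not caught by its own policy. Run named-checkconf and named-checkzone against the files before loading them, since an error in the options block prevents the whole configuration from loading.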