[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?

Lutz Donnerhacke lutz at iks-jena.de
Tue Aug 7 08:09:48 UTC 2007

* Roland Dobbins wrote:
> Has anyone played around sufficiently with BIND ACLs and Views in  
> order to determine whether or not they can be used to effect a  
> defense against these types of attacks?

There is no defense to DNS Rebinding attacks. This type of attack utilize
the difference between the DNS caching and the meaning in an application
session of an DNS name.

Let's take an simple example where only a single DNS query is involved, so
the "Re" in "Rebinding" is optional at all:

  The attackers knows that there is an internal MTA vulnerable to MIME
  decoding attacks of email header lines causing a remote code execution.
  Futhermore there is a DMZ MTA to protect the interal system.
  The attacker sends an email to the DMZ MTA which will be bounced.
  The return address MX resolves to the internal MTA IP. So the DMZ MTA
  sends the bounce to the interal MTA triggering the exploit.

In short: There is no general solution outside the application protocol.

More information about the dns-operations mailing list