[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?

Roland Dobbins rdobbins at cisco.com
Tue Aug 7 10:40:39 UTC 2007


On Aug 7, 2007, at 3:23 AM, Simon Waters wrote:

> Off hand I've never seen a BIND config capable of doing such a  
> thing, as you'd
> want to be checking the values in requests returned from specific  
> servers.

Is this really necessary?  Wouldn't it suffice to simply have one's  
external resolving server(s) hand out a pre-designated answer to  
one's caching servers (or other resolvers) if the result of a  
recursive query it (they) were asked to issue contained an IP address  
within a pre-designated list which contains one's site IP ranges?

Does sufficient logic exist for this today within BIND ACLs and  
Views?  If not, it seems that it wouldn't be much of a leap to add  
it, and that this would be quite useful on many fronts, including the  
anti-pinning/rebinding attacks.

> I don't even think some of the better firewalls DNS proxies offer  
> this as an
> option, which would seem the logical place to enforce this to me.

Lots of folks such as broadband SPs don't insert firewalls into their  
topologies.  It seems to me that the more logical place to handle  
this would be in-band within the DNS.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

	Culture eats strategy for breakfast.

            -- Ford Motor Company




More information about the dns-operations mailing list