[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?

Simon Waters simonw at zynet.net
Tue Aug 7 10:23:48 UTC 2007


On Tuesday 07 August 2007 10:51, Roland Dobbins wrote:
>
> I understand that it's not a DNS problem; I was wondering whether or
> not one could simply manually filter/rewrite answers for FQDNS which
> are outside one's SOA scope, yet are answered by the attacker as
> being within one's own IP address ranges, as something of a defensive
> measure.

One could. At least one firewall vendor uses this as a convenient way to 
direct you to the default RFC1918 address space that the router's 
configuration interface has by default. Many of the DNS block lists use 127/8 
as the results of lookups, indicating why something was added to the list. 
But I doubt there is much genuine use of such.

This doesn't of course stop your computers being used to abuse other people's 
services.

For all its faults, one well known browser lets you set different security 
settings by domain already.

I don't know if one can do reverse lookup in the browser, and then use those 
results to direct requests locally using CNAMEs or some such, but it wouldn't 
surprise me if this were also possible as an enhancement to the drive-by 
phishing...

Offhand I've never seen a BIND config capable of doing such a thing, as you'd 
want to be checking the values in requests returned from specific servers. I 
don't even think some of the better firewalls' DNS proxies offer this as an 
option, which would seem the logical place to enforce this to me.
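The filter the thread is discussing (drop answers for names outside your own zones that resolve into your internal address space, as a DNS proxy or firewall would enforce it) can be sketched in a few lines. The code below is an added example, not something posted in this thread or shipped by any product mentioned in it; the internal network list, the zone name `corp.example.` and the sample records are constructed assumptions to make it run offline.

```python
import ipaddress

# Networks a client should never be steered to by a name we do not control.
# RFC 1918, loopback and link-local for v4; loopback, ULA and link-local for v6.
# Assumption: adjust to the ranges you actually consider "inside".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def in_zone(name, zones):
    """True if `name` is at or below one of our own zones.

    Comparison is label-aware, so "notcorp.example." does not match
    the zone "corp.example.".
    """
    labels = name.lower().rstrip(".").split(".")
    for zone in zones:
        zl = zone.lower().rstrip(".").split(".")
        if len(labels) >= len(zl) and labels[-len(zl):] == zl:
            return True
    return False


def is_internal(addr, nets=INTERNAL_NETS):
    """True if the textual address falls inside any of `nets`."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an address literal (e.g. a CNAME target): never "internal".
        return False
    return any(ip in n for n in nets)


def filter_answers(answers, own_zones, nets=INTERNAL_NETS):
    """Apply the rebinding filter to a list of (owner, rrtype, rdata) records.

    Records for names outside `own_zones` whose A/AAAA rdata points into
    internal space are dropped; everything else is passed through unchanged.
    Returns (kept, dropped) so the caller can log what was suppressed.
    """
    kept, dropped = [], []
    for owner, rrtype, rdata in answers:
        rebind = (
            rrtype in ("A", "AAAA")
            and is_internal(rdata, nets)
            and not in_zone(owner, own_zones)
        )
        (dropped if rebind else kept).append((owner, rrtype, rdata))
    return kept, dropped


# Constructed sample answer section (hypothetical names and addresses).
SAMPLE_ANSWERS = [
    ("www.example.net.", "A", "203.0.113.10"),         # public address: kept
    ("printer.corp.example.", "A", "10.1.2.3"),        # our own zone: kept
    ("host.example.org.", "A", "192.168.1.1"),         # outside zone -> RFC1918: dropped
    ("host.example.org.", "AAAA", "fd00::1"),          # outside zone -> ULA: dropped
    ("cdn.example.net.", "CNAME", "edge.example.net."),  # not an address: kept
]

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS, ["corp.example."])
    for rec in dropped:
        print("suppressed:", rec)
    for rec in kept:
        print("passed:    ", rec)
```

Run it as-is to see the two outside-zone records pointing at private space suppressed while the internal printer name (inside `corp.example.`) passes. Note what the filter does not do: it only inspects address records, so a CNAME chain has to be followed to its final A/AAAA before the check is meaningful, and it does nothing about the other direction the thread raises (your hosts being used to reach other people's services).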


