[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?
simonw at zynet.net
Tue Aug 7 11:23:38 UTC 2007
On Tuesday 07 August 2007 11:40, Roland Dobbins wrote:
> Does sufficient logic exist for this today within BIND ACLs and
Not as far as I know.
Views match client IP, or name server IP (destination).
ACL match address lists.
Neither of these deal with the returned data within queries, they are about
restricting who can make queries, from where and to where.
> If not, it seems that it wouldn't be much of a leap to add
> it, and that this would be quite useful on many fronts, including the
> anti-pinning/rebinding attacks.
Rewriting answers on the fly sounds like a bad idea, even in ones own
recursive name servers.
As I said, the DNS is behaving as designed, fiddling with the DNS because of
faults in other software is a great way to break unrelated things, whilst not
addressing the real problem. The DNS has enough security issues of its own,
without trying to fix other peoples security problems as well.
> Lots of folks such as broadband SPs don't insert firewalls into their
Such folk generally can't rewrite the answers for their customers, since they
don't know what the customers private IPs are, or whether they are
deliberately using those IP addresses in public DNS zones hosted elsewhere
(i.e. Extranets, Intranets, VPNs and such like).
More information about the dns-operations