[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?

Roland Dobbins rdobbins at cisco.com
Tue Aug 7 11:31:19 UTC 2007


On Aug 7, 2007, at 4:23 AM, Simon Waters wrote:

> Such folk generally can't rewrite the answers for their customers,  
> since they
> don't know what the customers private IPs are, or whether they are
> deliberately using those IP addresses in public DNS zones hosted  
> elsewhere
> (i.e. Extranets, Intranets, VPNs and such like).

Any private IPs are irrelevant - all that's necessary is knowledge of  
one's own CIDR blocks on which customers reside.

Customers using DNS, et. al., are going to be using their own  
internal DNS servers, anyways, through the tunnel.

What we're talking about is a defensive measure having to do with  
maliciously-crafted answers being handed out for address ranges  
covered within an organizations own SOA.  How is intercepting and  
handling those maliciously-crafted answers a Bad Thing?  It seems to  
me that it's an unalloyed good.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

	Culture eats strategy for breakfast.

            -- Ford Motor Company




More information about the dns-operations mailing list