[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?

Roland Dobbins rdobbins at cisco.com
Tue Aug 7 10:40:39 UTC 2007


On Aug 7, 2007, at 3:23 AM, Simon Waters wrote:

> Off hand I've never seen a BIND config capable of doing such a thing, as
> you'd want to be checking the values in requests returned from specific
> servers.

Is this really necessary?  Wouldn't it suffice to simply have one's  
external resolving server(s) hand out a pre-designated answer to  
one's caching servers (or other resolvers) if the result of a  
recursive query it (they) were asked to issue contained an IP address  
within a pre-designated list which contains one's site IP ranges?

Does sufficient logic exist for this today within BIND ACLs and  
Views?  If not, it seems that it wouldn't be much of a leap to add  
it, and that this would be quite useful on many fronts, including the  
anti-pinning/rebinding attacks.

> I don't even think some of the better firewalls' DNS proxies offer this as an
> option, which would seem the logical place to enforce this to me.

Lots of folks such as broadband SPs don't insert firewalls into their  
topologies.  It seems to me that the more logical place to handle  
this would be in-band within the DNS.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

	Culture eats strategy for breakfast.

            -- Ford Motor Company
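The check Roland proposes above (answers from an upstream recursion that carry an address inside the site's own ranges get replaced by a pre-designated address before being handed to the caching servers) is small enough to show in full. The following is an added example, not code from the original post and not BIND's own implementation: a stand-alone Python filter over DNS wire-format responses. The site ranges, the sentinel address, the query name and the response it builds are all constructed assumptions for the demonstration.

```python
"""
Resolver-side rewrite of A answers that point into the site's own address
space, as described in the message above. Added example; not from the original
post and not BIND's code. Every range, address and name here is a constructed
assumption.
"""
import ipaddress
import struct

# Assumed: the site's own IP ranges (RFC 1918 plus a documentation prefix) and
# the pre-designated address to hand back in place of any such answer.
SITE_RANGES = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]
SENTINEL = ipaddress.ip_address("198.51.100.1")  # assumed sinkhole address

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname, ips, txid=0x1234):
    """Build a minimal DNS response with one IN/A record per IP (sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for ip in ips:
        # Owner name is a compression pointer (0xC00C) to the question name at offset 12.
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 60, 4)
        answers += ipaddress.ip_address(ip).packed
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _answer_offsets(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer RR."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4        # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def rewrite_site_answers(msg, site_ranges=SITE_RANGES, sentinel=SENTINEL):
    """
    Replace the rdata of every IN/A answer whose address falls inside
    site_ranges with the sentinel. Returns (rewritten_message, replaced_addrs).
    The message length is unchanged, so compression pointers stay valid.
    """
    buf = bytearray(msg)
    replaced = []
    for off, rtype, rclass, rdlen in _answer_offsets(buf):
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addr = ipaddress.ip_address(bytes(buf[off:off + 4]))
            if any(addr in net for net in site_ranges):
                replaced.append(str(addr))
                buf[off:off + 4] = sentinel.packed
    return bytes(buf), replaced


def answer_ips(msg):
    """List the IN/A addresses in the answer section (for inspection and tests)."""
    return [str(ipaddress.ip_address(bytes(msg[off:off + 4])))
            for off, rtype, rclass, rdlen in _answer_offsets(msg)
            if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4]


if __name__ == "__main__":
    # Constructed: a name that answers with one external address and one that
    # "rebinds" into the site's own space.
    resp = build_response("attacker.example", ["203.0.113.7", "10.0.0.5"])
    fixed, hits = rewrite_site_answers(resp)
    print("replaced:", hits, "answers now:", answer_ips(fixed))
```

The rewrite is done in place on the wire bytes, so rdlen and any compression pointers in later records remain correct; a filter that rebuilt the packet would have to re-encode every name. Later BIND releases added a `deny-answer-addresses` option (with an `except-from` list for zones that legitimately return internal addresses) that does this natively; the block above is only a stand-alone illustration of the same check.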