[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?

[Simon Waters]

On Tuesday 07 August 2007 11:40, Roland Dobbins wrote:
>
> Does sufficient logic exist for this today within BIND ACLs and
> Views?

Not as far as I know.

Views match client IP, or name server IP (destination).
ACL match address lists.

Neither of these deal with the returned data within queries, they are about 
restricting who can make queries, from where and to where.

> If not, it seems that it wouldn't be much of a leap to add 
> it, and that this would be quite useful on many fronts, including the
> anti-pinning/rebinding attacks.

Rewriting answers on the fly sounds like a bad idea, even in ones own 
recursive name servers.

As I said, the DNS is behaving as designed, fiddling with the DNS because of 
faults in other software is a great way to break unrelated things, whilst not 
addressing the real problem. The DNS has enough security issues of its own, 
without trying to fix other peoples security problems as well.

> Lots of folks such as broadband SPs don't insert firewalls into their  
> topologies.

Such folk generally can't rewrite the answers for their customers, since they 
don't know what the customers private IPs are, or whether they are 
deliberately using those IP addresses in public DNS zones hosted elsewhere 
(i.e. Extranets, Intranets, VPNs and such like).