[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?
Roland Dobbins
rdobbins at cisco.com
Tue Aug 7 11:31:19 UTC 2007
On Aug 7, 2007, at 4:23 AM, Simon Waters wrote:
> Such folk generally can't rewrite the answers for their customers,
> since they don't know what the customers' private IPs are, or whether
> they are deliberately using those IP addresses in public DNS zones
> hosted elsewhere (i.e. Extranets, Intranets, VPNs and such like).
Any private IPs are irrelevant - all that's necessary is knowledge of
one's own CIDR blocks on which customers reside.
Customers using DNS, et al., are going to be using their own
internal DNS servers, anyways, through the tunnel.
What we're talking about is a defensive measure having to do with
maliciously-crafted answers being handed out for address ranges
covered within an organization's own SOA. How is intercepting and
handling those maliciously-crafted answers a Bad Thing? It seems to
me that it's an unalloyed good.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company
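The check described above, written out as resolver-side filter logic (an added example, not code from the list or from any resolver): an answer for a name outside the operator's own zones that points into the operator's own CIDR blocks is dropped. The blocks, zones, and sample responses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: the operator's own customer-facing CIDR blocks
# (the "knowledge of one's own CIDR blocks" the post refers to).
OWN_BLOCKS = [ip_network(b) for b in ("203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32")]

# Constructed: zones under the operator's own SOA. Names inside these zones may
# legitimately resolve into OWN_BLOCKS; any other zone doing so is suspect.
OWN_ZONES = ("example.net.", "customers.example.net.")


def in_own_zone(name: str) -> bool:
    """True if name is at or below one of OWN_ZONES (case-insensitive, FQDN or not)."""
    n = name.lower().rstrip(".") + "."
    return any(n == z.lower() or n.endswith("." + z.lower()) for z in OWN_ZONES)


def filter_answer(name: str, addresses: list) -> dict:
    """Apply the view/ACL check to one A/AAAA answer set.

    Returns {"action": ..., "kept": [...], "dropped": [...]} where action is
    "pass"   - nothing touched,
    "strip"  - some rdata removed, the remaining answer goes to the client,
    "refuse" - every rdata pointed into our space from a foreign zone, so the
               client gets a refusal rather than an empty-looking answer.
    """
    kept, dropped = [], []
    foreign = not in_own_zone(name)
    for rdata in addresses:
        addr = ip_address(rdata)
        if foreign and any(addr in blk for blk in OWN_BLOCKS):
            dropped.append(rdata)  # rebinding-style answer: external name -> our range
        else:
            kept.append(rdata)
    if not dropped:
        action = "pass"
    elif kept:
        action = "strip"
    else:
        action = "refuse"
    return {"action": action, "kept": kept, "dropped": dropped}


if __name__ == "__main__":
    # Constructed responses as a recursive resolver might receive them.
    samples = [
        ("www.example.net.", ["203.0.113.10"]),                     # own zone -> own block
        ("cdn.attacker.example.", ["192.0.2.44"]),                  # foreign zone, foreign IP
        ("cdn.attacker.example.", ["192.0.2.44", "203.0.113.10"]),  # mixed: strip one
        ("pin.attacker.example.", ["198.51.100.7", "2001:db8::1"]), # all ours: refuse
    ]
    for qname, rrset in samples:
        print(qname, filter_answer(qname, rrset))
```

Note that the exception list for the operator's own zones is what keeps legitimate intranet/extranet names that intentionally resolve into the same ranges working.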