[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?

Lutz Donnerhacke lutz at iks-jena.de
Tue Aug 7 11:47:46 UTC 2007


* Roland Dobbins wrote:
> Any private IPs are irrelevant - all that's necessary is knowledge of  
> one's own CIDR blocks on which customers reside.

Several blackhole or spamfighting lists are published via DNS using private
addresses (usually from 127.0.0.0/8). There are even larger ISPs routing RFC
1918 addresses in their network for customer services. (i.e. German Telekom
switched their proprietary BTX system to such an "intranet" in order to keep
financial services online.)

The problem is not a DNS problem, it's a general validation problem for
applications and the rebinding part is a semantic problem derived from an
application-specific session concept.
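
Added example, not part of the original message: a minimal resolver-side answer filter showing the collision described above, where dropping loopback/RFC 1918 answers to stop rebinding also drops a DNSBL listing published as 127.0.0.2. The zone names, sample responses and the per-zone exemption are assumptions constructed for illustration.

```python
import ipaddress

# Ranges an anti-rebinding filter typically refuses in answers for external names.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_blocked_range(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETS)

def zone_matches(qname, zone):
    """True if qname is the zone or below it, compared label by label."""
    q = qname.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(q) >= len(z) and q[-len(z):] == z

def filter_answers(qname, addrs, exempt_zones=()):
    """Return (kept, dropped) A-record addresses for one response."""
    if any(zone_matches(qname, z) for z in exempt_zones):
        return list(addrs), []          # hypothetical exemption for known DNSBL zones
    kept = [a for a in addrs if not in_blocked_range(a)]
    dropped = [a for a in addrs if in_blocked_range(a)]
    return kept, dropped

def dnsbl_qname(ip, zone):
    """DNSBL query name: reversed IPv4 octets prepended to the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

# Constructed sample responses (documentation address ranges and example zones).
RESPONSES = [
    (dnsbl_qname("192.0.2.99", "dnsbl.example"), ["127.0.0.2"]),  # DNSBL "listed"
    ("www.rebind.example", ["10.0.0.5"]),                         # external name, internal IP
    ("www.example.org", ["198.51.100.7"]),                        # ordinary answer
]

def run(exempt_zones=()):
    return {q: filter_answers(q, a, exempt_zones) for q, a in RESPONSES}

if __name__ == "__main__":
    for label, zones in (("no exemptions", ()), ("dnsbl.example exempt", ("dnsbl.example",))):
        print(label)
        for q, (kept, dropped) in run(zones).items():
            print(f"  {q}: kept={kept} dropped={dropped}")
```

Without the exemption the DNSBL lookup comes back empty, which a mail server reads as "not listed"; with it, the listing survives while the internal-address answer for the unrelated name is still dropped.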


