[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?
Roland Dobbins
rdobbins at cisco.com
Tue Aug 7 16:49:55 UTC 2007
On Aug 7, 2007, at 4:47 AM, Lutz Donnerhacke wrote:
> Several blackhole or spamfighting lists are published via DNS using private
> addresses (usually from 127.0.0.0/8). There are even larger ISPs routing RFC
> 1918 addresses in their network for customer services. (i.e. German Telekom
> switched their proprietary BTX system to such an "intranet" in order to keep
> financial services online.)
I understand all this, and fail to see its relevance. The idea is to
selectively reject certain answers from DNS servers outside one's own
span of control, so the addressing schemes one is using are irrelevant.
>
> The problem is not a DNS problem, it's a general validation problem for
> applications and the rebinding part is a semantic problem derived from an
> application specific session concept.
I understand all this, and fail to see its relevance, either. DDoS
is a very general problem, yet the use of BGP as the control-plane
signaling mechanism for S/RTBH isn't pooh-poohed because DDoS isn't a
'BGP problem'.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company
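One way to express the filter Roland describes, as an added example that is not from the thread or from any particular resolver: a Python check that drops internal-range records from answers obtained from servers outside one's span of control, while exempting zones where such answers are legitimate (the DNSBL case Lutz raises) and answers served from one's own trusted view. The exempt zone name and the sample addresses are constructed for this example.

```python
import ipaddress
from typing import Iterable, List

# Address ranges an external (untrusted) server should never hand back for
# a public hostname: a client that later connects to one of these would be
# talking to itself or to the internal network, which is the rebinding risk.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
    )
]

# Zones where internal-looking answers are expected: DNSBLs encode their
# verdict as 127.0.0.x. Constructed/hypothetical zone name for this example.
EXEMPT_ZONE_SUFFIXES = ("dnsbl.example.net.",)


def is_internal(addr: str) -> bool:
    """True if addr falls in any range we refuse from outside servers."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def in_exempt_zone(qname: str) -> bool:
    """True if qname lies under a zone allowed to return internal addresses."""
    name = qname.lower().rstrip(".") + "."
    return any(name == s or name.endswith("." + s) for s in EXEMPT_ZONE_SUFFIXES)


def filter_answer(qname: str, addrs: Iterable[str], from_trusted_view: bool) -> List[str]:
    """Return the records a client may see for qname.

    Answers from our own view (internal zones, RFC 1918 services) pass
    untouched, as do exempt zones; everything else loses internal-range
    records. An empty result means the whole answer should be refused.
    """
    if from_trusted_view or in_exempt_zone(qname):
        return list(addrs)
    return [a for a in addrs if not is_internal(a)]
```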