[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?

Roland Dobbins rdobbins at cisco.com
Tue Aug 7 16:49:55 UTC 2007

On Aug 7, 2007, at 4:47 AM, Lutz Donnerhacke wrote:

> Several blackhole or spamfighting lists are published via DNS using  
> private
> adresses (usually from There are even larger ISPs  
> routing RfC
> 1918 addresses in their network for customer services. (i.e. German  
> Telekom
> switched their proprietary BTX system to such an "intranet" in  
> order to keep
> financial services online.)

I understand all this, and fail to see its relevance.  The idea is to  
selectively reject certain answers from DNS servers outside one's own  
span of control, so the addressing schemes one is using are irrelevant.

> The problem is not an DNS problem, it's a general validation  
> problem for
> applications and the rebinding part is a semantic problem derived  
> from a
> application specific session concept.

I understand all this, and fail to see its relevance, either.  DDoS  
is a very general problem, yet the use of BGP as the control-plane  
signaling mechanism for S/RTBH isn't pooh-poohed because DDoS isn't a  
'BGP problem'.

Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

	Culture eats strategy for breakfast.

            -- Ford Motor Company

More information about the dns-operations mailing list