[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?
David Ulevitch
davidu at everydns.net
Tue Aug 7 21:28:50 UTC 2007
Simon Waters wrote:
>> Lots of folks such as broadband SPs don't insert firewalls into their
>> topologies.
>>
>
> Such folk generally can't rewrite the answers for their customers, since they
> don't know what the customers' private IPs are, or whether they are
> deliberately using those IP addresses in public DNS zones hosted elsewhere
> (i.e. Extranets, Intranets, VPNs and such like).
>
The attack doesn't require rewriting answers into RFC1918 space. In
fact, more potent attacks (at least from where we sit as the DNS
operations community) relate to the fact that browsers can now be
anti-pinned to cause outbound connections to third-party sites/hosts
without the user being aware or directly involved in the process.
The "internal host access" is an important point, but it's not required
for the attack, nor is it what folks should be focused on; it's just a
symptom of the problem.
-David
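
The distinction drawn in the message above, as an added example that is not part of the original post: over a constructed resolver log, a policy keyed on RFC1918 answers sees only the name that flips to an internal address, while a check for fast answer changes on short TTLs also flags the name that flips to a third-party public host. The log format, names, addresses and thresholds are all assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed resolver log: (epoch seconds, client, qname, answer, ttl).
# Public addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    (1000, "c1", "www.example.org.",  "192.0.2.10",   3600),
    (1010, "c1", "a.rebind.example.", "198.51.100.7", 1),
    (1013, "c1", "a.rebind.example.", "10.0.0.5",     1),  # flips to an internal host
    (1020, "c2", "b.rebind.example.", "198.51.100.7", 1),
    (1024, "c2", "b.rebind.example.", "203.0.113.80", 1),  # flips to a third-party host
    (5000, "c1", "www.example.org.",  "192.0.2.10",   3600),
]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def names_caught_by_rfc1918_filter(log):
    """Names that a 'filter private answers' policy would act on."""
    return {qname for _, _, qname, answer, _ in log if is_rfc1918(answer)}

def names_with_fast_flip(log, window=60, max_ttl=5):
    """Names whose answer to one client changed address within `window`
    seconds on a TTL of at most `max_ttl`. Round-robin and CDN names can
    match too, so the result is a triage list, not a verdict."""
    last = {}      # (client, qname) -> (timestamp, answer, ttl)
    hits = set()
    for ts, client, qname, answer, ttl in sorted(log):
        prev = last.get((client, qname))
        if (prev and prev[1] != answer and ts - prev[0] <= window
                and min(ttl, prev[2]) <= max_ttl):
            hits.add(qname)
        last[(client, qname)] = (ts, answer, ttl)
    return hits

if __name__ == "__main__":
    filtered = names_caught_by_rfc1918_filter(SAMPLE_LOG)
    flipped = names_with_fast_flip(SAMPLE_LOG)
    print("RFC1918 filter sees:", sorted(filtered))
    print("fast-flip check sees:", sorted(flipped))
    print("missed by RFC1918 filter:", sorted(flipped - filtered))
```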