[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?

Roland Dobbins rdobbins at cisco.com
Wed Aug 8 07:30:56 UTC 2007

On Aug 8, 2007, at 12:21 AM, Lutz Donnerhacke wrote:

> Many hosting and access providers have to deal with customers which  
> run
> their own domains outside and point to internal IPs of the provider.

Right - a need was clearly there for quite some time, and so changes  
were made to default BIND behavior in order to accommodate that need.

All I'm saying is that it would be useful for any named, including  
BIND, to provide a basic mechanism to help protect against at least  
one application of rebinding/anti-pinning attacks, provided that the  
mechanism in question doesn't seriously alter the operation of the  
named and/or require a significant delta of effort to implement.

I find it very interesting that folks don't seem to think that this  
is a desirable property for production nameds.

Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

	Culture eats strategy for breakfast.

            -- Ford Motor Company

More information about the dns-operations mailing list