[dns-operations] Use of Views/ACLs to defeat DNS rebinding/pinning attacks?
Roland Dobbins
rdobbins at cisco.com
Wed Aug 8 07:30:56 UTC 2007
On Aug 8, 2007, at 12:21 AM, Lutz Donnerhacke wrote:
> Many hosting and access providers have to deal with customers which
> run their own domains outside and point to internal IPs of the provider.
Right - a need was clearly there for quite some time, and so changes
were made to default BIND behavior in order to accommodate that need.
All I'm saying is that it would be useful for any named, including
BIND, to provide a basic mechanism to help protect against at least
one application of rebinding/anti-pinning attacks, provided that the
mechanism in question doesn't seriously alter the operation of the
named and/or require a significant delta of effort to implement.
I find it very interesting that folks don't seem to think that this
is a desirable property for production nameds.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company