On 01/28/2019 02:22 AM, Blason R wrote:
Can someone guide me on prevention and possible configuration in BIND from DNS Re-bind attack?

Please clarify what you mean by "rebinding" and what you're trying to protect against.

From one of your other messages, you indicate that you are already using Response Policy Zone(s). I would think that it would be trivial to create RPZ entries to filter out specific answers or query names. What are you wanting to do that you aren't already doing with RPZ?

I asked for clarification on what you mean by "rebinding" because (I think) it's relatively easy to have RPZ filter replies with answers in any given prefix. I've seen people implement filters for RFC 1918 and possibly RFC 3330.

But, to me, this is an incomplete solution because it assumes that the addresses being protected are within prefixes listed in RFC 1918 and / or RFC 3330. I find that (what I believe to be an) assumption short-sighted and does nothing to protect companies that are using other non-RFC 3330 IP addresses. I guess it's simple enough to add / adjust BIND's RPZ entries or deny-answer-addresses entries accordingly for such networks. But I've seen too many other things that assume that only RFC 1918, not even RFC 3330, is internal and needs to be protected.

So, I ask again, what /specifically/ does "rebinding" mean to you, in this context?



--
Grant. . . .
unix || die
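As an added example (not from the original thread, and not BIND's own documentation), here is a named.conf fragment for a recursive resolver that implements both mechanisms mentioned in the reply above: the built-in deny-answer-addresses / deny-answer-aliases filters and a local RPZ. The internal zone name "corp.example", the public prefix 203.0.113.0/24 (TEST-NET-3) and the zone file path are placeholders, chosen to illustrate the point that prefixes outside RFC 1918 must be listed explicitly or they remain unprotected.

```conf
// Added example: refuse answers from external zones that point at
// internal address space (the classic "rebinding" shape).
// Placeholders: "corp.example", 203.0.113.0/24, /var/named/rpz.rebind.db.
acl "internal-space" {
    10.0.0.0/8;        // RFC 1918
    172.16.0.0/12;     // RFC 1918
    192.168.0.0/16;    // RFC 1918
    127.0.0.0/8;       // loopback
    0.0.0.0/8;         // "this" network
    169.254.0.0/16;    // link-local
    ::1/128;           // IPv6 loopback
    fe80::/10;         // IPv6 link-local
    // The reply's point: addresses the organisation owns that are NOT in
    // RFC 1918 stay unprotected unless they are added here.
    203.0.113.0/24;    // placeholder public prefix (TEST-NET-3)
};

options {
    recursion yes;
    allow-recursion { localnets; };

    // Discard A/AAAA answers inside "internal-space" unless the owner name
    // is under an except-from domain, where such addresses are legitimate.
    deny-answer-addresses { "internal-space"; } except-from { "corp.example"; };

    // Discard CNAME/DNAME answers whose target is an internal name,
    // unless the query itself was for an internal name.
    deny-answer-aliases { "corp.example"; } except-from { "corp.example"; };

    // Complementary control: a local RPZ with rpz-ip triggers for the
    // same prefixes (record format is described in the note below).
    response-policy { zone "rpz.rebind"; };
};

zone "rpz.rebind" {
    type master;                       // "primary" on BIND 9.16 and later
    file "/var/named/rpz.rebind.db";   // placeholder path
    allow-query { none; };             // policy data, never served to clients
};
```

In the RPZ zone file, answer-address triggers are written as the prefix length followed by the reversed address under `rpz-ip`, so `8.0.0.0.10.rpz-ip CNAME .`, `12.0.0.16.172.rpz-ip CNAME .` and `16.0.0.168.192.rpz-ip CNAME .` return NXDOMAIN for any answer inside the three RFC 1918 blocks (use `CNAME *.` for NODATA or `CNAME rpz-drop.` to drop the response). RPZ has no except-from, so exempt the internal zone with a qname trigger such as `*.corp.example CNAME rpz-passthru.`. Validate the result with `named-checkconf` and `named-checkzone rpz.rebind /var/named/rpz.rebind.db` before reloading, and verify behaviour with a query for an external name known to resolve to a private address.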



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
