F23 System Wide Change: Default Local DNS Resolver

Petr Spacek pspacek at redhat.com
Wed Jun 3 11:54:35 UTC 2015


On 3.6.2015 12:04, Florian Weimer wrote:
> On 06/02/2015 08:36 PM, Paul Wouters wrote:
>> On Tue, 2 Jun 2015, Simo Sorce wrote:
>>
>>>> and just because you have a local resolver Firefox won't stop its
>>>> behavior
>>>
>>> It can, w/o a local resolver FF developers will definitely keep caching
>>> on their own, with a decent local resolver they can allow themselves to
>>> disable their own and go back to rely on the system one, perhaps.
>>
>> I don't think so. Firefox does that to avoid DNS rebinding attacks.
> 
> It is somewhat questionable whether DNS rebinding vulnerabilities are,
> in fact, a problem which should be solved at the client side.  But

Oh yes. DNS pinning in the browser is just a band-aid and not a proper solution.
I would argue that the DNS rebinding attack is caused by a generic lack of
ingress filtering on multiple levels.

We learned to filter IP packets on firewalls to make sure that packets with
internal source addresses really come from interfaces connected to internal
networks, and the very same principle should apply everywhere...

> Firefox certainly has some caching mechanisms intended to help against
> that (but I'm not sure how reliable they are in preventing the issue,
> e.g. if you use a web proxy).

-- 
Petr Spacek  @  Red Hat
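
The ingress-filtering idea above, applied at the resolver, as an added example that is not part of the original thread: a stub resolver drops any answer that maps a name outside the locally served zones to an internal address (the address ranges and the `LOCAL_ZONES` names are assumptions), which is the check that resolver options such as unbound's `private-address` perform so the browser does not have to pin.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumed "internal" ranges for this host. The firewall ingress principle
# restated for DNS: an answer from the public tree must not point here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumed zones served by an internal authoritative server; only names
# under these may legitimately resolve to INTERNAL_NETS.
LOCAL_ZONES = ("example.corp.", "home.arpa.")


def in_local_zone(qname: str) -> bool:
    """True if qname equals or lies below one of LOCAL_ZONES."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in LOCAL_ZONES)


def is_internal(addr: str) -> bool:
    """True if addr falls in INTERNAL_NETS; IPv4-mapped IPv6 (::ffff:a.b.c.d)
    is unwrapped first so it cannot be used to slip past the IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in INTERNAL_NETS)


def filter_answers(qname: str, addresses: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a response's A/AAAA records into (kept, dropped).

    A public name answering with an internal address is dropped regardless
    of TTL or of what earlier answers said, which is exactly the rebinding
    flip (public IP first, internal IP on re-query) that browser pinning
    tries to paper over on the client side."""
    kept, dropped = [], []
    local = in_local_zone(qname)
    for a in addresses:
        if not local and is_internal(a):
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


if __name__ == "__main__":
    # Constructed rebinding sequence: first answer public, re-query internal.
    for answer in (["203.0.113.5"], ["192.168.1.1"]):
        print("attacker.example ->", filter_answers("attacker.example.", answer))
    print("wiki.example.corp ->", filter_answers("wiki.example.corp.", ["10.1.2.3"]))
```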

