OpenDNS has added a new filtering option to its free DNS service to help protect against poisonous DNS rebinding attacks.
The new feature, which is turned “OFF” by default, is available to OpenDNS account holders to help filter out suspicious responses that contain data that might be malicious or otherwise unwanted.
When enabled, the new filtering option will filter out DNS responses containing IP addresses listed in RFC1918.
This helps to prevent DNS Rebinding attacks. For example, if badstuff.attacker.com points to 192.168.1.1, this option would filter out that response.
DNS rebinding attacks, a class of DNS vulnerabilities discussed ad nauseum by hacker Dan Kaminsky, subvert the same-origin policy and convert Web browsers into open network proxies. These attacks can be used to circumvent firewalls to access internal documents and penetrate VPNs to remotely hijack resources on the victim’s intranet.
OpenDNS founder David Ulevitch explains the new feature:
“These new filters are different from the filtering options we’ve offered to date in one important way. Rather than filtering based on the DNS question being asked (eg, “Where is foo.com?”) these filters inspect the DNS reply before we send it back to you (eg, “Does this reply point to an internal resource?”).“
OpenDNS, a venture-backed startup based in San Francisco, provides free DNS resolution for consumers and businesses as an alternative to using their Internet service provider’s DNS servers. The company makes money from an advertising deal with Yahoo that displays search results when a domain name that the user has entered is not valid.