On 3.6.2015 12:04, Florian Weimer wrote:
> On 06/02/2015 08:36 PM, Paul Wouters wrote:
>> On Tue, 2 Jun 2015, Simo Sorce wrote:
>>
>>>> and just because you have a local resolver firefox won't stop its
>>>> behavior
>>>
>>> It can, w/o a local resolver FF developers will definitely keep caching
>>> on their own, with a decent local resolver they can allow themselves to
>>> disable their own and go back to rely on the system one, perhaps.
>>
>> I don't think so. Firefox does that to avoid DNS rebinding attacks.
>
> It is somewhat questionable whether DNS rebinding vulnerabilities are,
> in fact, a problem which should be solved at the client side. But

Oh yes. DNS pinning in the browser is just a band-aid and not a proper solution.

I would argue that the DNS rebinding attack is caused by a generic lack of ingress filtering on multiple levels. We learned to filter IP packets on firewalls to make sure that packets with internal source addresses really come from interfaces connected to internal networks, and the very same principle should apply everywhere...

> Firefox certainly has some caching mechanisms intended to help against
> that (but I'm not sure how reliable they are in preventing the issue,
> e.g. if you use a web proxy).

-- 
Petr Spacek @ Red Hat
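
Added example, not part of the original message or of any project discussed in the thread: one way to read the ingress-filtering analogy for DNS is a resolver-side check that drops internal addresses from answers for names outside the internal zones. The network list, the zone name `corp.example.` and all function names are assumptions made for this sketch.

```python
import ipaddress

# Assumptions for this sketch (not from the thread): which networks count as
# internal, and which DNS zones are allowed to point into them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
INTERNAL_ZONES = ("corp.example.",)  # constructed zone name


def is_internal_addr(text):
    """True if the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(text)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address,
    # otherwise it would slip past the IPv4 ranges.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net
               for net in INTERNAL_NETS)


def in_internal_zone(qname):
    """True if qname is an internal zone or a name below one (label-aligned)."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def filter_answers(qname, addresses):
    """Split the A/AAAA data of one response into (accepted, dropped).

    Same rule as packet ingress filtering: internal addresses are only
    believed when they arrive for a name that belongs to an internal zone.
    """
    if in_internal_zone(qname):
        return list(addresses), []
    accepted, dropped = [], []
    for a in addresses:
        (dropped if is_internal_addr(a) else accepted).append(a)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample responses: (query name, addresses in the answer).
    for qname, addrs in [("www.external.example", ["203.0.113.7", "192.168.1.1"]),
                         ("wiki.corp.example", ["10.1.2.3"]),
                         ("notcorp.example", ["::ffff:127.0.0.1"])]:
        print(qname, filter_answers(qname, addrs))
```

Resolvers such as Unbound (`private-address`) and dnsmasq (`--stop-dns-rebind`) offer a check of this kind.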