BIND DNS server updates 9.11.18, 9.16.2 and 9.17.1

Corrective updates have been published for the stable branches of the BIND DNS server, 9.11.18 and 9.16.2, as well as for the experimental development branch, 9.17.1. The new releases fix a security problem: the protection against "DNS rebinding" attacks was ineffective when the server operated in forwarding mode (the "forwarders" block in the configuration), that is, when it passed queries on to upstream resolvers instead of resolving them itself. In addition, the memory used for DNSSEC signing statistics has been reduced: the number of keys tracked per zone is now limited to 4, which is sufficient in 99% of cases.
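The configuration in which the bug mattered, as an added illustration (this is not a fragment from the BIND release or its documentation): a named.conf that forwards all queries upstream and enables the two rebinding settings. Neither deny-answer-addresses nor deny-answer-aliases is set by default, so a server without them performs no rebinding filtering at all; with them set, the affected versions still did not apply the checks to answers that came back through forwarders. The forwarder addresses and the internal domain corp.example are placeholders.

```conf
options {
    // Upstream resolvers this server forwards to (placeholder addresses)
    forwarders { 203.0.113.53; 203.0.113.54; };
    forward only;

    // DNS rebinding defence: refuse answers from outside that map a name onto
    // internal address space (RFC 1918, loopback, IPv6 ULA and loopback) ...
    deny-answer-addresses {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        127.0.0.0/8;
        ::1/128;
        fd00::/8;
    } except-from { "corp.example"; };   // our own internal zone may resolve to private addresses

    // ... and answers that alias an outside name into the internal domain via CNAME/DNAME
    deny-answer-aliases { "corp.example"; } except-from { "corp.example"; };
};
```

Validate the syntax with named-checkconf before reloading. Note that the except-from lists are what keep the filter from breaking legitimate resolution of your own internal names; without them, any answer for an internal host would be rejected as well.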

The "DNS rebinding" technique allows an attacker, when a user opens a certain page in the browser, to establish a connection (for example over WebSocket) to a network service on the user's internal network that is not reachable directly from the Internet. To bypass the browser's same-origin policy, which stops a page from talking to hosts outside its own origin, the attacker does not change the host name but the address it resolves to: the attacker's authoritative DNS server is configured to return two IP addresses in turn. The first query is answered with the real IP address of the server hosting the page, and subsequent queries are answered with an address on the internal network (for example, 192.168.10.1).

The time to live (TTL) of the first response is set to the minimum value, so when the page is opened the browser resolves the host name to the attacker's real server and loads the page's content from there. JavaScript on that page waits until the TTL has expired and then issues another request to the same host name; the new lookup now resolves it to 192.168.10.1. Because the host name, and therefore the origin, has not changed, the browser permits the request, and the script gains access to a service on the local network in spite of the cross-origin restriction. Protection against such attacks in BIND consists of refusing answers from external servers that map a name onto addresses of the local internal network, or that alias it (via CNAME) into a local domain; this is controlled by the deny-answer-addresses and deny-answer-aliases settings. The present fix makes these checks apply to answers obtained through forwarders as well.
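To make the two halves of the paragraph concrete, here is an added Python model (written for this article, not code from BIND) that replays the attack sequence against a filter implementing the deny-answer-addresses / deny-answer-aliases logic: the attacker's nameserver answers once with the public address and afterwards with 192.168.10.1, and the filter accepts the first answer and rejects the second, as well as a CNAME pointing into the protected internal domain. The host names, addresses and the corp.example zone are constructed for the example, and the model simplifies one detail: it matches except-from against the query name only.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence


@dataclass(frozen=True)
class RR:
    """One answer-section record: owner name, type and rdata (constructed, not wire format)."""
    name: str
    rtype: str      # "A", "AAAA", "CNAME" or "DNAME"
    rdata: str
    ttl: int = 300


def _canon(name: str) -> str:
    return name.rstrip(".").lower()


def name_in_list(name: str, names: Iterable[str]) -> bool:
    """True if name equals, or is a subdomain of, any entry in names."""
    n = _canon(name)
    return any(n == _canon(e) or n.endswith("." + _canon(e)) for e in names)


class RebindingFilter:
    """Models what named does with deny-answer-addresses / deny-answer-aliases
    (each with an except-from list): an answer that maps a name onto a denied
    address range, or aliases it into a denied domain, is dropped as a whole.
    Simplification (assumption of this model): except-from is matched on the query name."""

    def __init__(self, deny_addresses: Sequence[str], addr_except_from: Sequence[str] = (),
                 deny_aliases: Sequence[str] = (), alias_except_from: Sequence[str] = ()):
        self.deny_nets = [ipaddress.ip_network(n) for n in deny_addresses]
        self.addr_except_from = tuple(addr_except_from)
        self.deny_aliases = tuple(deny_aliases)
        self.alias_except_from = tuple(alias_except_from)

    def check(self, qname: str, answer: Sequence[RR]) -> tuple[bool, str]:
        """Return (accepted, reason); a rejected answer is what the resolver turns into SERVFAIL."""
        addr_exempt = name_in_list(qname, self.addr_except_from)
        alias_exempt = name_in_list(qname, self.alias_except_from)
        for rr in answer:
            if rr.rtype in ("A", "AAAA") and not addr_exempt:
                addr = ipaddress.ip_address(rr.rdata)
                # "address in network" is False across IPv4/IPv6 families, so mixing the lists is safe
                for net in self.deny_nets:
                    if addr in net:
                        return False, f"{rr.name} -> {rr.rdata} lies in denied range {net}"
            elif rr.rtype in ("CNAME", "DNAME") and not alias_exempt:
                if name_in_list(rr.rdata, self.deny_aliases):
                    return False, f"{rr.name} aliases into denied domain via {rr.rdata}"
        return True, "accepted"


class AttackerNameserver:
    """Constructed stand-in for the attacker's authoritative server described above:
    the first answer is the real web host with a minimal TTL, every later answer
    for the same name is the victim's internal address."""

    def __init__(self, name: str, public_ip: str, internal_ip: str):
        self.name, self.public_ip, self.internal_ip = name, public_ip, internal_ip
        self.queries = 0

    def answer(self, qname: str) -> list[RR]:
        self.queries += 1
        if self.queries == 1:
            return [RR(qname, "A", self.public_ip, ttl=1)]   # short TTL forces an early re-query
        return [RR(qname, "A", self.internal_ip, ttl=1)]


def default_filter() -> RebindingFilter:
    # Mirrors a named.conf that denies RFC 1918, loopback and IPv6 ULA/loopback ranges
    # and lets the (assumed) internal zone corp.example resolve to private space.
    return RebindingFilter(
        deny_addresses=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                        "127.0.0.0/8", "::1/128", "fd00::/8"],
        addr_except_from=["corp.example"],
        deny_aliases=["corp.example"],
        alias_except_from=["corp.example"],
    )


def run_rebinding_scenario(flt: Optional[RebindingFilter] = None) -> list[tuple[bool, str]]:
    """Replay the lookups from the attack description through the filter (constructed hosts)."""
    flt = flt or default_filter()
    ns = AttackerNameserver("evil.example", "203.0.113.10", "192.168.10.1")
    results = []
    # 1st lookup at page load: public address, accepted
    results.append(flt.check("evil.example", ns.answer("evil.example")))
    # 2nd lookup after the TTL expires: now 192.168.10.1, rejected
    results.append(flt.check("evil.example", ns.answer("evil.example")))
    # alias variant: a CNAME into the protected local domain is rejected too
    results.append(flt.check("evil.example", [RR("evil.example", "CNAME", "router.corp.example.")]))
    # legitimate internal name: except-from lets it resolve to a private address
    results.append(flt.check("intranet.corp.example", [RR("intranet.corp.example", "A", "192.168.10.1")]))
    return results


if __name__ == "__main__":
    for ok, why in run_rebinding_scenario():
        print("ACCEPT  " if ok else "SERVFAIL", why)
```

The point the model makes is that the filter is applied to the answer, not to the query: the attacker's name is never blocked as such, only the attempt to bind it to an internal address or alias. In the affected BIND versions this check was skipped for answers arriving via forwarders, which is exactly the path a typical internal caching resolver uses.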

Source: opennet.ru
