On 23.06.2025 at 15:33:06, sebastian via mailop writes:
> They are implicitly trusted as you know they will not
> respond with fake DNS data in response to a malicious website. As opposed
> to someone linking in a 127.x.x.x record in their SPF which is impossible
> to anticipate.
You are mentioning *website* and *SPF* together. Do SPF records point to websites? Do browsers look up SPF records in DNS? What does one have to do with the other?

The solution has already been mentioned here. Obviously a separate resolver for a mail server (which is exempt from the firewall), and a separate one for client machines running browsers, solves the problem and is easy to implement. The best practice is that the mail server should have its own resolver anyway. In a resolver intended to be used by a mail server *only*, you don't have to worry about any "DNS rebinding" *at all*.

If you don't like that solution, pressure the firewall vendors to make them fully stateful with regard to DNS and remember that the particular host name appeared in an SPF record, so if a query is subsequently made for this host name, the firewall should not mess with the reply. But this will probably create other vulnerabilities that the attackers would want to exploit. The two-resolver solution does not.

-- 
Regards,
Jaroslaw Rafa
[email protected]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
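The two-resolver split described in the reply above, as an added configuration example that is not from the post or from the mailop list. It assumes Unbound as the resolver and the listening addresses shown, and it expresses the rebinding filter in the client-facing resolver's own configuration (Unbound's private-address option) rather than in a firewall rule; the mail-only resolver carries no such filter, so SPF terms that resolve to loopback or RFC 1918 addresses are returned unmodified and evaluated by the SPF policy instead of being silently dropped.

```conf
# ---- /etc/unbound/unbound-mail.conf  (assumed path) ----
# Resolver A: reachable only from the mail server itself.
# No private-address lines: answers containing 127.x.x.x or RFC 1918
# addresses pass through untouched, so the MTA's SPF "a:"/"mx:" lookups
# see exactly what the domain owner published.
server:
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # Plain recursion; nothing here rewrites or filters answer content.
    do-not-query-localhost: yes

# ---- /etc/unbound/unbound-clients.conf  (assumed path) ----
# Resolver B: serves workstations running browsers (assumed LAN 192.0.2.0/24).
# private-address strips loopback and private ranges from answers for public
# names, which is the DNS-rebinding protection the browsers need.
server:
    interface: 192.0.2.53
    port: 53
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse
    private-address: 127.0.0.0/8
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: ::1/128
    private-address: fd00::/8
    # Internal zones that legitimately resolve to private addresses
    # must be whitelisted, otherwise their answers are stripped too.
    private-domain: "corp.example"
```

Point the MTA's /etc/resolv.conf (or its own resolver setting) at 127.0.0.1 and hand 192.0.2.53 to clients via DHCP, so that neither population ever queries the other's resolver.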
