![]() ![]() Rather, the tool itself had a flaw that allowed anyone to probe the internal server that tool was running on by using 127.0.0.1. When they pointed that tool at 127.0.0.1 it wasn’t that the IP address 127.0.0.1 was exposed to the Internet. I read that article as well, and this is what happened: Someone was using an online tool that allowed you to point that tool to any IP address/hostname. In that article the attacker found that 127.0.0.1 was open to the internet. ![]() I was reading an article about Server-Side Request Forgery. That’s it! But what happened-as explained by that page you visited-was not a “hack” of every system in the world’s local “127.0.0.1” address, but rather a flaw on that one specific system itself.īut to further clarify this-and this tripped me up the way you worded it as well-when you state: Think of it as an alias so people don’t have to memorize piles of numbers (IPv4) or numbers and letters (IPv6). ![]() The domain name registrar has no care or concern about what pile of raw addresses you assign to a domain name.Īll a domain name is is simply a pointer that makes life easier. Anyone can assign any IP address to a domain name if they have control of that domain name. All you are paying for when you register a domain name is the domain name itself as well as the ability-read below-to assign an IP address to a domain name.īut then assigning an IP address to that domain name is a whole different process. One must simply pay the domain registrar, going trough the virtual “paperwork” and then, like magic, you have a domain name. “However, I'm still not sure how you can register an external domain to a local one.” Registering a domain name and assigning an IP address are two completely different and independent things.Īnyone can register any domain name for any reason you can even register a domain name without having a destination IP address in place. There are other answers that go into deeper detail, but the core of this question is really simple to answer: However, before you ask, this cannot be forbidden globally – pointing domain names to private addresses is still a perfectly legitimate use of DNS, and is used in practice in many networks. The protection feature just blocks answers which point to any local address. Some DNS resolvers actually already have a kind of filtering for such entries (called "DNS rebinding protection"), and they don't look for specific questions – they only look at the answer. Due to DNS data being distributed across many systems (sometimes even dynamically generated), you really cannot find them all, or even expect your results to remain accurate after just a few seconds.īut for security purposes, you don't need to find them all. No magic at all.Īt this point it should be clear that any domain owner can do this without any effort at all, so there is always a probability that other such domains exist at any given time. So when you type tracert ., it first asks DNS about the associated address gets the answer 127.0.0.1 and then behaves exactly as if you had ran tracert 127.0.0.1 instead. Whoever asks about now gets the answer "Oh, it's at 127.0.0.1." But to actually "point" a domain name somewhere – let's say to 127.0.0.1 – they add this line to its database:. So, when someone registers a domain name, they just gain the ability to edit those phonebook records. (You don't dial "Pizza Hut" on the phone you look up their phone number, and dial the number.) Just like a phone book, DNS merely tells you what the address is – but that's where its involvement ends. There is nothing that "binds" the domain to its address in the way that you imagine. I then found several more in these comments and elsewhere: lvh.meĪnd in similar questions on Stack Overflow. This is confusing as a tracert never even leaves the machine. However, I'm still not sure how you can register an external domain to a local one. Host file you can immediate start testing with a local URL. The victim then blocked 127.0.0.1, but because many other IPs and apparently also some domains are also resolved to to that, including the mysterious, he was able to bypass a weak text-based filter.Īre there others? (And how to find them?)Īpparently someone decided to register that domain in a funny way, for testing purposes: ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |