@AC
[1: On most networks, to lower the time it takes to get a response, you would want the same DNS to tell you where www.theregister.co.uk is as the one that tells you pinky is the network printer down the hall]
There is no issue with that.
Your DNS server will be authoritative for your local namespace (i.e. some poor bugger will have typed out all of the IP addrs and associated names in named.conf so names will be resolved immediately by your own DNS server).
That same DNS server can still resolve names out on the WAN as it usually does. theregister.co.uk, google.co.uk etc will all be cached locally presuming they pass the test (see below) and so will resolve quickly.
All you need to do is check the contents of the response before you pass it on to the client and cache it. You have four possibilities -
1. The response landed on your public interface, and the IP addr is routable. Good. Carry on as normal.
2. The response landed on your public interface, and the IP addr is not routable. Bad - bin it.
3. The response landed on your internal interface, and the IP addr is routable. Bad - bin it.
4. The response landed on your internal interface, and the IP addr is not routable. Good. Carry on as normal.
Those 4 simple rules (oh but were there 8...) allow you to segregate your LAN from the WAN and defeat DNS rebinding attacks for *ALL* applications. No need to wait on half a dozen different vendors patching their wares.
[2....]
Yes, you can print stuff on ONE guy's PC. That's my point - unless you're into industrial espionage (where it *is* a valid attack) then it has a very low return on investment. Would you rather log into one guy's router, change his DNS and wait a week or two for him to log into www.mybank.com or send a few million emails from www.netwest.com telling you to log in for special offers?
The phishing spam job is so much less effort for a decent return. As I pointed out above, whilst you are committing a DNS rebind attack no bugger else can look at your website as it resolves to non-routable addresses. You could partially get around this by hacking your DNS server to give the proper IP addr on first request, then iterating through non-routable addresses on subsequent requests, but given how few DNS servers service how many people's requests that is a very unreliable method. In short, this attack works on one person at a time.
You're totally right about alternative OSes though - it's a very useful attack if you want to spy on a competitor in a tender process, and either you don't know what OS/AV they use, or you know they are locked down and don't allow non-whitelisted .exes to be run. Rather than email a trojan, you can attack through their browser.
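The four-rule filter from the first half of the comment, written out as an added Python example (not code from the commenter or from any DNS server). It assumes the resolver tags each reply with the interface it arrived on ("public" or "internal"), treats "routable" as the `ipaddress` module's `is_global` (so RFC 1918, loopback, link-local and IPv6 ULA all count as non-routable), and goes one step further than the text: a reply carrying several answer records is dropped if any one of them fails the rule, so a mixed public/private answer set cannot slip a LAN address through.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample replies: (interface the reply arrived on, answer addresses).
SAMPLE_RESPONSES: List[Tuple[str, List[str]]] = [
    ("public", ["212.58.244.20"]),            # WAN reply, global address: keep (rule 1)
    ("public", ["192.168.1.10"]),             # WAN reply, private address: drop (rule 2)
    ("internal", ["10.0.0.7"]),               # LAN reply, private address: keep (rule 4)
    ("internal", ["8.8.8.8"]),                # LAN reply, global address: drop (rule 3)
    ("public", ["212.58.244.20", "fd00::1"]), # mixed answer set: one bad record sinks it
]


def is_routable(addr: str) -> bool:
    """Globally routable address? False for RFC 1918, loopback, link-local, ULA, etc."""
    return ipaddress.ip_address(addr).is_global


def accept_answer(interface: str, addr: str) -> bool:
    """Apply the comment's four rules to a single answer record."""
    routable = is_routable(addr)
    if interface == "public":
        return routable          # rules 1 and 2
    if interface == "internal":
        return not routable      # rules 3 and 4
    raise ValueError(f"unknown interface {interface!r}")


def accept_response(interface: str, addrs: Iterable[str]) -> bool:
    """Whole reply passes only if every answer record passes (assumption: all-or-nothing)."""
    return all(accept_answer(interface, a) for a in addrs)


def filter_responses(responses):
    """Split replies into those safe to cache/forward and those to bin."""
    accepted, dropped = [], []
    for iface, addrs in responses:
        (accepted if accept_response(iface, addrs) else dropped).append((iface, addrs))
    return accepted, dropped


if __name__ == "__main__":
    ok, binned = filter_responses(SAMPLE_RESPONSES)
    print("accepted:", ok)
    print("dropped:", binned)
```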