DNS rebinding

The attacker registers a domain (such as attacker.com) and delegates it to a DNS server that is under the attacker's control. The server is configured to respond with a very short time to live (TTL) record, preventing the DNS response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address of a server hosting the malicious client-side code. For instance, they could point the victim's browser to a website that contains malicious JavaScript or Flash scripts that are intended to execute on the victim's computer.

The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target somewhere else on the Internet.

Techniques attempting to prevent DNS rebinding attacks can broadly be divided in two categories:{{Cite web|url=https://crypto.stanford.edu/dns/dns-rebinding.pdf|title=Protecting Browsers from DNS Rebinding Attacks|last=|first=|date=November 2007|website=crypto.stanford.edu|archive-url=|archive-date=|access-date=2018-12-10}}{{Cite web|url=https://www.adambarth.com/papers/2009/jackson-barth-bortz-shao-boneh-tweb.pdf|title=Protecting Browsers from DNS Rebinding Attacks|last=|first=|date=January 2009|website=www.adambarth.com|archive-url=|archive-date=|access-date=2018-12-10}}{{Cite web|url=https://www.ptsecurity.com/upload/corporate/ww-en/download/DNS-rebinding.pdf|title=DNS REBINDING|last=|first=|date=2012|website=www.ptsecurity.com|archive-url=|archive-date=|access-date=2018-12-10}}{{Cite web|url=https://blog.trendmicro.com/trendlabs-security-intelligence/protecting-your-router-against-possibl-dns-rebinding-attacks/|title=Protecting Your Router Against Possible DNS Rebinding Attacks - TrendLabs Security Intelligence Blog|date=2010-08-04|website=blog.trendmicro.com|language=en-US|access-date=2018-12-10}}

• DNS servers in the chain can filter out private IP addresses and loopback IP addresses:
• External public DNS servers (e.g. OpenDNS) can implement DNS filtering.{{cite web

| archive-url=https://web.archive.org/web/20170814114237/https://umbrella.cisco.com/blog/2008/04/14/finally-a-real-solution-to-dns-rebinding-attacks/

| archive-date=2017-08-14

| url=https://umbrella.cisco.com/blog/2008/04/14/finally-a-real-solution-to-dns-rebinding-attacks/

| title=Finally, a real solution to DNS rebinding attacks

| first=David

| last=Ulevitch

| date=2008-04-14

| publisher=Cisco

| accessdate=2017-07-15}}

• Local system administrators can configure the organization's local nameserver(s) to block the resolution of external names into internal IP addresses. (This has the downside of allowing an attacker to map the internal address ranges in use.)
• A firewall (e.g. dnswall), in the gateway or in the local pc, can filter DNS replies that pass through it, discarding local addresses.{{GitHub|abortz/google-dnswall}}{{Cite web|url=https://www.netgate.com/docs/pfsense/dns/dns-rebinding-protections.html|title=Services — DNS — DNS Rebinding Protections {{!}} pfSense Documentation|website=www.netgate.com|access-date=2018-12-10}}

Note that DNS filtering conflicts with Domain Name System blocklist. RFC 5782{{ref RFC|5782}} standardizes the use of IP addresses beginning with 127, like 127.0.0.2, for such use. Normally, mail servers perform various queries of this kind, either according to local configuration or following external directives, such as the SPF's EXISTS mechanism. It is crucial for correctness, that mail servers don't utilize DNS servers that perform the above kind of filtering.

• Web browsers can resist DNS rebinding:
• Web browsers can implement DNS pinning:{{Cite web|url=https://www.usenix.org/system/files/conference/woot13/woot13-dai.pdf|title=FireDrill: Interactive DNS Rebinding|last=|first=|date=|website=www.usenix.org|archive-url=|archive-date=|access-date=2018-12-10}} the IP address is locked to the value received in the first DNS response. This technique may block some legitimate uses of Dynamic DNS, and may not work against all attacks. However, it is important to fail-safe (stop rendering) if the IP address does change, because using an IP address past the TTL expiration can open the opposite vulnerability when the IP address has legitimately changed and the expired IP address may now be controlled by an attacker.
• The NoScript extension for Firefox includes ABE, a firewall-like feature inside the browser which in its default configuration prevents attacks on the local network by preventing external webpages from accessing local IP addresses.
• Web servers can reject HTTP requests with an unrecognized Host header.

• DNS hijacking
• DNS spoofing

{{Reflist}}

• [https://crypto.stanford.edu/dns/ Protecting Browsers from DNS Rebinding Attacks] (2007)
• [https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html#goal_dns DNS hardening update] for Adobe Flash Player (2008)
• [http://download.oracle.com/sunalerts/1000033.1.html Security Sun Alert 200041] for the Sun JVM (2008-09-04)
• [https://vimeo.com/7907871 DNS Rebinding with Robert RSnake Hansen] (2009)

Category:Domain Name System

Category:Internet security

Category:Web security exploits