DNS rebinding

Last updated September 03, 2023

DNS rebinding is a method of manipulating resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network. In theory, the same-origin policy prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script. Comparing domain names is an essential part of enforcing this policy, so DNS rebinding circumvents this protection by abusing the Domain Name System (DNS).

This attack can be used to breach a private network by causing the victim's web browser to access computers at private IP addresses and return the results to the attacker. It can also be employed to use the victim machine for spamming, distributed denial-of-service attacks, or other malicious activities.

How DNS rebinding works

The attacker registers a domain (such as attacker.com) and delegates it to a DNS server that is under the attacker's control. The server is configured to respond with a very short time to live (TTL) record, preventing the DNS response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address of a server hosting the malicious client-side code. For instance, they could point the victim's browser to a website that contains malicious JavaScript or Flash scripts that are intended to execute on the victim's computer.

The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target somewhere else on the Internet.

Protection

The following techniques attempt to prevent DNS rebinding attacks:^[1]^[2]^[3]^[4]

DNS servers in the chain can filter out private IP addresses and loopback IP addresses:
- External public DNS servers (e.g. OpenDNS) can implement DNS filtering.^[5]
- Local system administrators can configure the organization's local nameserver(s) to block the resolution of external names into internal IP addresses. (This has the downside of allowing an attacker to map the internal address ranges in use.)
A firewall (e.g. dnswall), in the gateway or in the local pc, can filter DNS replies that pass through it, discarding local addresses.^[6]^[7]
Web browsers can resist DNS rebinding:
- Web browsers can implement DNS pinning:^[8] the IP address is locked to the value received in the first DNS response. This technique may block some legitimate uses of Dynamic DNS, and may not work against all attacks. However, it is important to fail-safe (stop rendering) if the IP address does change, because using an IP address past the TTL expiration can open the opposite vulnerability when the IP address has legitimately changed and the expired IP address may now be controlled by an attacker.
- The NoScript extension for Firefox includes ABE, a firewall-like feature inside the browser which in its default configuration prevents attacks on the local network by preventing external webpages from accessing local IP addresses.
Web servers can reject HTTP requests with an unrecognized Host header.

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and performance in the process.

In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is protected behind a firewall. The DMZ functions as a small, isolated network positioned between the Internet and the private network.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

Various anti-spam techniques are used to prevent email spam.

The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.

Ad blocking or ad filtering is a software capability for blocking or altering online advertising in a web browser, an application or a network. This may be done using browser extensions or other methods.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network through a process called encapsulation.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.

In computer networks, a reverse proxy is an application that sits in front of back-end applications and forwards client requests to those applications. Reverse proxies help increase scalability, performance, resilience and security. The resources returned to the client appear as if they originated from the web server itself.

In computing, the same-origin policy (SOP) is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM).

A UDP flood attack is a volumetric denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.

A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server for fetching a given URL.

<span class="mw-page-title-main">Zeroshell</span> Linux distribution

Zeroshell is a small open-source Linux distribution for servers and embedded systems which aims to provide network services. Its administration relies on a web-based graphical interface; no shell is needed to administer and configure it. Zeroshell is available as Live CD and CompactFlash images, and VMware virtual machines.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript fetch or XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

Domain Name System blocking, or DNS blocking / filtering is a strategy for making it difficult for users to locate specific domains or websites on the Internet. It was first introduced in 1997 as a means to block spam email from known malicious IP addresses.

A response policy zone (RPZ) is a mechanism to introduce a customized policy in Domain Name System servers, so that recursive resolvers return possibly modified results. By modifying a result, access to the corresponding host can be blocked.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.

References

↑ "Protecting Browsers from DNS Rebinding Attacks" (PDF). crypto.stanford.edu. November 2007. Retrieved 2018-12-10.
↑ "Protecting Browsers from DNS Rebinding Attacks" (PDF). www.adambarth.com. January 2009. Retrieved 2018-12-10.
↑ "DNS REBINDING" (PDF). www.ptsecurity.com. 2012. Retrieved 2018-12-10.
↑ "Protecting Your Router Against Possible DNS Rebinding Attacks - TrendLabs Security Intelligence Blog". blog.trendmicro.com. 2010-08-04. Retrieved 2018-12-10.
↑ Ulevitch, David (2008-04-14). "Finally, a real solution to DNS rebinding attacks". Cisco . Retrieved 2017-07-15.
↑ google-dnswall on GitHub
↑ "Services — DNS — DNS Rebinding Protections | pfSense Documentation". www.netgate.com. Retrieved 2018-12-10.
↑ "FireDrill: Interactive DNS Rebinding" (PDF). www.usenix.org. Retrieved 2018-12-10.

External links

Protecting Browsers from DNS Rebinding Attacks (2007)
DNS hardening update for Adobe Flash Player (2008)
Security Sun Alert 200041 for the Sun JVM (2008-09-04)
DNS Rebinding with Robert RSnake Hansen (2009)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Protecting Browsers from DNS Rebinding Attacks" (PDF). crypto.stanford.edu. November 2007. Retrieved 2018-12-10.

[2] "Protecting Browsers from DNS Rebinding Attacks" (PDF). www.adambarth.com. January 2009. Retrieved 2018-12-10.

[3] "DNS REBINDING" (PDF). www.ptsecurity.com. 2012. Retrieved 2018-12-10.

[4] "Protecting Your Router Against Possible DNS Rebinding Attacks - TrendLabs Security Intelligence Blog". blog.trendmicro.com. 2010-08-04. Retrieved 2018-12-10.

[5] Ulevitch, David (2008-04-14). "Finally, a real solution to DNS rebinding attacks". Cisco . Retrieved 2017-07-15.

[6] -dnswall on GitHub

[7] "Services — DNS — DNS Rebinding Protections | pfSense Documentation". www.netgate.com. Retrieved 2018-12-10.

[8] "FireDrill: Interactive DNS Rebinding" (PDF). www.usenix.org. Retrieved 2018-12-10.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]