DNS Rebinding: A Guide to Mitigation and Prevention Techniques

Author

Reads 7.9K

Person holding tablet with VPN connection screen for secure internet browsing.
Credit: pexels.com, Person holding tablet with VPN connection screen for secure internet browsing.

DNS rebinding is a clever attack technique used by hackers to bypass security measures.

This technique exploits the fact that DNS lookups are typically cached for a short period of time.

The attacker can use this to their advantage by rapidly changing the IP address of a domain and tricking the victim's browser into re-resolving the domain.

This can lead to the browser accessing internal IP addresses and sensitive information.

To mitigate this attack, it's essential to implement a DNS rebinding protection mechanism.

This can be achieved by limiting the frequency of DNS lookups or by blocking access to internal IP addresses.

In addition, keeping your browser and system up to date with the latest security patches is crucial.

What Is

DNS rebinding is a security vulnerability that allows a remote attacker to trick a web browser into communicating with a server it doesn't intend to. This is done by manipulating the Domain Name System (DNS) to change the IP address associated with a domain name, allowing the attacker to bypass network firewalls and access devices on a private home network.

Readers also liked: Network Domain

Credit: youtube.com, Dns Rebinding Attack

The browser's same-origin policy is designed to prevent web pages from making arbitrary requests to other domains without permission. However, DNS rebinding exploits this policy by tricking the browser into thinking it's communicating with the same domain when in fact it's accessing a different one.

Modern browsers use URLs to evaluate same-origin policy restrictions, not IP addresses. This means that if the IP address of a domain is changed, the browser will still consider it the same origin, allowing the attacker to access sensitive information.

A remote attacker can use DNS rebinding to gain full control of a victim's Ethereum account, as seen in the vulnerability found in the Ethereum Geth software. This can have serious consequences, including access to all of the victim's cryptocurrency.

By understanding how DNS rebinding works, we can better appreciate the importance of keeping our software up to date and being cautious when clicking on links from unknown sources.

If this caught your attention, see: IP Address Management

How it Works

Credit: youtube.com, DNS Rebinding Attack Demo

An attacker starts by controlling a malicious DNS server that answers queries for a domain.

The attacker tricks a user into loading the malicious domain in their browser, which makes a DNS request looking for the IP address of the domain. The attacker's DNS server responds with the real IP address, but sets the TTL value to 1 second so the victim's machine won't cache it for long.

The victim loads the web page from the malicious domain, which contains malicious JavaScript code that begins executing on the victim's web browser. The page makes repeated requests to the original domain name, which are permitted by the same-origin policy.

The attacker's DNS server responds with a new IP address, which can be an internal IP address or the IP address of a target somewhere else on the Internet. This allows the attacker to bypass network firewalls and make every device on the victim's protected intranet available to a remote attacker.

A different take: ISP Redirect Page

Credit: youtube.com, DNS Rebinding in 3 Seconds & Hijack Target Browser to Access Internal Network

Here's a step-by-step breakdown of the DNS rebinding process:

  1. The attacker controls a malicious DNS server that answers queries for a domain.
  2. The attacker tricks a user into loading the malicious domain in their browser.
  3. The victim's browser makes a DNS request looking for the IP address of the domain.
  4. The attacker's DNS server responds with the real IP address, but sets the TTL value to 1 second.
  5. The victim's browser makes repeated requests to the original domain name.
  6. The attacker's DNS server responds with a new IP address, which can be an internal IP address or the IP address of a target somewhere else on the Internet.

This allows the attacker to reach internal systems, like routers, printers, or internal APIs, without triggering cross-origin restrictions.

Mitigation

Mitigation is a crucial step in protecting against DNS rebinding attacks. Modern browsers may implement DNS pinning, which caches DNS results for a set time regardless of the TTL, blocking basic time-based rebinding attempts.

To further reduce exposure, configure DNS resolvers to block responses that return private, loopback, or non-routable IPs. This can be done by filtering DNS responses with private IPs. Also, monitor for CNAME chains that ultimately resolve to private IPs, as attackers may use this to bypass direct A-record filtering.

Using HTTPS for internal services can help validate server identities during connection setup, making rebinding less effective. Browsers will reject mismatched SSL handshakes, adding an extra layer of security.

Requiring authentication on internal services can stop attackers from interacting with the service, even if they reach it via DNS rebinding. Strong credentials add another barrier to entry, making it more difficult for attackers to succeed.

Readers also liked: Azure Private Resolver

Exploiting DNS Rebinding

Credit: youtube.com, DNS Rebinding with Robert RSnake Hansen

Exploiting DNS rebinding is a clever way attackers can access local network resources from the public internet. They can use a DNS rebinding attack to access a service from a specially crafted web site, even if it's only accessible locally.

To make it work, attackers need to know the port of the vulnerable application, which can be automated with Singularity. They'll create a malicious web page with multiple IFrames, each fetching a URL with the same port number as the attacked application.

This technique is often used with Deluge WebUI, which uses port 8112 by default. By crafting a malicious web page, attackers can bypass the same-origin policy and access the local service.

Attackers can also use a DNS rebinding attack to bypass CSRF protections. By rebinding the origin of a web page, they can read tokens embedded in pages and send valid requests to vulnerable APIs.

Here's a summary of the steps involved in a DNS rebinding attack:

  • Attackers create a malicious web page with multiple IFrames.
  • Each iframe fetches a URL with the same port number as the attacked application.
  • The attacker's DNS server responds alternately with the real IP address and a non-routable IP address (0.0.0.0).
  • The browser fetches a page with a script that waits for the DNS entry to expire.
  • Once the DNS entry expires, the browser sends requests to the real IP address, allowing attackers to access the local service.

This technique is powerful and can be used to access local network resources from the public internet. It's essential to understand how DNS rebinding works and take steps to prevent it.

Targeted Devices and Applications

Credit: youtube.com, Gerald Doussot - State of DNS Rebinding Attacks & Singularity of Origin - DEF CON 27 Conference

Many consumer-grade routers and smart devices are vulnerable to DNS rebinding attacks. These devices often run local web interfaces that can be reached from inside the network, but not from the public internet.

Default credentials or weak access controls are common among these devices, making them easy targets. Attackers can guess the default IP address and rebind their malicious domain to it.

Smart devices with web-based controls or open APIs are especially at risk, as they can be exploited to open admin panels, change DNS settings, or reroute traffic.

Additional reading: Nordvpn Smartdns

What's Vulnerable

As I dug deeper into the world of targeted devices and applications, I realized just how vulnerable they can be. Many smart home devices, including Google Home, Chromecast, Roku, Sonos WiFi speakers, and certain smart thermostats, can be hacked using DNS rebinding attacks.

These devices often have web-based controls or open APIs that can be exploited by attackers. In fact, every device I tested fell victim to DNS rebinding in one way or another, leading to information being leaked or even full device control.

Credit: youtube.com, Millions of Devices at Risk: Hackers Target Vulnerable Modems

The idea that the local network is a safe haven is a fallacy. If we continue to believe it, people are going to get hurt. I've been in contact with the vendors of these products, and all of them are working on or have already released security patches.

Some of the most interesting features of the API I used to target these devices include the ability to launch entertainment apps, play content, scan and join nearby WiFi networks, reboot, and even factory reset the device. Imagine a scenario where you're browsing the web and all of a sudden your Google Home factory resets.

Here are some examples of devices that can be targeted using DNS rebinding attacks:

  • Google Home
  • Chromecast
  • Roku
  • Sonos WiFi speakers
  • Certain smart thermostats

These devices often have weak access controls or default credentials that can be exploited by attackers. In fact, many routers still ship with UPnP servers enabled by default, which can be used to configure a router's DNS server, add & remove NAT and WAN port mappings, and more.

Accessing Enterprise Applications

Network cables as supply for work of system
Credit: pexels.com, Network cables as supply for work of system

Accessing Enterprise Applications can be a serious security risk, especially if internal segmentation and DNS protections are lacking.

Internal enterprise applications aren't always publicly accessible, but once an attacker can rebound the hostname to the internal IP, they can reach the page from a malicious domain.

This can lead to viewing cluster status or even killing jobs on the management page, which is a major problem in enterprise environments where admin portals control critical workflows.

Without strong internal segmentation and DNS protections, these interfaces become easy targets for attackers.

Zap's Ajax Spider

Zap's Ajax Spider is a powerful tool that can be used to discover content on a target website. It uses headless Firefox to browse the website, which can take up to an hour if there's enough content.

Zap's Ajax Spider can be used to bypass restrictions put in place by IMDSv2, allowing a malicious user to fully interact with the metadata service using JavaScript. This is because the AJAX spider can make a PUT request to the metadata service and read the response to get the token.

If this caught your attention, see: Dns Website Hosting

Credit: youtube.com, ZAP Deep Dive: Ajax Spider

The AJAX spider can be kept busy by filling a page with randomly generated hash links. This causes the spider to load the index page, click on the first five links, and then reload the index page and start again. It will do this until the one hour timeout is reached.

DNS rebinding attacks against browsers are well-documented, and using Zap's Ajax Spider provides a simpler technique for exploiting DNS rebinding. This is because the faster DNS rebinding techniques have become fiddly and unreliable with changes to browser behavior in the past few years.

Broaden your view: Internet Domain Name Index

Consequences and Response

DNS rebinding is a serious security issue that can have far-reaching consequences for individuals and organizations. It allows attackers to access internal systems, which can lead to unauthorized access to sensitive information, including credentials and customer records.

Data exfiltration is a significant concern, as attackers can extract sensitive information silently through the victim's own browser. This can happen without triggering standard security protections.

Broaden your view: Azure Linux Webapp Security

Credit: youtube.com, Gerald Doussot - State of DNS Rebinding Attacks & Singularity of Origin - DEF CON 27 Conference

Some internal web apps expose functionality via undocumented or legacy endpoints, which are often overlooked in standard vulnerability scans but may still be accessible via DNS rebinding. This can lead to service manipulation or abuse, including disabling security settings, restarting systems, or interrupting services.

Here are some of the potential consequences of DNS rebinding:

  • Data exfiltration
  • Service manipulation or abuse
  • Compromise of IoT and smart devices
  • Network reconnaissance
  • Compliance violations and regulatory risk
  • Reputational harm

These consequences can result in significant reputational harm, including the erosion of stakeholder trust. Customers may lose confidence in the organization's ability to protect data, and rebuilding that trust can take time and require significant public communication efforts.

Potential Consequences

As you can see, DNS rebinding is a serious security threat that can have far-reaching consequences.

Unauthorized access to internal systems is one of the most common outcomes, allowing attackers to reach devices and services inside a private network.

Data exfiltration is another significant risk, where attackers can extract sensitive information, including credentials, configuration data, or customer records.

Close-up of a modern security camera installed indoors, ideal for surveillance.
Credit: pexels.com, Close-up of a modern security camera installed indoors, ideal for surveillance.

Service manipulation or abuse is also possible, where attackers can reach internal applications and issue commands, potentially disabling security settings or restarting systems.

Bypassing CSRF protection is a particularly insidious effect, allowing attackers to capture dynamic tokens and reuse them in subsequent forged requests.

Compromise of IoT and smart devices is a growing concern, as these devices often expose local web services with limited authentication.

Network reconnaissance is also a threat, where attackers can use the victim's browser to probe internal networks and reveal available services and open ports.

Compliance violations and regulatory risk are also on the line, with organizations facing fines, audits, or sanctions under laws like GDPR or CCPA.

Reputational harm is a very real concern, as security incidents involving DNS rebinding can erode stakeholder trust and require significant public communication efforts to rebuild.

Here are some of the potential consequences of DNS rebinding in a concise table:

The Response: Caching

Browsers try to resist DNS rebinding by caching DNS responses, but this defense is far from perfect.

Security Logo
Credit: pexels.com, Security Logo

Some browsers have implemented Local Network Access, a new draft W3C specification, which closed some avenues for DNS rebinding, but still left some bypasses.

The 0.0.0.0 IP address on Linux and MacOS is one such bypass, allowing DNS rebinding behavior to vary greatly depending on the browser and operating system.

There are many layers involved in DNS caching, including browser DNS cache, OS DNS cache, and DNS nameservers, making the attack often considered unreliable.

Tools like Tavis Ormandy’s Simple DNS Rebinding Service and NCCGroup’s Singularity of Origin can automate attacks, making them a real threat despite their unreliability.

Tools and Techniques

A "malicious" DNS server called whonow has been created to help spread awareness of DNS rebinding attacks. It's a public server running on port 53 of rebind.network that responds to requests for *rebind.network domain names.

You can try querying the public whonow instance using dig, and it will respond with a TTL value of one second, ensuring its responses won't stay in a DNS resolver's cache for long.

Take a look at this: Googgle Dns

Credit: youtube.com, DNS Rebinding, XSS & 2FA SSH - Crossfit2 @ HackTheBox

The DNS Rebind Toolkit is a utility library that automates the process of executing DNS rebinding attacks. It uses a WebRTC IP address leak to discover the victim's local IP address.

Here are some of the key features of the DNS Rebind Toolkit:

You can launch an attack against a Google Home device on a 192.168.1.1/24 subnet by embedding a code snippet in an index.html page.

Prevention and Detection

To prevent DNS rebinding, use DNS lookup tools like dig to inspect whether a domain resolves to both public and private IP addresses. If the response alternates between external and internal IPs, it could indicate DNS rebinding.

Monitoring browser behavior is also key. Look for signs like repeated DNS queries to the same domain or unexpected requests to internal IP ranges. JavaScript errors related to cross-origin restrictions can also point to DNS rebinding in progress.

To detect DNS rebinding, scan DNS and network logs for patterns like frequent A record changes from a single domain. Tools like Zeek or Wireshark can help identify external sites attempting to reach private IPs through a victim browser.

See what others are reading: Azure Dns Ip

Credit: youtube.com, DNS Rebinding Attacks Explained - You are in DANGER!

Here are some specific signs to look out for in DNS logs:

  • Frequent DNS queries that alternate between public and private IPs from the same domain within a short time window.
  • DNS queries that only briefly show a public IP before switching to a private IP.
  • Unusual patterns of A record changes from a single domain.

Detection

Detection is key to preventing DNS rebinding attacks. To detect these attacks, you should use DNS lookup tools like dig to inspect whether a domain resolves to both public and private IP addresses.

Check for private IPs in DNS responses by using tools like dig. If the response alternates between external and internal IPs, it could indicate DNS rebinding.

Monitor browser behavior for signs like repeated DNS queries to the same domain or unexpected requests to internal IP ranges. JavaScript errors related to cross-origin restrictions can also point to DNS rebinding in progress.

Scan DNS and network logs for patterns such as frequent A record changes from a single domain. Tools like Zeek or Wireshark can help identify external sites attempting to reach private IPs through a victim browser.

Look for DNS queries that alternate between public and private IPs from the same domain within a short time window—especially when the public IP appears only briefly before switching. These short-lived records are often overlooked in coarse-grained log reviews.

Here are some signs to look out for in your DNS and network logs:

  • Frequent A record changes from a single domain
  • Repeated DNS queries to the same domain
  • Unexpected requests to internal IP ranges
  • DNS queries that alternate between public and private IPs

Prevention

Credit: youtube.com, Prevention v Detection: Why You Don’t have to Choose...

Prevention is key to avoiding the risks associated with DNS rebinding. Choose DNS services with rebinding protections, such as automatic blocking of responses that resolve external hostnames to internal IP addresses.

Some DNS solutions automatically block responses that resolve external hostnames to internal IP addresses. This is a crucial feature to look for when selecting a DNS provider. Tip: Choose DNS services that maintain contextual threat intelligence, like historical rebinding behavior or associations with known exploit kits, rather than relying solely on static IP blocklists.

Restricting JavaScript execution is another important step in preventing DNS rebinding attacks. This can be done by limiting where and how scripts can run in the browser.

Limiting JavaScript execution can reduce the ability of attacker-controlled websites to issue repeated DNS queries or execute rebinding payloads. By doing so, you're making it harder for attackers to exploit vulnerabilities.

Enforcing host header validation on servers is a simple yet effective way to prevent DNS rebinding attacks. This involves configuring internal web servers to reject requests with unexpected or unknown Host headers.

Three People Hacking a Computer System
Credit: pexels.com, Three People Hacking a Computer System

Here are some key steps you can take to enforce host header validation:

  • Configure internal web servers to reject requests with unexpected or unknown Host headers.
  • Ensure that your internal web servers are configured to only respond to requests with valid Host headers.

Segmenting your internal networks is another important step in preventing DNS rebinding attacks. By limiting which devices can talk to each other, you're making it harder for attackers to move laterally to sensitive areas of your network.

Segmenting your internal networks can prevent lateral movement to other sensitive areas, even if DNS rebinding grants access to a particular resource.

Frequently Asked Questions

What does DNS rebind do on a router?

DNS rebind attacks trick a browser into thinking an external domain is internal, allowing attackers to access internal network resources. This can happen when a router is compromised, putting your network at risk.

Dwayne Zboncak-Farrell

Senior Assigning Editor

Dwayne Zboncak-Farrell is a seasoned Assigning Editor with a keen eye for compelling content. With a strong background in research and writing, Dwayne has honed his skills in guiding projects from concept to completion. Their expertise spans a wide range of topics, including technology and software.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.