DNS rebinding

Hello,

DNS rebinding is a method of manipulating resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.

DNS rebinding establishes communication between the attacker’s server and a web application on an internal network through a browser. 

The follwoing two methods are use to mitigate this attack.

1- same-origin policy (SOP) 

Web browsers use the same-origin policy as a defense mechanism to restrict how websites from one origin can interact with other origins. The origin of a website is defined by the protocol (e.g., http://), domain (e.g., paloaltonetworks.com), and port (e.g., :80). For example, URLs A and B have the same origin, but URL C has a different origin.

A: http://www[.]example[.]com/index[.]html

B: http://www[.]example[.]com/news[.]html

C: https:///www[.]example[.]com/index[.]html (different protocol)

Websites with the same-origin policy restrict cross-policy interactions. Code (e.g., JavaScript) that originates from http://www[.]badactor[.]com/home.html and sends an HTTP request to http://www[.]yourname[.]com/news[.]html will be restricted. 

2- time to live (TTL)-

In a DNS system, time to live defines the amount of time in seconds that a record can be cached before a web server will re-query the DNS name server for a response. For example, a 300-second TLL keeps records for five minutes. After that, the records become stale and will not be used. TTL is usually set by the authoritative name server of a domain.

Hi @ Rumana

DNS rebinding is a method of manipulating resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network. In theory, the same-origin policy prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script. Comparing domain names is an essential part of enforcing this policy, so DNS rebinding circumvents this protection by abusing the Domain Name System (DNS).

This attack can be used to breach a private network by causing the victim's web browser to access computers at private IP addresses and return the results to the attacker. It can also be employed to use the victim machine for spamming, distributed denial-of-service attacks, or other malicious activities.

Protection

The following techniques attempt to prevent DNS rebinding attacks:

1. DNS servers in the chain can filter out private IP addresses and loopback IP addresses:

a. External public DNS servers (e.g. OpenDNS) can implement DNS filtering.

b. Local system administrators can configure the organization's local nameserver(s) to block the resolution of external names into internal IP addresses. (This has the downside of allowing an attacker to map the internal address ranges in use.)

2. A firewall (e.g. dnswall), in the gateway or in the local pc, can filter DNS replies that pass through it, discarding local addresses.[6][7]

3. Web browsers can resist DNS rebinding:

a. Web browsers can implement DNS pinning:[8] the IP address is locked to the value received in the first DNS response. This technique may block some legitimate uses of Dynamic DNS, and may not work against all attacks. However, it is important to fail-safe (stop rendering) if the IP address does change, because using an IP address past the TTL expiration can open the opposite vulnerability when the IP address has legitimately changed and the expired IP address may now be controlled by an attacker.

b. The NoScript extension for Firefox includes ABE, a firewall-like feature inside the browser which in its default configuration prevents attacks on the local network by preventing external webpages from accessing local IP addresses.

4. Web servers can reject HTTP requests with an unrecognized Host header.

I hope it helps!