Blog

Did you know? DNS rebinding exploits a weakness in browser's Same Origin Policy via malicious DNS requests to bind to local network resources allowing a malicious website to attack the victims internal network. 

In this blog post, we delve into the workings and impact of the DNS rebinding attack, including examples of how it can be exploited. Following this, we explore widely adopted countermeasures against this type of attack and discuss their shortcomings.

Let's get started:

Common Corporate Network Threats

Corporate private networks are intended to be isolated from the internet, preventing attackers from interacting with internal servers, and internal web applications such as network device management consoles. However, hackers have still found ways to take advantage of internal network resources from their external positions.

Some common methods of attack include phishing and spear phishing where attackers deliver content to socially engineer to individuals inside the network and have them execute their malicious payloads on behalf of the outside attacker, exploiting known vulnerabilities or misconfigurations in public facing assets to hack into the network, and using stolen credentials and password spraying attacks to get in - again through public facing applications such as VPNs and remote desktop services (RDP).

Another way that threat actors can pivot into an internal network is by using a technique called DNS rebinding that leverages the domain name system (DNS). DNS rebinding attacks leverage web pages that run a client-side script on victims to attack their own internal network resources.

What Are DNS Rebinding Attacks?

Fundamentally, DNS-binding attacks leverage malicious web pages to run the attacker's script client-side, on the victim's browsers to attack their own internal network resources. DNS rebinding attacks leverage how the Domain Name System (DNS) works in order to bypass a browser's same-origin policy designed to prevent websites from accessing resources and services hosted on the underlying system's internal network.

Therefore, DNS rebinding attacks can circumvent network security measures that rely on network perimeter defenses and exploit devices that are not directly accessible from the internet. This attack technique is especially dangerous when devices on the targeted local network are not properly secured - perhaps because the network administrators believe they are inaccessible to attackers.

What is Same Origin Policy?

In the context of a DNS rebinding attack, Same Origin Policy is a security measure that the attackers want to circumvent to gain access to internal network resources.  Same Origin Policy is implemented by browsers in order to prevent them from loading resources outside of the scope of the website's IP address or domain. 

Same Origin Policy using a combination of URI scheme, hostname and port to identify each resource (such as JavaScript, CSS, images) that a website loads. DNS rebinding attacks exploit the fact that hostnames are used to refer to the IP addresses and IP addresses are used for both internal and external internet resources.

How Do DNS Rebinding Attacks Work? 

There are several ways that DNS rebinding attacks can be executed by an attacker.  For simplicity, here we will explain DNS rebinding attacks where an attacker quickly swaps out their DNS A records while the victim is browsing their website.

Here is a description of the attack process: 

• Initial DNS Lookup: The attacker registers a domain, say example.com, and sets up a malicious website on it. When a victim visits this website, their browser makes a DNS request to resolve the domain name (example.com) to an IP address. This process is fundamental to how the internet works . The attacker's DNS server responds with the legitimate IP address of the attacker's server where the malicious website is hosted

• Execution of Malicious Script: The victim's browser loads the malicious website, which contains JavaScript (or other client-side scripts) designed to perform the next stage of the attack. This script's fundamental goal is to trick the browser into thinking that the attacker's hostname (example.com) should actually point to an internal network IP address so they can interact with internal network resources that would otherwise be inaccessible

• DNS Rebinding: The attacker controls their malicious hostname's DNS records and can point them to any IP address they chose using A (IPv4) and AAAA (IPv6) DNS records. In our example, the malicious script includes code that reaches out to the browser's configured DNS server again. However, by that time the attacker has changed the IP address that their DNS resolves to from the original IP address that points to example.com to an IP address within the reserved internal network ranges

• Bypassing Same-Origin Policy: At this point, the victim's computer can be further instructed to interact with the internal IP address without violating the Same-Origin Policy because as mentioned earlier the browser Same Origin Policy uses the hostname to determine what is in and out of scope and the domain name has not changed.  The browser is tricked into treating the internal resource as if it were part of the attacker's domain. This allows the malicious script to interact with internal network devices such as SOHO routers, printers, other computers on the network, and potentially even the localhost IP address 127.0.0.1, potentially interacting with services on the host computer that communicate via IP connections

• Attack Execution: The script can perform a wide range of attacks on internal network assets, such as changing settings on a router, stealing information from web services running on the internal network, or exploiting vulnerabilities in internal applications—all without the knowledge or consent of the victim

How to Mitigate the Threat of DNS Rebinding Attacks

The content outlines various mitigation strategies against DNS rebinding attacks, each with its technical explanation. These strategies represent a multi-layered approach to defending against DNS rebinding attacks, each addressing different aspects and stages of the attack but also facing its own set of limitations and challenges.

• Browser-based Mitigation: Modern browsers employ DNS pinning, keeping DNS resolution results in cache for a fixed period, ignoring the DNS TTL. This prevents attackers from changing the resolved IP address through frequent DNS requests. This method primarily blocks traditional time-varying attacks but can be bypassed by repeatedly sending requests until the cache expires or using multiple A-records attacks. Therefore, if the attacker can keep their website open in your browser long enough, the browser-based mitigation can be circumvented making it especially risky when watching long videos content on the attackers website

• DNS-based Mitigation: DNS services like OpenDNS reject DNS responses that point to private (RFC 1918) and loopback IP addresses. DNS caching solutions (Dnsmasq, Unbound) implement similar policies. Not all non-routable IP addresses are blocked, and CNAME records can be used to bypass this mitigation. False positives may block legitimate services that resolve to internal IP addresses

• Server-based Mitigation: Enabling HTTPS for private services and requiring correct domain validation for SSL certificates prevents attackers from establishing SSL connections. Authentication with strong credentials on private services adds another layer of protection. Depends on the internal services' developers, making it less scalable. Third-party applications in both home and enterprise environments pose challenges for network owners to enforce this protection

• Real-time DNS Rebinding Detection: Utilizes a sophisticated signature-based system that monitors DNS traffic to detect abnormal patterns indicative of DNS rebinding attacks. This system can identify malicious hostnames in real time and covers a wide variety of DNS rebinding attacks. High detection accuracy, prevention of false positives through the use of legitimate usage filters, and the ability to recognize attacks targeting both internal IP addresses and hostnames

Conclusion

DNS rebinding attacks exploit the domain name system (DNS) to bypass browser same-origin restrictions, allowing malicious websites to access and attack internal network resources that would otherwise be off limits. This technique manipulates DNS records to trick a victim's browser such that the attacker's domain is associated with an internal network IPs allowing unauthorized interactions with internal devices and services.

Mitigations include browser-based strategies like DNS pinning that offer initial defense layers by caching DNS information, but effective bypasses exist. DNS-based mitigations, such as filtering responses that point to private or loopback addresses, provide additional security, and Server-side defenses, including the adoption of HTTPS and strong authentication, directly protect internal services but require complex implementation. Lastly, real-time DNS rebinding detection systems are highly effective at identifying malicious DNS activity with high accuracy.

Ready to test if your organization is at risk of being targeted by a successful DNS rebinding attack? Reach out to our team today for your free, zero-obligation quote.