A lot of people have questions about the concept of DNS Rebinding attacks, and many of the overviews dive too deep into the details. Here’s a simple explanation that should help those having trouble getting it.
Here’s how it works.
- If you can get someone to make a request to a domain that you own, you can give them a DNS response that maps
host.domainto an IP address—say,
- If you set the TTL of that response really low—like 10 seconds—you force the system to constantly check again to see what the IP is for
- When this command is first sent, it’ll be sent to IP 126.96.36.199, because that was the initial IP address that you sent the victim for host.domain.
- When the client next updates the DNS record (in 10 seconds, because that’s what you set the TTL to), you then respond back with
192.168.1.1, so the victim’s browser then sends
- If the router is vulnerable to what you send (perhaps using default credentials or no credentials at all), it will update the DNS server of that router to point to the bad guy, which is probably you again.
- Repeat as desired to find the right IP internally, and/or to send different kinds of commands to different devices internally.
They don’t need to redirect to an internal IP, and could just as easily send you somewhere else on the internet to bypass the Same Origin Policy.
Basically, you have them request something from you, you give them take a short-TTL
It reminds me of what I speculated about in 2016, where one might use SSRF to do the same thing to exposed IoT device services.
What makes DNS Rebinding so interesting is that it takes advantage of two major features in the fundamental structure of the internet—which aren’t changing any time soon:
- The ability to set low TTLs on DNS responses so that you can constantly rotate the mapped IPs
Because the attack takes advantage of these fundamental components of the internet, the defenses are non-trivial. They generally include:
- Pinning IPs to names (so they can’t rotate).
- Don’t accept TTLs below a certain size (so they can’t rotate).
- Don’t accept DNS responses (for external domains) with private addresses (so they can’t rotate to internal resources).
- Likely others as well…
Stay safe out there.
- Image from Dark Web News.
- The Wikipedia article on DNS Rebinding.