DNS Rebinding Attacks Explained

A lot of people have questions about the concept of DNS Rebinding attacks, and many of the overviews dive too deep into the details. Here’s a simple explanation that should help those having trouble getting it.

DNS Rebinding lets you send commands to systems behind a victim’s firewall, as long as they’ve somehow come to a domain you own asking for a resource, and you’re able to run JavaScript in their browser.

Here’s how it works.

1. If you can get someone to make a request to a domain that you own, you can give them a DNS response that maps host.domain to an IP address—say, 1.2.3.4.

2. If you set the TTL of that response really low—like 10 seconds—you force the system to constantly check again to see what the IP is for host.domain.

3. If you know (or think) the victim has a given type of system on their internal network—like a router, or an IoT device—that you could control if you were on the same network, you can use a piece of malicious JavaScript running on their browser (because they came to your site) to make requests to that system, e.g., https://host.domain/set-dns-server?server=6.7.8.9.

4. When this command is first sent, it’ll be sent to IP 1.2.3.4, because that was the initial IP address that you sent the victim for host.domain.

5. When the client next updates the DNS record (in 10 seconds, because that’s what you set the TTL to), you then respond back with 192.168.1.1, so the victim’s browser then sends https://host.domain/set-dns-server?server=6.7.8.9 to 192.168.1.1!

6. If the router is vulnerable to what you send (perhaps using default credentials or no credentials at all), it will update the DNS server of that router to point to the bad guy, which is probably you again.

7. Repeat as desired to find the right IP internally, and/or to send different kinds of commands to different devices internally.

They don’t need to redirect to an internal IP, and could just as easily send you somewhere else on the internet to bypass the Same Origin Policy.

Basically, you have them request something from you, you give them take a short-TTL name-to-IP mapping, you inject some JavaScript in their browser that makes malicious requests, and then you change the IP via DNS update on your side to point to all the target IPs behind their firewall.

It reminds me of what I speculated about in 2016, where one might use SSRF to do the same thing to exposed IoT device services.

What makes DNS Rebinding so interesting is that it takes advantage of two major features in the fundamental structure of the internet—which aren’t changing any time soon:

1. The fact that visiting browsers run your JavaScript by default (including things like BeEF hooks), and…

2. The ability to set low TTLs on DNS responses so that you can constantly rotate the mapped IPs

Defenses

Because the attack takes advantage of these fundamental components of the internet, the defenses are non-trivial. They generally include:

1. Restrict the running of JavaScript (so the attacker can’t force requests).

2. Pinning IPs to names (so they can’t rotate).

3. Don’t accept TTLs below a certain size (so they can’t rotate).

4. Don’t accept DNS responses (for external domains) with private addresses (so they can’t rotate to internal resources).

5. Likely others as well…

Stay safe out there.

Notes

1. Image from Dark Web News.

2. The Wikipedia article on DNS Rebinding.

Related posts:

1. DNS Servers That Offer Privacy and Filtering

2. Why Aspiring Influencers Should Build Their Brands on Their Own Domains

3. So You Want to Start a Blog…

4. A Simple Explanation of the Differences Between Meltdown and Spectre