What Is DNS Rebinding?
DNS rebinding is a method of manipulating resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.
DNS rebinding establishes communication between the attacker’s server and a web application on an internal network through a browser. To explain how this works, let’s first look at two concepts: same-origin policy (SOP) and time to live (TTL).
How Attackers Use DNS to Steal Your Data
What Is Same-Origin Policy (SOP)?
Web browsers use the same-origin policy as a defense mechanism to restrict how websites from one origin can interact with other origins. The origin of a website is defined by the protocol (e.g., http://), domain (e.g., paloaltonetworks.com), and port (e.g., :80). For example, URLs A and B have the same origin, but URL C has a different origin.
C: https:///www[.]yourname[.]com/index[.]html (different protocol)
What Is Time to Live (TTL)?
In a DNS system, time to live defines the amount of time in seconds that a record can be cached before a web server will re-query the DNS name server for a response. For example, a 300-second TLL keeps records for five minutes. After that, the records become stale and will not be used. TTL is usually set by the authoritative name server of a domain.
How a DNS Rebinding Attack Bypasses the Same-Origin Policy
The goal of the DNS rebinding attack is to bypass the restrictions of the SOP. The attackers register the domain http://www[.]badactor[.]com and delegate it to a DNS server they control. Company Yourname Inc. hosts its intranet behind a firewall. Employees of Yourname Inc. can access an application on a company’s web server, whose IP is 220.127.116.11. Let’s assume an employee of Yourname Inc. is surfing the internet from a laptop or tablet inside the company’s network and clicks on www[.]badactor[.]com.
The DNS server controlled by the bad actor sends the correct IP address to the employee’s request but with a very short TTL to prevent the response from being cached. Remember, it’s the DNS server that sets the TTL policy. The employee’s browser downloads the page containing malicious code that binds the local IP address to the attacker’s DNS server. The domain www[.]badactor[.]com now points to 18.104.22.168, and because this IP is of the same origin, the attacker’s code can exfiltrate the company’s information and sensitive data.
The best mitigation against DNS rebinding attacks is at the DNS layer. To learn more, visit https://www.paloaltonetworks.com/network-security/dns-security.html.