Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated April 19)
Muddled Libra’s Evolution to the Cloud
It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
Network Security

What Is DNS Rebinding?

4 min. read

DNS rebinding is a method of manipulating resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.

DNS rebinding establishes communication between the attacker’s server and a web application on an internal network through a browser. To explain how this works, let’s first look at two concepts: same-origin policy (SOP) and time to live (TTL).

Related Video

How Attackers Use DNS to Steal Your Data

What Is Same-Origin Policy (SOP)?

Web browsers use the same-origin policy as a defense mechanism to restrict how websites from one origin can interact with other origins. The origin of a website is defined by the protocol (e.g., http://), domain (e.g., paloaltonetworks.com), and port (e.g., :80). For example, URLs A and B have the same origin, but URL C has a different origin.

  • A: http://www[.]yourname[.]com/index[.]html

  • B: http://www[.]yourname[.]com/news[.]html

  • C: https:///www[.]yourname[.]com/index[.]html (different protocol)

Websites with the same-origin policy restrict cross-policy interactions. Code (e.g., JavaScript) that originates from http://www[.]badactor[.]com/home.html and sends an HTTP request to http://www[.]yourname[.]com/news[.]html will be restricted. 

What Is Time to Live (TTL)?

In a DNS system, time to live defines the amount of time in seconds that a record can be cached before a web server will re-query the DNS name server for a response. For example, a 300-second TLL keeps records for five minutes. After that, the records become stale and will not be used. TTL is usually set by the authoritative name server of a domain.

How a DNS Rebinding Attack Bypasses the Same-Origin Policy

The goal of the DNS rebinding attack is to bypass the restrictions of the SOP. The attackers register the domain http://www[.]badactor[.]com and delegate it to a DNS server they control. Company Yourname Inc. hosts its intranet behind a firewall. Employees of Yourname Inc. can access an application on a company’s web server, whose IP is 60.6.6.60. Let’s assume an employee of Yourname Inc. is surfing the internet from a laptop or tablet inside the company’s network and clicks on www[.]badactor[.]com.

The DNS server controlled by the bad actor sends the correct IP address to the employee’s request but with a very short TTL to prevent the response from being cached. Remember, it’s the DNS server that sets the TTL policy. The employee’s browser downloads the page containing malicious code that binds the local IP address to the attacker’s DNS server. The domain www[.]badactor[.]com now points to 60.6.6.60, and because this IP is of the same origin, the attacker’s code can exfiltrate the company’s information and sensitive data. 

The best mitigation against DNS rebinding attacks is at the DNS layer. To learn more, visit https://www.paloaltonetworks.com/network-security/dns-security.html.

 

Related content

  • What is DNS?

    The domain name system (DNS) is a naming database which locates internet domain names and translates them into Internet Protocol (IP) addresses.

  • See the top DNS-Based attacks you should know about

    Learn how Palo Alto Networks DNS Security service protects your organization from the latest and most sophisticated DNS-layer threats.

  • See Palo Alto Networks DNS Security

    DNS Security uses inline deep learning to provide 40% more DNS-layer threat coverage and disrupt 85% of malware that abuses DNS for malicious activity.

  • Protect your DNS traffic against threats

    Get insight into how to regain control of your DNS traffic and learn best practicies to to stop threat actors from using DNS to attack your organization.

Get the latest news, invites to events, and threat alerts

Popular Resources

Legal Notices

Popular Links

Report a Vulnerability