Rebind protection is applied to a DNS query after it has been processed by all the security policy rules in the security policy. This means that if you need to allow legitimate public DNS queries to an FQDN that resolves to RFC1918 IP addresses, you can add that FQDN to a custom list and add the custom list to the security policy with an action of Allow - No Log. This permits the query to resolve without creating any security event log. You can set the security policy rule to Allow - With Log if you require a security event log. For example, dns.msftncsi.comis a domain used by Microsoft Windows 10 and later for network connectivity testing. It resolves to a public IPv4 address but a private IPv6 address and thus can produce a very large number of security events if Rebind protection is enabled.
In a DNS rebinding attack, the initial setup involves an attacker gaining control over a malicious DNS server that responds to queries for a specific domain. The attack progresses as the attacker uses phishing and other tactics to deceive the user into visiting the malicious domain, which triggers a DNS request for the associated IP address. Initially, the attacker's server provides a legitimate IP address but sets the time-to-live (TTL) for this DNS record to one second, preventing it from being cached.
...