In a DNS rebinding attack, the attacker first gains control of a malicious DNS server that responds to queries for a specific domain. The attacker then uses phishing and other tactics to deceive the user into visiting the malicious domain in their browser, which triggers a DNS request for the associated IP address. Initially, the attacker's server provides a legitimate IP address, but it sets the time-to-live (TTL) for this DNS record to one second, preventing it from being cached.

For subsequent DNS requests, the attacker replaces the original IP address with one that targets a resource on the victim’s local network, such as an internal server or device. This effectively bypasses the same-origin policy (SOP) restrictions within the victim's browser, allowing the attacker to execute harmful actions there. DNS rebinding attacks can be used to steal sensitive data, disrupt business operations, perform unauthorized activities, or set the stage for more extensive attacks. To combat such threats, enabling specific security settings can prevent DNS rebinding attacks. It is important to remember that DNS rebinding exploits the inherent trust browsers place in the Domain Name System and poses serious security risks if not addressed effectively.

Any public DNS request that reaches Infoblox Platform and resolves to a private IP address could be a sign of a DNS rebinding attack. If the "Block DNS Rebinding Attacks" option is enabled, Infoblox Platform responds with "No Error - No Data" for such DNS requests and removes the private IP addresses from the responses. This may result in a NODATA response if there are no other records included in the response.

Note: When the "Block DNS Rebinding Attacks" option is enabled in a security policy and it blocks a DNS response with a private IP, the security log in the Infoblox Security Activity report marks the query as blocked by the threat feed "private-ip", with threat class "Policy", threat property "Rebind", and action "Redirect".
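The filtering and logging behaviour described above can be sketched as follows. This is an added example, not Infoblox code: the function names, the record tuple layout, the log field keys, and the exact set of ranges treated as private (RFC 1918, loopback, link-local, IPv6 unique-local) are assumptions, and the sample responses are constructed.

```python
import ipaddress

# Assumed definition of "private"; the product's actual list may differ.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.5) is judged by its embedded IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)

def filter_response(qname, answers):
    """answers: list of (rtype, ttl, rdata) for a public name.
    Returns (rcode, kept_records, log_events)."""
    kept, events = [], []
    for rtype, ttl, rdata in answers:
        if rtype in ("A", "AAAA") and is_private(rdata):
            # Log values are the ones the page lists; the key names are hypothetical.
            events.append({"qname": qname, "rdata": rdata, "ttl": ttl,
                           "feed": "private-ip", "class": "Policy",
                           "property": "Rebind", "action": "Redirect"})
        else:
            kept.append((rtype, ttl, rdata))
    # NOERROR with an empty answer section is the NODATA case.
    return "NOERROR", kept, events

# Constructed sample: the same name answered twice, one second apart.
QNAME = "rebind.example.test"
FIRST = [("A", 1, "203.0.113.10")]    # initial public answer, TTL 1
SECOND = [("A", 1, "192.168.1.1")]    # rebound answer pointing at the LAN
MIXED = [("A", 1, "203.0.113.10"), ("AAAA", 1, "::ffff:10.0.0.5")]

if __name__ == "__main__":
    for label, resp in (("first", FIRST), ("second", SECOND), ("mixed", MIXED)):
        rcode, kept, events = filter_response(QNAME, resp)
        print(label, rcode, kept or "NODATA", events)
```

The second response comes back as NOERROR with no records (NODATA), while the mixed response keeps its public record and loses only the private one.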