In a DNS rebinding attack, the initial setup involves an attacker gaining control over a malicious DNS server that responds to queries for a specific domain. The attack progresses as the attacker uses phishing and other tactics to deceive the user into visiting the malicious domain, which triggers a DNS request for the associated IP address. Initially, the attacker's server provides a legitimate IP address but sets the time-to-live (TTL) for this DNS record to one second, preventing it from being cached.
Subsequently, any further DNS requests are manipulated by replacing the original IP address with one that targets a resource on the victim’s local network, such as an internal server or device. This action effectively bypasses the same-origin policy (SOP) restrictions within the victim's browser, allowing the attacker to execute harmful actions like stealing sensitive data, disrupting business operations, and setting the stage for more extensive attacks. To combat such threats, enabling specific security settings can prevent DNS rebinding attacks. It is important to remember that DNS rebinding exploits the inherent trust browsers place in the Domain Name System and poses serious security risks if not addressed effectively.
Any public DNS request that reaches Infoblox Platform and resolves to a private IP address could be a sign of a DNS rebinding attack. If the option Block DNS Rebinding attacks is enabled, Infoblox Platform will respond with "No Error - No Data" for such DNS requests, and Infoblox will remove the private IP addresses from the responses. This may result in a NODATA response if there are no other records included in the response.
Informed the SA about “private-ip” which does not have a Threat Class assigned and the "Block DNS Rebinding Attacks" option that blocks them.
Logging "Private-IP" in Security Activity Reports
Please note the following regarding "Private-IP" in Security Activity reports:
"Private-IP" does not have a threat class assigned to it in the Security Activity report.
The Block DNS Rebinding Attacks option is not available for blocking "Private-IP.