Blocking DNS Rebind Attacks
- Gary Leicht
In a DNS rebinding attack, the initial setup involves an attacker gaining control over a malicious DNS server that responds to queries for a specific domain. The attack progresses as the attacker uses tactics like phishing to deceive the user into visiting the malicious domain, which triggers a DNS request for the associated IP address. Initially, the attacker's server provides a legitimate IP address but sets the time-to-live (TTL) for this DNS record to one second, preventing it from being cached. Subsequently, any further DNS requests are manipulated by replacing the original IP address with one that targets a resource on the victim’s local network, such as an internal server or device.
This action effectively bypasses the same-origin policy (SOP) restrictions within the victim's browser, allowing the attacker to execute harmful actions like stealing sensitive data, disrupting business operations, or setting the stage for more extensive attacks. To combat such threats, enabling specific security settings can prevent DNS rebinding attacks. It's important to remember that DNS rebinding exploits the inherent trust browsers place in the Domain Name System, posing serious security risks if not addressed effectively.
Any public DNS request reaching Infoblox Platform that resolves to a private IP address, could be a sign of a DNS rebinding attack. If the option - "Block DNS Rebinding attacks" is enabled, Infoblox Platform would respond with "No Error - No Data" response for such DNS requests. In this scenario, Infoblox removes the private IP addresses from the responses. This may result in a NODATA response if there are no other records included in the response.
Â
Â