DNS rebinding is a type of cyberattack that leverages the Domain Name System (DNS) to run malicious JavaScript and attack devices on a user’s private network. In a DNS rebinding attack, hackers trick the victim’s browser into running a client-side script that attacks machines on the victim’s private network that are not exposed to the public internet. These attacks also establish communication between the attacker’s server and a web application on the victim’s network, typically for running malware or facilitating other malicious acts.
What is DNS?
As the phone book of the internet, the Domain Name System is essential to enabling users, devices, and applications to quickly load web pages or contact other computers. DNS services translate human-readable domain names like example.com into machine-usable IP addresses like 2600:1401:4000:5b1::b63. Without DNS, users would need to remember long strings of numbers every time they wanted to navigate to a website.
How does DNS work?
When a user enters the name of the website into a browser or clicks on a link, a DNS query (or DNS request) is created to identify the corresponding IP address. The request goes first to a DNS nameserver called a recursive server or resolver, which may resolve the request by pulling DNS information from data stored in cache based on responses to previous requests. If the records are not stored in the DNS cache, the DNS resolver forwards the request to other nameservers and eventually to an authoritative DNS server that holds the official DNS record for the domain. Once the recursive server locates the information, it forwards the DNS response and IP address to the user’s device, which accurately loads the appropriate web page or resource.
Why do attackers target DNS?
The DNS system has been a frequent target of attacks for three simple reasons: it is involved in nearly every aspect of web activity, the original protocol has no built-in authentication or integrity protection, and DNS traffic is generally allowed to flow through firewalls without inspection.
How does DNS rebinding work?
DNS rebinding attacks are designed to work around the restrictions of the same-origin policy (SOP). This browser security feature prevents a web page loaded from one origin from interacting with, or making requests to, resources from another origin without explicit permission. For example, if a user clicks on a malicious link on a website, the SOP prevents the malicious web page from making an HTTP request to the user’s bank website and using a logged-in session to drain the funds from a savings account.
In a DNS rebinding attack, attackers first take control of a DNS server that answers queries for a domain they own, for example, example.com. The attacker then uses techniques like phishing to trick the user into loading the malicious domain in their browser, which makes a DNS request for the IP address of example.com. The attacker’s server initially responds with example.com’s real IP address, but sets the time-to-live (TTL) value to one second so that the DNS record will not remain in cache for long. On subsequent requests for DNS records, the attacker substitutes the IP address of a resource within the victim’s own local network. Because the browser still treats the page as belonging to the origin example.com, the script’s requests to example.com are now delivered to the internal host, circumventing SOP restrictions and allowing the attacker to execute malicious actions through the browser. DNS rebinding attacks may be used to exfiltrate sensitive information, disrupt businesses, perform unauthorized actions, or lay the groundwork for larger attacks.
What’s the most effective DNS rebind protection?
To improve cybersecurity and achieve DNS rebinding protection, IT and security teams can:
- Restrict the running of JavaScript so that attackers can’t force requests.
- Use DNS pinning to force browsers to cache the DNS resolution results for a fixed period of time regardless of the TTL value within DNS records. This prevents malicious websites from rebinding host names by making repeated DNS requests within a short period of time.
- Implement HTTPS communication on all private services. Since the HTTPS handshake validates the SSL/TLS certificate against the domain name the browser requested, an internal service’s certificate will not match the attacker’s domain, so the attacking scripts won’t be able to establish SSL/TLS connections to target services during a rebinding attack.
- Choose a DNS security provider that offers real-time protection by enforcing sophisticated signatures that recognize abnormal DNS query patterns and capture the indicators of compromise (IOCs) of known rebinding attacks.
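The rebinding sequence described above (a public answer with a one-second TTL followed by an internal address for the same name) and the resolver-side pinning/filtering mitigation can both be illustrated with a small Python script. This is an added example, not Akamai’s code: the log format, the `INTERNAL_ALLOWLIST` set, and the sample addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed resolver log (hypothetical format): "epoch_seconds qname answer_ip ttl".
# The first two lines show the rebinding pattern: a public answer with TTL 1,
# then the same name answered with an RFC 1918 address a few seconds later.
SAMPLE_LOG = """\
1700000000 example.com 2600:1401:4000:5b1::b63 1
1700000003 example.com 192.168.1.20 1
1700000005 www.example.net 93.184.216.34 300
1700000010 intranet.corp.local 10.0.0.7 60
"""

# Names that legitimately resolve to internal addresses (assumed allowlist).
INTERNAL_ALLOWLIST = {"intranet.corp.local"}


def is_internal(ip: str) -> bool:
    """True for RFC 1918 / ULA, loopback, link-local and unspecified addresses,
    which a public hostname should never legitimately resolve to."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


def filter_answer(qname: str, ip: str) -> bool:
    """Resolver-side rebind protection: accept an answer only if it does not map
    a public name onto an internal address (allowlisted names are exempt)."""
    if qname in INTERNAL_ALLOWLIST:
        return True
    return not is_internal(ip)


def detect_rebinding(log_text: str, window: int = 60):
    """Detection over resolver logs: flag names whose answers flip from a public
    to an internal address within `window` seconds.
    Returns a list of (qname, public_ip, internal_ip, ttl_of_internal_answer)."""
    last_public = {}  # qname -> (timestamp, public ip)
    findings = []
    for line in log_text.splitlines():
        ts, qname, ip, ttl = line.split()
        ts, ttl = int(ts), int(ttl)
        if qname in INTERNAL_ALLOWLIST:
            continue
        if is_internal(ip):
            prev = last_public.get(qname)
            if prev and ts - prev[0] <= window:
                findings.append((qname, prev[1], ip, ttl))
        else:
            last_public[qname] = (ts, ip)
    return findings


if __name__ == "__main__":
    for finding in detect_rebinding(SAMPLE_LOG):
        print("possible DNS rebinding:", finding)
```

`filter_answer` is the policy a filtering resolver applies per answer; `detect_rebinding` is the after-the-fact check a SOC can run over resolver logs.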