
I'm looking into protecting against DNS rebinding attacks in-depth. Naturally, using HTTPS and making sure anything else validates the Host header does a good job at protecting from DNS rebinding attacks, but I really feel this is something that could be stopped at the door, so to speak.

For those who are not aware, a simple DNS rebinding attack is when a DNS server returns two records for a domain, one legit external IP and one internal IP (there are more advanced attacks). Using a couple of tricks you can get the browser to send internal HTTP requests and exfiltrate the responses.

I would have expected that filtering out internal IPs from external DNS responses should already be a default, or at least something that can be done. But I've googled extensively and can't find any info on configuring this with Windows DNS Server.

It seems other DNS servers, like BIND, handle this readily.

Is there any way I can filter out or block external DNS responses that contain an internal IP address using Microsoft DNS?

(ps: I'm new here, if this isn't the appropriate stack site for this question please let me know).

mzhaase

Juicy

1 Answer


The closest thing in Windows (w/o 3rd-party) is DNS filters, but it will be available only in Server 2016.

You can either turn to 3rd-party DNS servers, as you suggested, or use some detection method instead.

EliadTech
  • Thanks for the answer! I've taken a look at the new filter issues for 2016, but can't see the filter rules that you would use in this case to filter out these attacks? Do you have any insights? – Juicy Sep 26 '16 at 14:07
  • You're welcome. As I said, it's the closest that Microsoft has to offer. But it's the technical preview; maybe in the production version they'll add such functionality. 3rd-party seems your only option at the moment. – EliadTech Sep 26 '16 at 15:03
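The check the question asks for (drop or flag an answer in which an external name resolves to a private, loopback or link-local address) and the "detection method" the answer suggests are the same logic, so here is one added example of it, written by the editor rather than taken from the question, the answer, or Microsoft DNS. It parses a DNS response in wire format from the standard library alone and reports the records that look like rebinding. It is the kind of thing you would run in a resolver front-end or over captured DNS traffic, not a Windows DNS setting; the zone name in `INTERNAL_ZONES` and the constructed responses used for the demonstration are assumptions, not values from the page.

```python
"""Flag DNS answers in which a non-internal name resolves to an internal address.

Added example (not from the question or answer). Uses only the standard library.
"""
import ipaddress
import struct

# Zones where internal addresses are legitimate answers. Assumed placeholder name;
# replace with the zones your own DNS server is authoritative for.
INTERNAL_ZONES = ("corp.example.internal",)


def _read_name(msg, offset):
    """Decode a wire-format name at `offset`, following compression pointers.

    Returns (name, offset_after_name). The returned offset is the position after
    the first pointer encountered, which is where the caller continues parsing.
    """
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end


def parse_answers(msg):
    """Return [(owner_name, ip_address)] for the A/AAAA records in the answer section."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:      # A
            records.append((name, ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlength == 16:  # AAAA
            records.append((name, ipaddress.IPv6Address(rdata)))
    return records


def is_internal(ip):
    """RFC 1918 / ULA, loopback, link-local and unspecified addresses count as internal."""
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def in_internal_zone(name):
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def rebinding_answers(msg):
    """Answers that should be rejected: internal address, owner name outside internal zones."""
    return [(n, ip) for n, ip in parse_answers(msg)
            if is_internal(ip) and not in_internal_zone(n)]


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(qname, addrs, ttl=1):
    """Constructed sample input: a minimal response with one A/AAAA answer per address.

    Owner names in the answer section are compression pointers to the question name,
    so the parser's pointer handling is exercised.
    """
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rtype = 1 if ip.version == 4 else 28
        answers += struct.pack("!H", 0xC00C)  # pointer to offset 12 (the question name)
        answers += struct.pack("!HHIH", rtype, 1, ttl, len(ip.packed)) + ip.packed
    return header + question + answers


if __name__ == "__main__":
    # The pattern described in the question: one legitimate external IP plus one internal IP.
    sample = build_response("attacker.example", ["93.184.216.34", "192.168.1.10"])
    for name, ip in rebinding_answers(sample):
        print(f"reject: {name} -> {ip}")
```

The filter only looks at where an answer points, not at TTLs or query patterns, so it is a first gate rather than a complete defence; it deliberately leaves answers inside your own internal zones alone, because those are exactly the names that are supposed to resolve to private addresses. Validating the Host header in the internal services, as the question already notes, remains the layer that holds when a response slips past the resolver.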