
Protection Bypasses

sanktjodel edited this page Aug 23, 2019 · 1 revision

DNS Rebinding Protection Bypasses

There are products and services that advertise complete protection against DNS rebinding attacks. Singularity can bypass all known DNS rebinding protections. This page explains how the common DNS rebinding protections work and how you can use Singularity to bypass each of them.

Common DNS Protections

Most DNS rebinding protections are implemented at the perimeter, where DNS responses enter the internal network: responses containing unwanted IP addresses are dropped. The most common form is to block the private address ranges defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Some tools additionally allow blocking loopback (127.0.0.0/8), other local (internal) network ranges, or the "this network" range 0.0.0.0/8.

The Dnsmasq and Unbound open source DNS servers are very popular and are embedded in many widely used products such as the pfSense firewall, the OpenWRT embedded operating system, and some home routers from FRITZ!Box or ASUS. There are also free DNS services such as Cisco's OpenDNS, which has a setting to block internal IP addresses in responses. Most tools or services that can block DNS rebinding attacks do not enable the protection by default; only pfSense and Google Home seem to enable it by default.

Dnsmasq

Dnsmasq has a configuration setting that rejects private IP ranges in upstream answers (--stop-dns-rebind). It blocks RFC 1918 addresses, 0.0.0.0/8, and 127.0.0.0/8. It does not block a CNAME pointing at 'localhost'. This setting is not enabled by default.
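The weak (default) and hardened dnsmasq settings side by side, as an added example for this page rather than a configuration shipped with Singularity or dnsmasq. The internal zone name internal.corp.com is an assumption; replace it with the zones that legitimately resolve to private addresses in your network.

```conf
# dnsmasq.conf fragment (added example). By default the rebinding check is
# absent, so upstream answers carrying private addresses are relayed unchanged:
#stop-dns-rebind

# Hardened: reject (and log) upstream answers containing RFC 1918,
# 0.0.0.0/8 or 127.0.0.0/8 addresses.
stop-dns-rebind

# Do NOT set this: it exempts 127.0.0.0/8 from the check, re-opening the
# loopback case. Leave it commented unless you depend on RBL-style services
# that answer with 127.x.x.x.
#rebind-localhost-ok

# Internal zones that are allowed to contain private addresses (assumed name).
# Keep this list as short as possible: a CNAME from an attacker-controlled
# name into one of these zones is exactly what bypass #2 below relies on.
rebind-domain-ok=/internal.corp.com/
```

Note that stop-dns-rebind inspects addresses only. The CNAME to 'localhost' shown in bypass #2a still passes, because dnsmasq answers 'localhost' from /etc/hosts, not from an upstream reply.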

Unbound

Unbound has a configuration parameter called private-address that lists the internal IP address ranges to be removed from answers. As usually deployed it does not block 0.0.0.0, 127.0.0.1, or 'localhost'. No private address ranges are configured by default.
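The corresponding Unbound configuration, as an added example for this page and not a file shipped with Singularity or Unbound. The first three lines are the RFC 1918 set that deployments usually stop at; the following lines close the gaps this page exploits. The internal zone name internal.corp.com is an assumption.

```conf
# unbound.conf fragment (added example). Default: no private-address lines,
# so nothing is filtered.
server:
    # The usual RFC 1918 set; on its own it leaves 0.0.0.0 and 127.0.0.1 open.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # Hardened: also strip loopback, "this network" and the IPv6 equivalents
    # (loopback, unique-local, link-local, IPv4-mapped).
    private-address: 127.0.0.0/8
    private-address: 0.0.0.0/8
    private-address: ::1/128
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96

    # Internal zone whose names may legitimately carry private addresses
    # (assumed name). Every zone listed here is a CNAME target an attacker
    # can point at, so list only what you need.
    private-domain: "internal.corp.com"
```

Even with 127.0.0.0/8 listed, the CNAME to 'localhost' in bypass #2a is not caught: Unbound serves 'localhost' from its built-in local zone, and private-address is applied to upstream answers.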

DNS Rebinding Protection Bypass #1: 0.0.0.0

We can use the IP address 0.0.0.0 to reach services listening on localhost (127.0.0.1), bypassing filters that block DNS responses containing 127.0.0.1 or 127.0.0.0/8.

According to Wikipedia, "0.0.0.0 is a non-routable meta-address used to designate an invalid, unknown or non-applicable target". In practice, connecting to 0.0.0.0 on Linux and macOS reaches the local host, so a response of 0.0.0.0 bypasses protections that only block 127.0.0.1 or 127.0.0.0/8. Windows does not treat 0.0.0.0 this way; connections to it fail, so this bypass applies to Linux and macOS targets.

This is how we can use Singularity to rebind to the 0.0.0.0 IP address (note the TTL of 0 in the answer, which keeps the client from caching the first response):

$ dig s-1.2.3.4-0.0.0.0-474794-fs-e.d.rebind.it
;; QUESTION SECTION:
;s-1.2.3.4-0.0.0.0-474794-fs-e.d.rebind.it. IN A
;; ANSWER SECTION:
s-1.2.3.4-0.0.0.0-474794-fs-e.d.rebind.it. 0 IN A 0.0.0.0

Note: At some point Chrome removed support for 0.0.0.0 and then re-introduced it: https://bugs.chromium.org/p/chromium/issues/detail?id=428046

DNS Rebinding Protection Bypass #2: CNAME

What if the DNS protection solution blocks all internal IP addresses? We can use DNS CNAME records to bypass filters that block DNS responses containing private IP addresses. A Canonical Name (CNAME) record maps one domain name to another. Instead of answering with an internal IP address, Singularity returns a CNAME pointing at an internal hostname (e.g. wiki.nccgroup.com or jenkins.internal.corp.com). The response contains no IP address at all, so address-based filters let it through, and the local, internal DNS server then resolves the CNAME target to its private address.

This is how we can use Singularity to rebind to a CNAME:

$ dig s-1.2.3.4-wiki.nccgroup.com-123-fs-e.d.rebind.it
;; QUESTION SECTION:
;s-1.2.3.4-wiki.nccgroup.com-123-fs-e.d.rebind.it. IN A
;; ANSWER SECTION:
s-1.2.3.4-wiki.nccgroup.com-123-fs-e.d.rebind.it. 9 IN CNAME wiki.nccgroup.com.

DNS Rebinding Protection Bypass #2a: localhost

The third bypass technique is a variation of bypass #2. We can return "localhost" as a DNS CNAME target to bypass filters that block DNS responses containing 127.0.0.1. This was successfully tested with Firefox and Chrome on Linux and macOS. localhost is the conventional hostname for the local machine; internal resolvers typically answer it from local data (for example /etc/hosts or a built-in zone) rather than from an upstream DNS answer, so an address-based filter never sees a 127.0.0.1 record to block.

This is how we can use Singularity to rebind to the localhost CNAME:

$ dig s-1.2.3.4-localhost-123-fs-e.d.rebind.it
;; QUESTION SECTION:
;s-1.2.3.4-localhost-123-fs-e.d.rebind.it. IN A
;; ANSWER SECTION:
s-1.2.3.4-localhost-123-fs-e.d.rebind.it. 0 IN CNAME localhost.
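To make concrete why the three bypasses above (0.0.0.0, CNAME to an internal name, CNAME to localhost) get past an address-based perimeter filter, here is a small model of such a filter run against the exact records shown in the dig output on this page, beside a stricter variant that also inspects CNAME targets. This is an added example for this page: it is not Singularity's code, nor the filtering code of dnsmasq or Unbound. The record tuples are constructed from the dig output above (plus a public 1.2.3.4 answer, a plain 10.0.0.5 answer and an external CNAME for comparison), and INTERNAL_ZONES is an assumed list of the defender's internal DNS zones.

```python
"""Model of an address-based DNS rebinding filter and the Singularity bypasses.

Added example; not code from Singularity, dnsmasq or Unbound.
"""
import ipaddress

# (owner, ttl, type, rdata) tuples. The three bypasses are copied from the dig
# output on this page; the other three records are constructed for comparison.
ANSWERS = {
    "zero_ip":         ("s-1.2.3.4-0.0.0.0-474794-fs-e.d.rebind.it.", 0, "A", "0.0.0.0"),
    "cname_internal":  ("s-1.2.3.4-wiki.nccgroup.com-123-fs-e.d.rebind.it.", 9, "CNAME", "wiki.nccgroup.com."),
    "cname_localhost": ("s-1.2.3.4-localhost-123-fs-e.d.rebind.it.", 0, "CNAME", "localhost."),
    "public":          ("s-1.2.3.4-0.0.0.0-474794-fs-e.d.rebind.it.", 0, "A", "1.2.3.4"),       # constructed
    "plain_private":   ("s-1.2.3.4-10.0.0.5-123-fs-e.d.rebind.it.", 0, "A", "10.0.0.5"),        # constructed
    "cname_external":  ("s-1.2.3.4-www.example.com-123-fs-e.d.rebind.it.", 0, "CNAME", "www.example.com."),  # constructed
}

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
LOOPBACK = ("127.0.0.0/8",)
THIS_NET = ("0.0.0.0/8",)   # 0.0.0.0 reaches the local host on Linux and macOS

# Assumption: zones the defender's internal DNS resolves to private addresses.
INTERNAL_ZONES = ("nccgroup.com.", "internal.corp.com.")


def _blocked_addr(rdata, ranges):
    addr = ipaddress.ip_address(rdata)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def _in_zone(name, zone):
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def naive_filter(rr, ranges=RFC1918 + LOOPBACK):
    """Typical perimeter check: drop A records in blocked ranges, pass the rest.

    A CNAME carries no address, so it is never inspected; that is the gap
    bypasses #2 and #2a use. 0.0.0.0 is outside 127.0.0.0/8, the gap for #1.
    """
    _owner, _ttl, rtype, rdata = rr
    if rtype == "A":
        return not _blocked_addr(rdata, ranges)
    return True


def hardened_filter(rr, ranges=RFC1918 + LOOPBACK + THIS_NET, zones=INTERNAL_ZONES):
    """Stricter check: also block 0.0.0.0/8, and reject CNAMEs that point from a
    name outside the internal zones to 'localhost' or into an internal zone.

    A real resolver should in addition apply the address check to the final
    A/AAAA records of the CNAME chain, including ones served from local data.
    """
    owner, _ttl, rtype, rdata = rr
    if rtype == "A":
        return not _blocked_addr(rdata, ranges)
    if rtype == "CNAME":
        if _in_zone(rdata, "localhost."):
            return False
        owner_internal = any(_in_zone(owner, z) for z in zones)
        if not owner_internal and any(_in_zone(rdata, z) for z in zones):
            return False
    return True


def evaluate(filter_fn):
    """Return {label: allowed} for every record in ANSWERS under filter_fn."""
    return {label: filter_fn(rr) for label, rr in ANSWERS.items()}


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("hardened", hardened_filter)):
        for label, allowed in evaluate(fn).items():
            print(f"{name:8s} {label:16s} {'ALLOWED' if allowed else 'blocked'}")
```

Running it shows the naive filter letting all three Singularity bypasses through while blocking only the plain 10.0.0.5 answer; the hardened filter blocks all three bypasses and still passes the public address and the external CNAME. The owner-name check matters: a CNAME from one internal name to another is normal and must keep working, which is why only CNAMEs crossing from outside into an internal zone are rejected.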