Avoiding DNS Rebinding Attacks
April 18th, 2008 · by David Bradley >> 2 Comments
I’ve talked about the benefits of the OpenDNS system as an alternative to your ISP’s DNS servers for looking up website addresses. It offers built-in phishing protection and filtering (of adult content, for example), can automatically correct URL typos you make in the address bar, and lets you create shortcuts that work across your network of computers rather than having to duplicate them from browser to browser.
Now, OpenDNS has addressed another important security issue, so-called DNS rebinding. In a DNS rebinding attack, the attacker registers a domain that is delegated to a DNS server they control. The server is configured to respond with a very short time-to-live (TTL), which prevents the response from being cached. When your browser looks the name up again, the server can answer with a different address, such as one inside your network, while the browser still treats the page as coming from the same origin. Such an attack can be used to subvert the same-origin policy and convert your browser into an open network proxy.
The resulting mayhem means your firewall is breached and hackers can get direct access to internal documents and services. For less than $100, a cyber-crook could temporarily hijack 100,000 internet (IP) addresses to send spam, phish, and defraud pay-per-click advertisers by turning your browser into an ad-clicking bot. OpenDNS explains the issue:
Suspicious responses are DNS replies that contain data that might be malicious or otherwise unwanted. Unlike the rest of our filtering features, which filter based on the domain being looked up, these tools filter based on the contents of the reply.
By enabling the filter to block internal IP addresses listed in RFC 1918, the system can prevent such DNS rebinding attacks. For example, if badstuff.attacker.com points to 192.168.1.1 (which should be an internal address on your network), the option would filter out the response, making you all safe and sound once again.
2 responses so far ↓
Thanks for the great write-up about our new feature. I think it’s sort of amazing that we’re the only game in town offering detailed query response filtering (and RFC1918 space is just the beginning).
Well, I enabled it as soon as I saw it was available; you have to use protection, after all. More on that in a follow-up post coming soon.
db