Question DNS rebinding attacks

[Sampei.Nihira]

Does this new feature protects against DNS rebinding attacks?

It's not a new feature... it's the one I brought to your attention several posts ago.

 

[TairikuOkami]

@Parkinsond Thanks for one more thing, I had ControlD as a backup, but it seems that is sucked in the beginning and it still sucks now. I switched backup to AdguardDNS.

 

[Divine_Barakah]

@Parkinsond Thanks for one more thing, I had ControlD as a backup, but it seems that is sucked in the beginning and it still sucks now. I switched backup to AdguardDNS.

May I ask why not use NextDNS?

 

[Parkinsond]

It's not a new feature... it's the one I brought to your attention several posts ago.

Neowin must be wrong then.

 

[Parkinsond]

@Parkinsond Thanks for one more thing, I had ControlD as a backup, but it seems that is sucked in the beginning and it still sucks now. I switched backup to AdguardDNS.

You are always welcome

 

[Parkinsond]

May I ask why not use NextDNS?

NextDNS is great; have been using for a while.
But Adguard DNS has two advantages:
1. I can include Hagezi TIF list (not available in NextDNS, although it has its own TIF)
2. On testing for DNS rebinding vulnerablity using ControlD tool, Adguard DNS with Hagezi DNS rebind protection list included passed, while NextDNS with DNS rebinding protection option enabled did not.

 

[TairikuOkami]

May I ask why not use NextDNS?

I meant as a backup, sometimes NextDNS fails for hours, but I always had a trouble with ControlD, I blamed my tweaks, but clearly ControlD was to blame, it fails basics.

 

[Divine_Barakah]

I meant as a backup, sometimes NextDNS fails for hours, but I always had a trouble with ControlD, I blamed by tweaks, but clearly ControlD was to blame, it fails basics.

That's weird. I've been using ND for years and I don't remember it failed before.

 

[TairikuOkami]

That's weird. I've been using ND for years and I don't remember it failed before.

It happens once or twice a year, maybe during a maintenance, but still I would expect it to switch to another server. Once it lasted the whole day (PC+phone), unbearable.

 

[Divine_Barakah]

It happens once or twice a year, maybe during a maintenance, but still I would expect it to switch to another server. Once it lasted the whole day (PC+phone), unbearable.

Yes it is unacceptable.

 

[Divine_Barakah]

Now BD has added a signature for the fake Chrome Updater

Trojan.genericS.11373

God BD is so stupid. To test that BD has added a signature for the fake Chrome Updater, I unzipped the file and BD instantly detected the infected file and i receieved "disinfection in progress", but when I checked BD notifications it seems that it deleted a OneDrive registry key as a potentially unwanted lol

 

[Parkinsond]

Now BD has added a signature for the fake Chrome Updater

Trojan.genericS.11373

God BD is so stupid. To test that BD has added a signature for the fake Chrome Updater, I unzipped the file and BD instantly detected the infected file and i receieved "disinfection in progress", but when I checked BD notifications it seems that it deleted a OneDrive registry key as a potentially unwanted lol

View attachment 293500

B never fails to amaze me.

 

[Divine_Barakah]

B never fails to amaze me.

It teaches you patience lol.

 

[Miravi]

Does this new feature protects against DNS rebinding attacks?

The Network Access Protection flag has actually been enabled by default in Brave since v1.54, released July 25, 2023. They pushed forward with it well before other major Chromium browsers.

 

[Parkinsond]

The Network Access Protection flag has actually been enabled by default in Brave since v1.54, released July 25, 2023. They pushed forward with it well before other major Chromium browsers.

Seems the new is moving from being optionally enabled by flag to be enabled by default for Edge, as described on Neowin.

 

[Sampei.Nihira]

The Network Access Protection flag has actually been enabled by default in Brave since v1.54, released July 25, 2023. They pushed forward with it well before other major Chromium browsers.

Hi,
Does Brave have LNA Protection for WebSockets + WebRTC like Chrome?

 

[Sampei.Nihira]

@Parkinsond

Theoretically, a DNS rebinding attack can also occur via websocket, albeit under very specific conditions.
In the absence of a specific flag for LNA protection of websocket, you could remedy this by blocking websocket in your adblock.
However, this could cause some features on certain websites to malfunction.

If, of course, you have a certain predisposition to paranoia...

P.S.

If I remember correctly, you use uBoL.
This DNR rule blocks websocket.
Try it:

action:
  type: block
condition:
  resourceTypes:
    - websocket
---

 

[Parkinsond]

If, of course, you have a certain predisposition to paranoia...

Paranoid patients do not use MD

 

[Sampei.Nihira]

@Bot
Can you make me a table listing the specific ways in which a DNS rebinding attack could occur via websocket?

 

[Bot]

@Bot
Can you make me a table listing the specific ways in which a DNS rebinding attack could occur via websocket?

Here are the main realistic ways DNS rebinding and WebSockets can interact, under the quite strict conditions where it’s actually exploitable.

Scenario	What has to be true	How WebSocket + DNS rebinding helps the attacker	Practical notes / mitigations
1. Internal web app exposes a WebSocket control API	There is an internal site (e.g. http://intranet, http://192.168.0.10) that: accepts WebSocket connections from browsers, and exposes sensitive actions over WS (admin, file ops, queries), and trusts any host that can reach it on LAN (no strong auth / CSRF). The victim can reach that internal site from their browser. DNS for attacker.com can be rebound from a public IP to that internal IP.	Victim visits attacker.com. Attacker’s JS opens a WebSocket to wss://attacker.com. After a short TTL, DNS for attacker.com is changed to 192.168.0.10. Browser now actually connects the WebSocket handshake to 192.168.0.10, but still thinks it’s “attacker.com” origin. Internal WS API receives authenticated-looking commands from the victim’s browser context.	Require real auth on internal WS APIs (tokens, sessions, CSRF protections). Restrict admin WS interfaces to localhost only or VPN-only. Use browser-side protections like Local Network Access (LNA) / “Private Network Access” when they apply to WS.
2. Router / NAS / IoT admin panel uses WebSockets	Home router/NAS/IoT web UI: is reachable at a private IP (e.g. 192.168.1.1), and uses a WebSocket for live stats or config, and either has weak/no auth or remains logged in from same browser. DNS for attacker.com can be rebound to 192.168.1.1.	Victim is logged into the router/NAS UI in that browser. Attacker page opens WS to attacker.com. After rebinding, WS handshake hits 192.168.1.1. If the router/NAS accepts WebSocket requests based solely on source IP being “local” and existing cookies/session, attacker’s JS can call internal router APIs via WebSocket.	Don’t expose control functions over WS without strong auth. Avoid staying logged in to router/NAS UIs in normal browsing profile. Vendors should validate Origin and use CSRF tokens even on WS endpoints.
3. Local development / debugging servers with WS (devtools, frameworks, DB dashboards, etc.)	Developer tools or dashboards listen on: 0.0.0.0 or LAN IP instead of 127.0.0.1 only, and a browser-allowed port, and accept WebSocket connections without strong auth. User browses the web from same machine. DNS rebinding used to point attacker.com → that dev server’s LAN IP.	As above: attacker page triggers WS to attacker.com. After rebinding, handshake is sent to local dev server. If dev server trusts “local network” and offers privileged actions (e.g. DB operations, file access), attacker can drive it from JS over WS.	Bind dev/debug servers to 127.0.0.1 only. Require authentication/tokens for local dashboards. Use separate browser profile (or device/VM) for untrusted browsing vs. development.
4. Internal apps using WS as a “thin RPC layer” over HTTP	An internal business app: uses WebSockets for its main API (JSON-RPC, custom protocol), and relies on network location (intranet only) instead of strong per-user auth for some actions. DNS rebinding can map attacker.com to the app’s host/IP.	After rebinding, the WS connection from attacker.com terminates on the internal app. App sees a normal WS client from a LAN IP and performs actions on behalf of the victim’s browser session. Attacker can invoke internal RPC operations via crafted WS frames.	Never rely purely on “intranet only” for critical actions. Require user auth, roles and per‑request checks even on WS APIs. Limit internal WS endpoints by firewall/VPN, not just DNS/hostname.
5. Legacy / misconfigured services that interpret WS handshake as HTTP	A legacy internal service: doesn’t fully implement WS, but parses the initial HTTP Upgrade request enough to trigger side-effects (e.g. a buggy HTTP parser / proxy / gateway). Service is reachable only from LAN, and DNS rebinding points attacker.com there.	The WS handshake is still just an HTTP request first. If a buggy internal service does something dangerous based on that request (even if the upgrade fails), attacker can trigger it from rebinding. Actual WS frames may not even be needed – the HTTP Upgrade request itself can be the “payload”.	Patch or retire legacy HTTP services on internal networks. Apply strict input validation on internal HTTP/WS gateways. Restrict exposure of internal HTTP services via firewall.

Key points

• For WebSocket-based DNS rebinding to be practical, you usually need:
  • a reachable internal service that actually speaks WebSocket (or mishandles its handshake), and
  • weak/no authentication or trust based only on “it’s coming from the LAN”, and
  • a browser that will complete the WS handshake to a private IP after DNS rebinding (this is exactly what LNA/Private Network Access aims to restrict).
• In most typical home-user setups, this is more theoretical than everyday, unless your router/NAS or some internal app exposes WS-based admin endpoints without proper auth.

If you want, I can also map these scenarios specifically to how Chrome’s LNA / Edge’s equivalent should limit them, and what gaps might remain for WS compared to plain HTTP(S).