Question DNS rebinding attacks

@Dave Russo
@Parkinsond

You can be less vulnerable if you block third-party scripts.
It is assumed that blocking third-party iframes, which breaks very few websites, can also mitigate this type of attack.
Enabling certain flags in Chromium browsers also mitigates this type of attack:

  • Strict-Origin-Isolation
  • Bind cookies to their setting origin's port
  • Bind cookies to their setting origin's scheme
  • Storage Access API follows Same Origin Policy

Enabling LNA in browsers also mitigates this attack:

  • Local Network Access Checks (enabled -blocking)
  • Local Network Access Checks for WebRTC
  • Local Network Access Checks for WebSockets

The DNS pinning feature in browsers can also mitigate this attack...

So, as usual, there are a number of good security practices that mitigate the various dangers.
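The resolver-side protection discussed in this thread (NextDNS/AdGuard "rebinding protection", a Cloudflare Zero Trust policy that blocks private-IP answers, dnsmasq's --stop-dns-rebind) all come down to one rule: refuse to hand the browser an answer that maps a public hostname to an internal address. Here is an added example of that rule in Python; it is not code from the thread or from any DNS vendor. The sample answers, the `.home.arpa` / `.lan` split-horizon allowlist and the function names are constructed for illustration.

```python
"""Resolver-side DNS rebinding protection (added example).

Drops A/AAAA answers that point a public name at a private, loopback,
link-local, unspecified or shared address, which is what a "block private
IP" DNS policy or dnsmasq's --stop-dns-rebind does. Names that are
legitimately internal (split-horizon DNS) are allowlisted by suffix.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical allowlist: zones that may resolve to internal addresses.
INTERNAL_SUFFIXES = (".home.arpa", ".lan")

# RFC 6598 shared address space (CGNAT); not covered by is_private.
SHARED_V4 = ipaddress.ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Answer:
    name: str     # queried hostname
    rtype: str    # record type, e.g. "A", "AAAA", "TXT"
    address: str  # rdata as a string


def _canonical(addr: str):
    """Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.1), which reaches the same
    host as its IPv4 form and is a classic way to slip past naive filters."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_internal_address(addr: str) -> bool:
    """True if the address should never appear in an answer for a public name."""
    ip = _canonical(addr)
    return (
        ip.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or ip.is_loopback    # 127/8, ::1
        or ip.is_link_local  # 169.254/16, fe80::/10
        or ip.is_unspecified # 0.0.0.0, :: (browsers treat these as local)
        or ip.is_reserved
        or ip in SHARED_V4
    )


def name_is_internal(name: str) -> bool:
    """Split-horizon exception: names under an allowlisted internal zone."""
    n = name.rstrip(".").lower()
    return any(n.endswith(s) or n == s.lstrip(".") for s in INTERNAL_SUFFIXES)


def filter_answers(answers):
    """Return (kept, dropped). Only address records are inspected."""
    kept, dropped = [], []
    for a in answers:
        is_addr = a.rtype in ("A", "AAAA")
        if is_addr and is_internal_address(a.address) and not name_is_internal(a.name):
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


# Constructed sample answers: what a resolver might receive upstream.
SAMPLE_ANSWERS = [
    Answer("www.example.com", "A", "93.184.216.34"),          # public, keep
    Answer("rebind.attacker.example", "A", "192.168.1.1"),    # router, drop
    Answer("rebind.attacker.example", "AAAA", "::ffff:10.0.0.1"),  # mapped v4, drop
    Answer("rebind.attacker.example", "A", "0.0.0.0"),         # unspecified, drop
    Answer("nas.home.arpa", "A", "192.168.1.20"),             # allowlisted zone, keep
    Answer("www.example.com", "TXT", "v=spf1 -all"),          # not an address, keep
]

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS)
    for a in dropped:
        print(f"DROP {a.name} {a.rtype} {a.address}")
    for a in kept:
        print(f"KEEP {a.name} {a.rtype} {a.address}")
```

Note that this filter alone does not protect a client that bypasses the resolver: a browser using its own DoH endpoint never sees the filtered answers, which is why in this thread the browser's DNS settings and the router's setting can disagree.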
 
Using Cloudflare Zero Trust, I thought I explicitly set up DNS rebinding protection with a policy blocking private IP address traffic. I fail the ControlD test in both Brave and Firefox. 🤷‍♂️

I don't know how definitive this test is, but I can try playing around with things later.
 
As somebody said earlier in the thread, Google DNS protects against this attack (8.8.8.8, 8.8.4.4; DoH: dns.google/dns-query).
Lost internet connectivity after using

 
Even ControlD's own free DNS fails their test; only NextDNS and AdGuard DNS were able to pass.
 
I looked a little more into it, and people do report false positives from the timing/latency sensitivity of the test's methodology, even with verifiable DNS rebinding protection enabled. It's simple, but it isn't a bulletproof test.

That's not to say my network security is impeccable, though. Cloudflare's DNS does not include rebinding protection by default—I wanted to fix that in my Zero Trust configuration.
 
That's what I thought too; every time the test declares vulnerability, it shows the figure of response variability in seconds, which is apparently what it relies on mostly.
 
I don't know how useful it is, but I remember once having a false positive due to it while downloading a torrent, but the wrong blocking wasn't any issue for me.
Currently my router has DNS rebinding protection.
Also using Zero Trust and have the same private IP address blocking policy enabled. But according to the logs, they were not blocked. But in the test site, I passed the test.
The DNS on my PC is different from my router DNS, so I think the router setting didn't have any effect. I also checked the system log on the router and didn't see anything of that nature being blocked. So, not sure how I passed the test.
Chromium browsers leak via unencrypted DNS, when it is blocked, Edge causes 5 secs delay every 5 mins (DNS Cache). I reported it 3 years ago, still no fix.
As I said in a different thread, this is not an unencrypted DNS leak. Chromium browsers need to know the IP address of your DoH provider. It resolves the IP address by using the system DNS by querying it over plain DNS, bypassing the browser DNS. It is a normal behavior.
In this case, chrome.exe itself will be seen querying remote port 53. Chromium browsers use their own internal DNS resolver library, so we see chrome.exe/edge.exe/etc. making the connection.
In the case of Firefox, we don't see firefox.exe using remote port 53, likely because Firefox doesn't use/have an internal DNS resolver library. The OS itself queries the domain for Firefox like for any other program, which lets Firefox know that the IP address of something like https://dns.google/dns-query is 8.8.8.8 and 8.8.4.4.
 
Use Control D with Hagezi and DoT and you will pass the test
Cannot use DoT, but tried the different Hagezi profiles of ControlD free, in addition to the native profile; all could not pass the test.
Also tried different reputable, free public DNS providers on DoH, such as Google, Cloudflare, and Quad9, with the same result.
 
Anybody thought about what I said earlier? Maybe the protection is not related to ControlD but rather to your router, which already has DNS Rebinding Protection enabled. @Parkinsond said his router probably doesn't have that feature enabled. So you guys should check whether it's enabled in your router settings and do the test with ControlD again with the router protection disabled.
 
I have DNS Rebind Protection disabled, but I have AI Protection, maybe it's related. Or maybe it's the browser/extensions.
 
You clearly have issues with your web browser. Have you tried to test in Firefox Portable, or system-wide, as I asked you to?

If we're passing the test using various DNS servers, and you fail, that's an issue on your end.
Just installed Chrome (may God forgive me)
The same results

 
If you get this in Edge, you'll get it in Chrome, Brave, Opera, Vivaldi, SRWare Iron, Ungoogled Chromium and other Chromium-based browsers; no need to install any of them. This is why I specifically mentioned Firefox, as it's completely different and DoH works in a different way. I know you hate it, but unless you're willing to test, we will never find out what is causing the issue for you. But one thing is certain—it's a problem on your side, certainly not on the DNS server side.

Or just use the ControlD Setup Utility to make ControlD system-wide and see if it passes the test. If it doesn't, then it's most likely something wrong with your Windows installation.
 