• SonicOS and SonicOSX 7
• Configuring DNS Settings
  • Configuring DNS for IPv4
    • Specifying which DNS Servers are Used
    • Enabling Proxy of Split DNS Servers
    • DNS Rebinding Attack Prevention
    • DNS Rebinding and Cache Lookup
    • Enabling DNS Host Name Lookup over TCP for FQDN
    • DNS Cache Lookup
  • Configuring DNS for IPv6
  • Configuring Domain-Specific DNS Servers for Split DNS
    • About Split DNS
      • About Per-Partition DNS Servers and Split DNS
    • Adding a Split DNS Server
    • Editing Split DNS Entries
    • Deleting Split DNS Entries
• Configuring Dynamic DNS
  • About Dynamic DNS
    • Supported DDNS Providers
  • Dynamic DNS Profiles
    • Configuring Dynamic DNS Profiles
    • Editing Dynamic DNS Profiles
    • Deleting Dynamic DNS Profiles
• Configuring DNS Proxy Settings
  • About DNS Proxy
    • Supported Interfaces
    • DNS Server Liveness Detection and Failover
    • DNS Cache
    • High Availability Stateful Synchronization of DNS Cache
    • DHCP Server
  • Enabling Log Settings
  • Monitoring Packets
  • Configuring DNS Proxy Settings
    • Enabling DNS Proxy
    • Configuring DNS Proxy Settings
    • Deleting Static DNS Cache Entries
    • Viewing DNS Proxy Cache Objects
    • Flushing Dynamic DNS Cache Entries
• Configuring DNS Security
  • About DNS Sinkholes
  • Configuring DNS Security Settings
  • Deleting Entries in the Lists
  • Configuring DNS Tunnel Detection
    • Configuring DNS Tunneling Detection
    • Viewing Detected Suspicious Clients
    • Creating DNS Tunnel Detection White Lists
    • Deleting DNS Tunnel Detection White List Entries
• SonicWall Support
  • About This Document

DNS Rebinding Attack Prevention

DNS rebinding is a DNS-based attack on code embedded in web pages. Normally requests from code embedded in web pages (JavaScript, Java, and Flash) are bound to the website they are originating from (see Same Origin Policy). A DNS rebinding attack can be used to improve the ability of JavaScript-based malware to penetrate private networks and subvert the browser's same-origin policy.

DNS rebinding attackers register a domain that is delegated to a DNS server they control. The server is configured to respond with a very short Time to Live (TTL) parameter, which prevents the result from being cached. The first response contains the IP address of the server hosting the malicious code. Any subsequent requests contain IP addresses from private (RFC 1918) network, presumably behind a firewall, being target of the attacker. Because both are fully valid DNS responses, they authorize the sandbox script to access hosts in a private network. By iterating addresses in these short-term but still valid DNS replies, the script is able to scan the network and perform other malicious activities.

To configure DNS rebinding attack prevention

1. Navigate to NETWORK | DNS > Settings.
2. Scroll to the DNS Rebinding Attack Prevention section.
3. Select Enable DNS Rebinding Attack Prevention. This option is not selected by default. The two options become available.
4. From the Action drop-down menu, select an action to perform when a DNS rebinding attack is detected:
   • Log Attack
   • Log Attack & Return a Query Refused Reply
   • Log Attack & Drop DNS Reply (default)

5. From the Allowed Domains drop-down menu, select an allowed domain FQDN Address Object or FQDN Address Object Group containing allowed domain-names (such as *.SonicWall.com) for which locally connected/routed subnets should be considered legal responses.

   You can also create new FQDN address objects or FQDN address object groups by selecting Create new FQDN Address Object Group… or Create new FQDN Address Object….

6. Click Accept.