What is DNS rebinding?

On my Flint I have DNS Rebinding Attack Protection enabled.

I’m looking for an explanation of why I would want to enable this, or possibly disable it?

What exactly is the problem with DNS Rebinding?

I get that it’s a threat vector that hackers use, but I’m not sure I understand why I get the error message now and what it means.

Since I moved my DNS from Adguard on the Flint onto an Adguard server running on my Raspberry Pi I get DNS rebinding attack messages in my Flint’s log.

daemon.warn dnsmasq[32372]: possible DNS-rebind attack detected: win-extension.femetrics.grammarly.io

Thanks!

Let me ChatGPT it for you:

DNS Rebinding Attack Protection is an important security measure designed to protect devices on your network from a specific type of cyber attack known as DNS rebinding. Understanding why you might want to enable or disable this feature involves a brief overview of what DNS rebinding is and how it works, along with its potential implications for your network security.

What is DNS Rebinding?

DNS rebinding is a form of cyber attack that exploits the way web browsers and other client applications trust DNS responses to bypass the same-origin policy (SOP). The SOP is a critical security mechanism that prevents a script running on one web page from accessing data or code on another web page without permission, effectively isolating different websites from each other for security purposes.

In a DNS rebinding attack, an attacker tricks a victim’s browser into making a request to a malicious website, which initially resolves to the attacker’s server. Subsequently, the DNS record is changed to point to the IP address of a target device within the victim’s local network (such as routers, webcams, or other IoT devices). The browser, still considering the request as being directed to the original site, allows the script to access and potentially control the target device.

Reasons to Enable DNS Rebinding Attack Protection

  1. Protect Internal Network Devices: Many devices within a local network have web interfaces that are only intended to be accessed internally. DNS rebinding can be used to bypass network firewalls and access these devices from the outside.
  2. Prevent Data Exfiltration: By gaining control over internal devices, attackers can steal sensitive information, including personal data, login credentials, or financial information stored on your network.
  3. Block Unauthorized Control: DNS rebinding can allow attackers to gain unauthorized control over devices on your network, potentially adjusting settings, disabling security measures, or using the devices as part of a botnet.

Reasons to Disable DNS Rebinding Attack Protection

  1. Network Compatibility: In some rare cases, legitimate network requests or configurations might be mistakenly blocked by DNS Rebinding Attack Protection due to strict policies, leading to network issues or disruptions in service.
  2. Specialized Network Configurations: Advanced users or organizations with specific network setups and security measures might find DNS Rebinding Attack Protection redundant or conflicting with other security protocols they have in place.
  3. Performance Considerations: While generally minimal, the performance impact of DNS Rebinding Attack Protection checks could be a concern in highly optimized or sensitive environments.

Conclusion

For most users and networks, enabling DNS Rebinding Attack Protection is highly recommended as it provides a critical layer of security against a sophisticated type of attack that targets devices within your local network. Unless there’s a specific, informed reason related to compatibility or network configuration, the benefits of protection outweigh the potential downsides. If you’re experiencing network issues with this protection enabled, ensure that your devices and applications are updated and configured correctly before considering disabling it.

Yeah thanks Admon I already did check ChatGPT (learning from your earlier post about my other log) and also looked at other sites about DNS rebinding.

But it does not explain why I suddenly see rebinding attacks in my log after moving to a local LAN-based AdGuard Home, nor why I should or should not have it enabled on the Flint.

It just says it’s a “highly recommended” best practice.

Why can’t I just turn it off? I mean, is Amazon REALLY attacking me?

daemon.warn dnsmasq[32372]: possible DNS-rebind attack detected: device-metrics-us-2.amazon.com

Nah, Amazon is not attacking you 🙂

Let’s say an external IP tries to connect to you as a local subnet IP. You often get this message because the reply is discarded: it is seen as a bogus IP or, more technically speaking, it tries to override your DHCP/DNS origin. ISPs also have local IPs, and these should never talk to you; this mechanism prevents that.

Now in your case this could be related to using AdGuard or Pi-hole; then you have nothing to worry about. If it was blocked, the origin was changed to a local IP, thus causing the origin mismatch. Even with VPNs this can sometimes happen.

Sometimes a device just uses it to reference itself as a reverse domain intended for local use, but the DHCP server sees the origin mismatch and blocks it as a rebind attack; again, a false positive 😉

Tbh, as long as the WAN firewall zone is correctly set up, only local devices would create such an issue (from device → ISP and not ISP → device). I won’t call it super dangerous to turn it off; I would only advise not to in public areas 👍, well, as long as that is possible: with things like captive portals you have no other option than disabling it.

Also, it depends how recent the OpenWrt part is, but in LuCI inside the DHCP settings you can whitelist certain domains for rebind protection 👍, and in the future it may or may not get added inside the GL UI; it’s still in research 😉

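Both the same-origin-bypass description in the ChatGPT answer and the "origin mismatch" explanation in the reply above come down to one router-side check: an upstream answer that maps a public name to a private, loopback or 0.0.0.0 address is dropped and logged. The Python below is an added sketch of that check (not dnsmasq's or GL.iNet's code) with a rebind-domain allowlist; the range list is my assumption modelled on dnsmasq's private-range check, and the sample answers, including a filtering resolver that replies 0.0.0.0 for a blocked telemetry name, are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Address ranges a rebind check treats as "must never come from an upstream resolver".
# Assumption: modelled on dnsmasq's private-range list, not copied from it.
REBIND_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                       # "this" network; common block-list answer
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local / zeroconf
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def is_rebind_addr(addr: str) -> bool:
    """True if a public name resolving to this address would be a rebind candidate."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in REBIND_NETS)


def is_allowlisted(name: str, allow_domains: Iterable[str]) -> bool:
    """rebind-domain-ok style match: the name itself or any parent domain is allowed."""
    name = name.rstrip(".").lower()
    for dom in allow_domains:
        dom = dom.strip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def filter_answer(name: str, addrs: List[str],
                  allow_domains: Iterable[str] = ()) -> Tuple[List[str], Optional[str]]:
    """Apply the rebind check to one DNS answer.

    Returns (addresses passed to the client, log line or None). Like the router,
    the whole answer is dropped if any record lands in a forbidden range.
    """
    if is_allowlisted(name, allow_domains):
        return list(addrs), None
    if any(is_rebind_addr(a) for a in addrs):
        return [], f"daemon.warn dnsmasq[32372]: possible DNS-rebind attack detected: {name}"
    return list(addrs), None


if __name__ == "__main__":
    # Constructed sample answers: a filtered telemetry name, a real rebind, a LAN name.
    for name, addrs, allow in (
        ("device-metrics-us-2.amazon.com", ["0.0.0.0"], ()),      # ad filter's block reply
        ("attacker.example", ["192.168.8.1"], ()),                # genuine rebind attempt
        ("nas.home.example", ["192.168.8.20"], ["home.example"]), # allowlisted local name
    ):
        print(name, filter_answer(name, addrs, allow))
```

The first two cases produce the same log line, which is why the log alone cannot distinguish a block-list reply from an attack; the allowlist is the supported way to silence a name you trust.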

Thanks guys, I’ve disabled DNS rebinding attack protection for now, just because it’s filling the logs with false alerts.

Thanks
