Hi all, I'm an independent security researcher who has spent the last few months studying DNS rebinding attacks. My findings so far <https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325> [1] are pretty grim: it appears that even 10 years after this attack vector was publicly disclosed, millions of IoT products from major vendors like Google, Roku, and Sonos are still vulnerable. The research was recently publicly disclosed in WIRED <https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability/> [2] and these major vendors are developing patches. But this research suggests that thousands of other vendors likely remain unpatched and, worse yet, will continue to develop vulnerable products in the future.
For those unfamiliar, DNS rebinding <https://en.wikipedia.org/w/index.php?title=DNS_rebinding> [3] is an attack vector that uses a malicious DNS server to circumvent CORS, allowing a malicious website to enumerate and communicate with vulnerable HTTP servers on a victim's private network. It effectively uses a victim's browser as a proxy to communicate with devices on their private network from the public Internet. Protections against it include using HTTPS, Basic Authorization, or server-side Host header validation. The problem is that many, many IoT devices provide no such protections, and as a result put their users at risk, as HTTP APIs that were designed to be accessed only from private local networks can actually be accessed from the public Internet.

The attack requires a malicious DNS server that is authoritative for a domain name, say rebind.network [4] (WARNING: that is a PoC I've developed to show how this attack works for several common IoT devices), to first reply with a public IP address on the Internet, and then later respond with a private IP address like 192.168.1.11.

Users can protect themselves from this type of attack by using a DNS resolver that filters out private IP addresses from public DNS responses. OpenDNS and dd-wrt can both provide this functionality if configured properly, but my question is, *why not block this type of illegitimate and dangerous DNS behavior at the browser level?* I'm interested in discussing the possibility of providing protection against DNS rebinding in the Firefox browser itself. As far as I see it, a domain name should never be allowed to respond with a private IP address moments after it first responded with a public IP address. If we can protect against this at a browser level, we can offload the responsibility for DNS rebinding protection from the thousands of independent devices and services that are currently vulnerable or will be in the future.
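To make the two mitigation policies mentioned above concrete, here is an added example (not code from the post, Firefox, or any resolver) that models how a client-side check could apply each one to a sequence of DNS answers: the resolver-style filter that drops every private answer, and the transition rule proposed here that only rejects a private answer after the same name has already resolved to a public address. The hostnames, answer sequence, and the set of address ranges treated as "private" are constructed assumptions for the example.

```python
import ipaddress

# Ranges treated as "private" for this example (assumption: RFC 1918, loopback,
# link-local, "this host", and the IPv6 equivalents; adjust to local policy).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample of A-record answers in arrival order (hypothetical names).
SAMPLE_ANSWERS = [
    ("rebind.example.net", "203.0.113.10"),  # first answer: public web server
    ("rebind.example.net", "192.168.1.11"),  # later answer: flipped to a LAN device
    ("lan-only.example.net", "10.0.0.5"),    # always private (Plex-style use case)
    ("lan-only.example.net", "10.0.0.5"),
]

def is_private(addr: str) -> bool:
    """True if the address falls in any of the PRIVATE_NETS ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

class RebindGuard:
    """Decides, per DNS answer, whether the browser should be allowed to use it.

    strict=True  mirrors resolver-side filtering (OpenDNS/dd-wrt style): every
                 private answer is rejected, which also breaks always-private names.
    strict=False applies the transition rule from the post: a private answer is
                 rejected only if this name was previously seen resolving publicly.
    """
    def __init__(self, strict: bool = False):
        self.strict = strict
        self.seen_public = set()  # hostnames that have resolved to a public IP

    def check(self, host: str, addr: str) -> bool:
        private = is_private(addr)
        if self.strict:
            return not private
        if not private:
            self.seen_public.add(host)
            return True
        # Private answer: allowed unless the name already pointed to the Internet.
        return host not in self.seen_public

def evaluate(answers, strict: bool = False):
    """Run one guard over an answer sequence; returns (host, addr, allowed) triples."""
    guard = RebindGuard(strict)
    return [(host, addr, guard.check(host, addr)) for host, addr in answers]
```

Under the transition rule the flip on `rebind.example.net` is blocked while `lan-only.example.net` keeps working; under strict filtering both are blocked, which is the compatibility trade-off the Plex case illustrates.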
I'm interested in further discussing this idea on this mailing list. There may be something that I am overlooking, or legitimate functionality that DNS rebinding protections in the browser would break (Plex <https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/> [5] is the only thing I can think of as of now). But I expect DNS rebinding to be a serious security concern that will only increase in the future if something is not done to mitigate these risks. As Firefox has positioned itself as the security-focused browser, and has a thriving open source community of devs, I figured it best to start here. If we can build DNS rebinding protections into Firefox, other browser vendors may follow suit.

[1] https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
[2] https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability/
[3] https://en.wikipedia.org/w/index.php?title=DNS_rebinding
[4] http://rebind.network
[5] https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/

Best,
Brannon

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform