CME-207

DNS Rebinding Protection

Description

Configure DNS resolvers, recursive forwarders, and network firewalls to reject DNS responses that resolve public domain names to private IP addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16; loopback: 127.0.0.0/8; link-local: 169.254.0.0/16; IPv6: ::1, fc00::/7, fe80::/10). DNS rebinding attacks exploit the browser same-origin policy by causing an attacker-controlled domain to resolve to a private IP address after the initial page load, giving the attacker JavaScript access to localhost-bound services. Blocking private IP resolution from public domains prevents this attack at the network layer.
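The filtering decision a rebinding-aware resolver or DNS-inspecting firewall makes, as an added illustration (not code from this entry or from dnsmasq/unbound): answers of type A/AAAA for a public name are dropped when they fall inside the ranges listed above. It goes slightly beyond the list by unwrapping IPv4-mapped IPv6 answers, and it assumes a constructed allowlist of internal zones (such as corp.example) whose names may legitimately resolve to private space.

```python
import ipaddress

# Ranges named in the countermeasure description (RFC 1918, loopback, link-local, IPv6)
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_private_address(addr: str) -> bool:
    """True if addr lies in a blocked range.

    IPv4-mapped IPv6 answers (::ffff:a.b.c.d) are unwrapped first so an AAAA
    record cannot carry a private IPv4 address past an IPv4-only check.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Membership across address families is simply False, so mixed lists are safe.
    return any(ip in net for net in BLOCKED_RANGES)


def filter_response(qname: str, answers, allowed_zones=()):
    """Drop A/AAAA records that map a public name to a private address.

    answers: iterable of (rtype, rdata) tuples as a resolver sees them.
    allowed_zones: constructed example of internal zones exempt from the check.
    Returns (kept, rejected) so the caller can log what was stripped.
    """
    name = qname.rstrip(".").lower()
    if any(name == z or name.endswith("." + z) for z in allowed_zones):
        return list(answers), []
    kept, rejected = [], []
    for rtype, rdata in answers:
        if rtype in ("A", "AAAA") and is_private_address(rdata):
            rejected.append((rtype, rdata))
        else:
            kept.append((rtype, rdata))
    return kept, rejected


if __name__ == "__main__":
    # Constructed response: a public name answering with one public and two private addresses
    sample = [("A", "93.184.216.34"), ("A", "127.0.0.1"), ("AAAA", "::ffff:10.0.0.7")]
    kept, rejected = filter_response("rebind-test.example.com.", sample)
    print("kept:", kept)
    print("rejected:", rejected)
```

Logging the rejected records is the detection signal: a public domain repeatedly answering with private addresses is the rebinding pattern itself.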

CVSS Vector Impacts

Metric: Attack Vector (AV)
Transition: N -> L
Rationale: An attacker on the public internet cannot reach localhost-bound or private-network services via DNS rebinding. The DNS resolver or firewall blocks responses that would map a public domain to a private address, preventing the browser from connecting to internal services. Exploitation requires the attacker to be on the same local network or have direct access to the host.

CWE Relationships

Verification

Verify that DNS resolvers are configured to block private IP resolution from public domains, and that firewall rules inspect DNS responses for private address answers.

$ grep -E "stop-dns-rebind|rebind-localhost-ok" /etc/dnsmasq.conf
# Expected: stop-dns-rebind present; if rebind-localhost-ok is also present, 127.0.0.0/8 and ::1 answers are exempted from the check and the control is weakened
Platform: linux
$ grep "private-address" /etc/unbound/unbound.conf
# Expected: private-address directives for RFC 1918 ranges
Platform: linux
$ dig @localhost rebind-test.example.com A +short
# Expected: No private IP addresses in response (empty output or NXDOMAIN)
Platform: any