Sam Stelfox

Letting the outside in: DNS rebind attacks

Names are a funny thing on the Internet. The domains everyone visits while browsing the web are solely for people. When you ask your browser to go to a website, it starts by converting that name into an address it can start talking to.

This is important as the answers to what addresses are behind a name can change, and do so relatively quickly. Responses to DNS name requests are frequently dependent on the location of the client, so a local (with lower latency) server can be found to service its request. These changes also occur to avoid downtime, such as when a machine is taken down for maintenance.

At the same time, a lot of our security is based off these names. When people go to their bank's website, they see the correct domain, the familiar interface, and the certificate indicating that they're secure. The certificate is tied to the name, and is likely hosted on many identical machines.

When an attacker on the Internet can get someone to visit a website that they fully control, a lot of our security boundaries implicitly trust that site to talk back to itself. This trust is being used in a bit of a weird way to attack people's home networks in what is known as a DNS rebind attack.


Due to the way home Internet routers are designed to share their Internet connection, devices on the Internet can't generally initiate a conversation with anything on your home network. (For the purpose of this discussion, manual setup of port forwards, and ports opened through UPnP are left out as those are intentional exposures to external networks.) Other devices sharing that home Internet connection can freely interact with each other.

When a DNS rebind attack occurs, an attacker's website will swap the name records for itself with ones that point at local devices on the user's home network. The name doesn't change, so neither do the security protections. This exposes any device running a web server (most IoT devices do) on that otherwise isolated home network to remote malicious code.

Unfortunately, many IoT devices have a poor security posture and are easy pickings once an attacker can interact with them directly. With the low technical complexity and the effectiveness, this type of attack is becoming more common. Reports are continuing to find more devices that are vulnerable, even among the higher quality devices.

Attackers have used the same attack against services running on the user's machine- see stories of the DNS rebind attack in action here, here, and here. This class of attack is detectable based on its network behavior, and the attempts can signal what might be vulnerable on the network.

At Minim, we are now detecting DNS rebind attacks against home networks that use Minim-enabled routers— here's how.

Like this blog?

Subscribe to our newsletter.