Cisco Umbrella

Enterprise network security

Security

Finally, a real solution to DNS rebinding attacks

By David Ulevitch, Founder/CEO

We just launched a subtle new feature for all OpenDNS account holders (it’s free) that helps protect against a class of DNS vulnerabilities known as DNS Rebinding attacks. In short, these attacks take advantage of design flaws or weaknesses in how some Internet applications (notably web browsers) cache DNS data so that internal network resources can be accessed by external servers regardless of firewall settings.

This can happen because the browser (or similarly exploitable vector) acts as a conduit between the private internal resource and the external server. In plain English this means that some bad guy on the Internet can access your home access point, wireless access point, internal file server or any other networked device on your network just by getting you to load some javascript on a webpage.

While this might seem like a browser issue, it’s fundamentally a DNS issue. This is why OpenDNS created what will become a new class of filtering tools called Suspicious Response Filters.

Image of the new filtering service
These new filters are different from the filtering options we’ve offered to date in one important way. Rather than filtering based on the DNS question being asked (eg, “Where is foo.com?”) these filters inspect the DNS reply before we send it back to you (eg, “Does this reply point to an internal resource?”). Like most of our features, this is an industry first. No other major DNS software or service offers anything like this.

When I started OpenDNS I often told people one of my main goals was to design a global secure DNS service that empowered people to let the good DNS in and keep the bad DNS out, for whatever definition of good and bad they had. This feature gets us one step closer to delivering on that promise.

The feature is turned off by default, but I encourage everyone to go into your account and turn it on. Those of you with domains that point to private address space legitimately (to your intranet, for example) should also visit the domain allow list page and allow your domain. Naturally, any domain in your allow list will not have its responses filtered in any way and will be explicitly allowed.