WatchGuard – DNSWatch Introduces Protection Against DNS Rebinding Attacks
Despite being around for many years, “DNS Rebinding” attacks have been making headlines recently. Commodity devices (Chromecast, Roku, Sonos Speakers, and many other IoT devices) are potentially vulnerable, and while the popular ones have been patched, it’s hard to know if they all have.
This trend, combined with direct feedback from other customers, has led us to build new protections into DNSWatch to address these types of attacks.
You can enable the DNS binding protections in your DNSWatch settings. Once you enable the feature, it can take up to an hour to take effect due to DNS caching.
When enabled, any responses that would normally contain an A record for a private IP address (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/16) will instead result in an NXDOMAIN.
To confirm the rebinding protection is enabled, you can look up `local.strongarm.io`. If rebinding is enabled, it will return `192.168.1.1`. If the rebinding protection is enabled, DNSWatch will return an NXDOMAIN.
If you use an external nameserver to host intranet websites, you need to move those domains to an internal name server to protect them from DNS Rebinding attacks.