DNS Rebinding Attacks

Postby rboynton » Apr 26 08 3:41 am

What is the best way to configure WinGate to prevent DNS rebinding attacks? I understand that requests on port 53 from LAN PCs to the internet should be blocked so that a DNS server that is configured not to resolve external names to internal IP addresses is used, but is there anything else?

The article I read http://crypto.stanford.edu/dns/ indicates this, plus some other things that can be done to prevent this sort of attack.
rboynton
Senior Member
 
Posts: 156
Joined: Jun 15 07 2:09 am
Location: Boerne, Texas

Postby adrien » Apr 27 08 1:50 am

Hi

Thanks for posting this - most interesting reading.

From what I can tell, the problem is not related to the DNS server that your client machines use, but the fact that the origin DNS server of the attacker will serve different results for the same name in short succession - and that subsequent results point to resources inside your network, thereby fooling the browser into connecting to an internal target host when it thinks it's connecting back out to the server that provided the script.

My initial suggestion would be:

1. configure all browsers to use the proxy only for access to everywhere.
2. in WWW proxy policy, block access to (not from) any internal IP addresses. E.g. Server IP begins with "192.168."
3. Lock down the ports that can be used for HTTPS requests through the proxy as well.
4. Don't allow WinGate's DNS resolver to resolve internal names. This is the CNAME exploit mentioned in the paper. You should configure the DNS resolver in WinGate to use an external DNS server, and not allow it to use internal ones (you can specify DNS servers NOT to use in the WG advanced options applet). Then WinGate won't be able to resolve internal names, and CNAME exploits targeting your internal names won't work.

In general, if you're running an Active Directory, your client machines will use the AD server for DNS. This is fine (and necessary for your network to function properly).

I'm going to do some more research on this. We should be able to do what they call "DNS pinning" in the DNS cache in WinGate to prevent multi-pin attacks on different technologies in the browser. Would be just a matter of setting a minimum allowable value on the TTL of any record.

Thanks

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
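An added illustration, not WinGate code and not from either poster, of the two controls described in the reply above: a resolver cache that enforces a minimum TTL (the "DNS pinning" idea) and the step-2 proxy rule that refuses internal destination addresses. The upstream answer sequence, the hostname and the address ranges are constructed assumptions.

```python
import ipaddress

# Added example, not WinGate code: minimum-TTL resolver cache ("DNS pinning")
# plus a proxy destination rule, run against a constructed rebinding answer.
# RFC 1918 plus loopback and link-local; extend with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip: str) -> bool:
    # proxy policy: never connect to an internal target on a client's behalf
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

class PinningCache:
    """Keeps each answer for at least min_ttl seconds, so a name cannot be
    rebound to a different address in short succession."""

    def __init__(self, upstream, min_ttl, clock):
        self.upstream = upstream  # name -> (ip, ttl) from the external resolver
        self.min_ttl = min_ttl
        self.clock = clock        # returns seconds; injected so the demo can advance it
        self._pins = {}           # name -> (ip, expires_at)

    def resolve(self, name: str) -> str:
        now = self.clock()
        pinned = self._pins.get(name)
        if pinned and pinned[1] > now:
            return pinned[0]      # a short attacker TTL cannot shorten the pin
        ip, ttl = self.upstream(name)
        self._pins[name] = (ip, now + max(ttl, self.min_ttl))
        return ip

def proxy_target(cache: PinningCache, name: str) -> str:
    # resolve through the pinning cache, then apply the destination policy
    ip = cache.resolve(name)
    if is_internal(ip):
        raise PermissionError(f"refusing {name}: resolves to internal address {ip}")
    return ip

def demo():
    """Constructed upstream: public address once with TTL 0, then an internal
    address. Returns what the proxy would connect to at t = 0, 10 and 400 s."""
    answers = iter([("203.0.113.7", 0)])
    clock = [0.0]
    cache = PinningCache(lambda n: next(answers, ("192.168.1.10", 0)), 300, lambda: clock[0])
    results = []
    for clock[0] in (0.0, 10.0, 400.0):
        try:
            results.append(proxy_target(cache, "attacker.example"))
        except PermissionError:
            results.append("blocked")
    return results  # ['203.0.113.7', '203.0.113.7', 'blocked']
```

Within the pin window the second lookup is served from the cache, and once the pin expires the rebound internal answer is refused by the destination rule rather than connected to.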

