Overcoming a DNS Binding attack

No, on a Ubuntu server

1. What is the issue? Please be detailed.
With the standard installation of ODK Central, entering the server's IP address in the browser opens the ODK Central page. This makes a DNS Rebinding Attack possible.
To overcome this we need to redirect such requests to an empty page.

2. What steps can we take to reproduce this issue?
Use the standard installation using the nginx.dockerfile image.

3. What have you tried to fix the issue?
I can't find a way to implement this.

4. Upload any test forms or screenshots below.

None needed.

The standard install of Central requires HTTPS which mitigates this attack. How did you determine it was possible to use a DNS rebinding attack?

Hi Yanokwa,

I got this message from our security people at the IT department. They scan all servers at WUR for security issues.
Regards,

Marcel

Hi Yanokwa,

Found this snippet (if a user enters the IP number, "return 301" redirects them to https://nucuta.com):

server {
    # answer on both plain HTTP and HTTPS, IPv4 and IPv6
    listen 80;
    listen [::]:80;
    # note: the two ssl listeners also need ssl_certificate and
    # ssl_certificate_key directives, otherwise nginx refuses to start
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # only matches when the Host header is the bare IP address
    server_name 192.168.1.1;
    # send the visitor to the real hostname instead of serving the site
    return 301 https://nucuta.com;
}

Hi Yanokwa,

I also found this on the internet:

Redirect from The IP Address

Unlike a shared host, both dedicated servers and virtual private servers always have a dedicated IP address allocated to them. If the web server is configured with Nginx with an underscore server_name (which means the server processes every request), then any request to the IP address gains access to the website as well. Having access to the website through an IP address is not something every web master wants, for various reasons. On the other hand, if every request is processed, malicious users can associate any random domain with the web server, which is not good for the name of the brand or the business, and therefore it's important to process only requests to specific domains or an IP address. This segment demonstrates how, in such cases, to process requests to the IP address of the web server.

Perhaps something like the code below should be added to central/files/nginx/redirector.conf:

# ---------------------------------------------------------
# default (in case anyone tries to hit http://100.200.200.50)
# ---------------------------------------------------------
server {
    # matches only when the Host header is the bare IP address
    server_name 100.200.200.50;
    listen 80;
    # serve a static placeholder page instead of the application
    root /var/www/default;
    index index.html;
}
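The two snippets above both key on a specific IP address in server_name, so a request with any other unexpected Host header (a second IP, or an attacker-controlled domain whose DNS record is later rebound to this server) still falls through to whichever server block nginx treats as the default. The following is an added example, not part of the original thread and not ODK Central's shipped redirector.conf, of the more general form a practitioner would use: a catch-all default_server that drops every request whose Host header is not the expected hostname, plus the real site bound to that hostname only. The hostname central.example.org and the certificate paths are assumptions for the example. Note that without the default_server flag nginx silently uses the first server block listed for that address:port as the default, so config ordering matters.

```nginx
# Added example (not ODK Central's own redirector.conf). Assumed hostname:
# central.example.org. Certificate paths are placeholders for this example.

# Catch-all for plain HTTP. Anything not addressed to the real hostname
# (a bare IP, a stray domain pointed at this box, a rebinding attacker's
# domain) lands here. 444 is nginx-specific: close the connection without
# sending any response, so there is nothing for a rebound script to read.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Catch-all for HTTPS. A default TLS server still needs a certificate to
# complete the handshake before it can drop the request; a throwaway
# self-signed pair is enough (paths assumed for this example).
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/default-selfsigned.crt;
    ssl_certificate_key /etc/nginx/default-selfsigned.key;
    return 444;
}

# The real site over HTTP: matched only when Host is exactly the hostname,
# and redirected to HTTPS using the fixed hostname rather than $host.
server {
    listen 80;
    listen [::]:80;
    server_name central.example.org;
    return 301 https://central.example.org$request_uri;
}

# The real site over HTTPS (assumed certificate paths). The application's
# location blocks go here; they are not part of this example.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name central.example.org;
    ssl_certificate     /etc/nginx/central.crt;
    ssl_certificate_key /etc/nginx/central.key;
}
```

To check the result after reloading nginx, send a request with a wrong Host header, for example with curl using a Host: header of the bare IP address or any made-up domain; curl should report an empty reply from the server on both port 80 and port 443, while a request with Host: central.example.org still reaches the site. Validate the file with "nginx -t" first, since a default_server block that lacks certificate directives on its ssl listener will keep nginx from starting at all.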

If you are using HTTPS, which is the default configuration, this attack is not possible. See https://security.stackexchange.com/questions/137855/does-https-protect-against-dns-rebinding for more.

Are you using HTTPS?

Thanks for your comments.

We've adapted the redirect.conf file, now the IP address is no longer visible and the IT security guys are happy again.

Cheers,

Marcel
