I have a specific question on how to prevent DNS rebind attacks on a Kong Gateway.
The scenario is the following:
We have a shared Kong gateway instance, and there are services configured with hostnames whose DNS configuration we don't control.
This means if a service with a target like "some-domain.com:8001" is created and later the DNS records for this host are changed to e.g. "127.0.0.1", the Kong admin API would be exposed.
How can I ensure that local / reserved LAN IPs are not possible as a service target?
My first idea was to set a custom DNS resolver (KONG_DNS_RESOLVER) that filters hosts that point to forbidden IP ranges, but since our database is in some of those forbidden local IP ranges, this is not possible.
What I actually need would be the possibility to set a custom DNS resolver only for API traffic.
Any suggestions on how to handle this?
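Added example (editor's illustration, not part of the original post and not Kong's own code): the forbidden-IP-range filter the question sketches, written as a stand-alone Python check that can be run against a target string such as "some-domain.com:8001" before the service or target is created. It resolves the host, unwraps IPv4-mapped IPv6 answers, and rejects the target if any A/AAAA answer falls into a loopback, link-local, private, multicast, unspecified or otherwise non-global range. The function names, the `CONSTRUCTED_ZONE` lookup table and the hostnames in it are assumptions made up for the example; the table stands in for real DNS so the block runs offline. Note the caveat that follows from the question itself: this only tells you what a name resolves to at check time, so it is admission-time validation (re-run it periodically), not a runtime resolver, and on its own it cannot stop a record that is rebound after the check.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical helper names (not a Kong API): a creation-time filter that
# rejects upstream targets resolving into loopback / private / link-local /
# multicast / reserved / unspecified ranges, i.e. anything that could reach
# the admin API on 127.0.0.1:8001 or other internal services.


def forbidden_reason(ip_text: str) -> Optional[str]:
    """Return why an address is forbidden, or None if it is a routable public IP."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is loopback in disguise; check the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:          # 169.254.0.0/16, fe80::/10 (cloud metadata lives here)
        return "link-local"
    if ip.is_private:             # RFC 1918, fc00::/7 ULA and friends
        return "private"
    if ip.is_multicast:
        return "multicast"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_reserved or not ip.is_global:
        return "reserved"
    return None


def split_target(target: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port', '[v6]:port' or a bare host; no default port is assumed."""
    if target.startswith("["):                      # [v6]:port or [v6]
        host, _, rest = target[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
    if target.count(":") > 1:                       # bare IPv6 literal, no port
        return target, None
    host, sep, port = target.partition(":")
    return host, int(port) if sep and port.isdigit() else None


def system_resolve(host: str) -> List[str]:
    """Resolve with the system resolver and return every A/AAAA answer."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_target(target: str,
                 resolve: Callable[[str], List[str]] = system_resolve) -> List[str]:
    """Return [] if every address the target resolves to is allowed, otherwise a
    list of 'address: reason' problems. Every answer is checked, because a zone
    under attacker control can return one public and one internal record."""
    host, _port = split_target(target)
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal: no lookup needed
    except ValueError:
        # Hostnames (and shorthand such as '127.1', which ip_address rejects)
        # go through the resolver, so the shorthand is still caught.
        addresses = resolve(host)
    if not addresses:
        return [f"{host}: does not resolve"]
    return [f"{addr}: {reason}" for addr in addresses
            if (reason := forbidden_reason(addr)) is not None]


# Constructed sample data standing in for DNS answers; not real records.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "api.example.com": ["93.184.216.34"],
    "rebound.example.com": ["93.184.216.34", "127.0.0.1"],  # rebinding: one record is loopback
    "metadata.example.com": ["169.254.169.254"],
    "v6.example.com": ["::ffff:127.0.0.1"],
}


def table_resolver(host: str) -> List[str]:
    """Offline resolver over the constructed zone above."""
    return CONSTRUCTED_ZONE.get(host, [])


if __name__ == "__main__":
    for t in ["api.example.com:8001", "rebound.example.com:8001",
              "metadata.example.com:80", "v6.example.com:8001",
              "[::1]:8001", "10.0.0.5:5432", "nx.example.com:8001"]:
        problems = check_target(t, table_resolver)
        print(f"{t:28} {'OK' if not problems else 'REJECT ' + '; '.join(problems)}")
```

Usage: call `check_target("some-domain.com:8001")` (with the default system resolver) from whatever creates services or targets via the admin API, and refuse the create or update when it returns a non-empty list. Because the check is per-address, a name that answers with both a public and a loopback record is rejected rather than accepted on the first answer.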