Prevention of potential DNS rebind attacks

Hi all,

I have a specific question on how to prevent DNS rebind attacks on a Kong Gateway.
The scenario is the following:

We have a shared Kong gateway instance and there are services configured with hostnames of which we don’t control the DNS configuration.

This means if a service with a target like “some-domain.com:8001” is created and later the
DNS records for this host are changed to e.g. “127.0.0.1”, the Kong admin API would be exposed.

How can I ensure that local / reserved LAN IPs are not possible as a service target?

My first idea was to set a custom DNS resolver (KONG_DNS_RESOLVER) that filters hosts that point to forbidden IP ranges, but since our database is in some of those forbidden local IP ranges, this is not possible.

What I actually need would be the possibility to set a custom DNS resolver only for API traffic.

Any suggestions on how to handle this?

3 Likes
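The check the post is asking for, written out as an added example (not Kong code and not from the original poster): every time the gateway resolves an upstream hostname, the answer is tested against a list of local and reserved networks before a connection is made, and a small allowlist exempts hosts that legitimately live in private space (the poster's database). The decisive detail for rebinding is that the test runs on each resolution, not once at service-creation time, since the records change after the service has been accepted. Everything here is constructed for the demonstration: the blocked-network list, the hostnames and the in-memory resolver that first answers with a public address and then with 127.0.0.1. In Kong this logic would be adapted into the point where the upstream address is chosen, for example a custom plugin's access phase; that placement is an assumption, not something the post describes.

```python
"""Request-time guard that refuses upstream targets resolving to local or
reserved address space, with an allowlist for hosts that legitimately
live there (e.g. the gateway's own database)."""
import ipaddress
from typing import Callable, Iterable

# Address space an outbound gateway hop should normally never reach.
# Constructed list for this example; extend it for your own environment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class ForbiddenTarget(Exception):
    """Raised when a hostname resolves into blocked address space."""


def is_forbidden_ip(text: str) -> bool:
    addr = ipaddress.ip_address(text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as 127.0.0.1,
    # otherwise the IPv6 form would slip past an IPv4-only list.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


Resolver = Callable[[str], Iterable[str]]


def resolve_upstream(host: str, resolver: Resolver,
                     allowlist: frozenset = frozenset()) -> list[str]:
    """Resolve host and return its addresses, raising ForbiddenTarget if the
    answer lands in blocked space. Call this on every request, not only when
    the service is created: a rebind changes the answer after the fact."""
    addrs = list(resolver(host))
    if not addrs:
        raise ForbiddenTarget(f"{host}: no address")
    if host in allowlist:          # explicitly trusted private-space host
        return addrs
    bad = [a for a in addrs if is_forbidden_ip(a)]
    if bad:
        # Reject the whole answer, not just the offending records: a mixed
        # public/private answer is itself a rebinding pattern.
        raise ForbiddenTarget(f"{host} resolves to blocked address(es): {bad}")
    return addrs


# Constructed DNS table simulating a rebind: the same name first answers with
# a public (documentation-range) address, then with the loopback address.
_REBIND_TABLE = {
    "some-domain.com": [["203.0.113.10"], ["127.0.0.1"]],
    "db.internal": [["10.20.0.5"]],
    "mixed.example": [["203.0.113.20", "::ffff:127.0.0.1"]],
}


def make_table_resolver(table):
    """Return a resolver that hands out each name's answers in sequence and
    then keeps repeating the last one (models a TTL expiry followed by a
    changed record)."""
    state = {name: list(answers) for name, answers in table.items()}

    def resolver(host):
        answers = state.get(host, [])
        if not answers:
            return []
        return answers.pop(0) if len(answers) > 1 else answers[0]
    return resolver


def demo():
    r = make_table_resolver(_REBIND_TABLE)
    results = {}
    results["first"] = resolve_upstream("some-domain.com", r)   # public: accepted
    try:
        resolve_upstream("some-domain.com", r)                  # rebound to 127.0.0.1
        results["second"] = "accepted"
    except ForbiddenTarget:
        results["second"] = "refused"
    # The database lives in 10.0.0.0/8 but is explicitly allowlisted.
    results["db"] = resolve_upstream("db.internal", r,
                                     allowlist=frozenset({"db.internal"}))
    try:
        resolve_upstream("mixed.example", r)                    # mixed answer
        results["mixed"] = "accepted"
    except ForbiddenTarget:
        results["mixed"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices are worth noting. The allowlist is keyed by hostname rather than by address, so the database stays reachable without opening its whole /8 to every other upstream; and an answer containing any blocked record is refused in full, because a resolver that returns one public and one private address is exactly the shape a rebinding attempt takes once the first answer has been cached.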

Hi all,

Does anybody have suggestions on how to prevent this potential attack in Kong? How do you handle this when you expose a service whose DNS records/config you don’t control?

1 Like