Prevention of potential DNS rebind attacks

Hi all,

I have a specific question on how to prevent DNS rebind attacks on a Kong Gateway.
The scenario is following:

We have a shared Kong gateway instance, and there are services configured with hostnames whose DNS configuration we don't control.

This means if a service with a target like "some-domain.com:8001" is created and later the DNS record for this host is changed to e.g. "127.0.0.1", the Kong admin API would be exposed.

How can I ensure that local / reserved LAN IPs are not possible as a service target?

My first idea was to set a custom DNS resolver (KONG_DNS_RESOLVER) that filters hosts that point to forbidden IP ranges, but since our database is in some of those forbidden local IP ranges, this is not possible.

What I actually need would be the possibility to set a custom DNS resolver only for API traffic.

Any suggestions on how to handle this?

3 Likes
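As an added illustration (not code from the thread or from Kong), here is the kind of check the question asks for: resolve a service target and reject it if any address falls in a reserved or local range, with a hostname exemption for the database case raised above. The resolver is injectable so the check can be tested without network access; the range list and names are assumptions for this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple

# Ranges a service target must never resolve to: "this network", RFC 1918,
# CGNAT, loopback, link-local, and their IPv6 counterparts.
# Assumption: this list is illustrative; tailor it to your own network.
FORBIDDEN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_forbidden_ip(ip: str) -> bool:
    """True if ip lies in a reserved range; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in FORBIDDEN_NETWORKS)

def system_resolver(host: str) -> Iterable[str]:
    """Resolve host to all A/AAAA addresses through the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_service_target(
    host: str,
    resolver: Callable[[str], Iterable[str]] = system_resolver,
    exempt_hosts: Iterable[str] = (),
) -> Tuple[bool, str]:
    """Decide whether `host` (hostname only, no port) may be an upstream right now.

    Every resolved address must be outside FORBIDDEN_NETWORKS unless the
    hostname is exempt (e.g. an internal database the gateway itself needs).
    Records can change after the service is created, so run this on every
    resolution, not only once at creation time.
    """
    if host in set(exempt_hosts):
        return True, "exempt host"
    try:
        ipaddress.ip_address(host)   # literal IP target needs no lookup
        addrs = [host]
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        return False, "no address resolved"
    bad = [a for a in addrs if is_forbidden_ip(a)]
    if bad:
        return False, "resolves to reserved address(es): " + ", ".join(bad)
    return True, "ok"
```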

Hi all,

Does anybody have suggestions on how to prevent this potential attack in Kong? How do you handle this when you expose a service whose DNS records/config you don't control?

1 Like

I have just had another look at this and wonder whether switching to hybrid mode could help with this by separating the admin API from the proxies. The traffic from the proxies to the admin API port could then be restricted.

Is there someone from Kong who could chime in on best practices regarding this potential security issue?