Query Details

07 DNS Rebinding Rapid TTL

Query

id: a1b2c3d4-0007-4a5b-8c9d-dns007rebinding
name: DNS Rebinding — Rapid TTL Change for Same Domain
description: |
  Detects DNS rebinding preparation by identifying domains that resolve to
  multiple different IP addresses within a short window with rapid re-resolution.
  In a DNS rebinding attack, the attacker's domain initially resolves to a public
  IP, then switches to an internal/loopback IP (127.0.0.1, 192.168.x.x, 0.0.0.0)
  after the TTL expires. This allows JavaScript from the attacker's domain to
  access internal services by bypassing the browser's Same-Origin Policy.
  Ref: GitHub Security Lab — "DNS rebinding attacks explained"
  Ref: Singularity of Origin (NCC Group), rbndr (Tavis Ormandy)
severity: Medium
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - LateralMovement
  - DefenseEvasion
relevantTechniques:
  - T1557
  - T1090
tags:
  - DNS Rebinding
  - Same-Origin Policy Bypass
  - SSRF
  - Browser-based attack
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(30m)
  | where EventResult =~ "Success"
  | where DnsAnswerCount > 0
  | summarize
      QueryCount      = count(),
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated),
      SrcHostname     = any(SrcHostname)
    by SrcIpAddr, DnsQuery
  | where QueryCount >= 5
  | extend SpanSeconds = datetime_diff('second', LastSeen, FirstSeen)
  | where SpanSeconds > 0
  | extend ReResolutionRate = round(todouble(QueryCount) / todouble(SpanSeconds) * 60.0, 2)
  | where ReResolutionRate >= 2
  | project
      SrcIpAddr,
      SrcHostname,
      DnsQuery,
      QueryCount,
      ReResolutionRate,
      SpanSeconds,
      FirstSeen,
      LastSeen
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: DnsQuery
alertDetailsOverride:
  alertDisplayNameFormat: "DNS Rebinding — {{SrcHostname}} re-resolved {{DnsQuery}} {{QueryCount}} times"
  alertDescriptionFormat: "Potential DNS rebinding: {{SrcHostname}} re-resolved {{DnsQuery}} {{QueryCount}} times in {{SpanSeconds}} seconds ({{ReResolutionRate}} re-resolutions/min). Attackers use rapid TTL expiry to redirect domain from public to internal IP."
customDetails:
  ReResolutionRate: ReResolutionRate
  TargetDomain: DnsQuery

Explanation

This query is designed to detect potential DNS rebinding attacks by monitoring DNS activity. Here's a simplified breakdown:

  1. Purpose: The query identifies domains that resolve to multiple different IP addresses within a short time frame, which is a common behavior in DNS rebinding attacks. These attacks can allow an attacker to bypass browser security and access internal services.

  2. Data Source: It uses DNS activity logs from Windows DNS via the WindowsDnsAma connector.

  3. Frequency: The query runs every 30 minutes and looks at DNS logs from the past 30 minutes.

  4. Detection Logic:

    • It filters for successful DNS queries with at least one answer.
    • It groups the data by source IP address and DNS query, counting how many times each query was made.
    • It calculates the time span between the first and last query for each group.
    • It computes the re-resolution rate, which is how often the DNS query is resolved per minute.
    • It flags cases where a domain is queried at least 5 times and the re-resolution rate is 2 or more per minute.

  5. Output: The query outputs details like the source IP address, source hostname, DNS query, number of queries, re-resolution rate, and time span of the queries.

  6. Alerts: If the conditions are met, an alert is generated with details about the potential DNS rebinding activity, including how many times the domain was re-resolved and the rate of re-resolution.

  7. Severity and Tactics: The severity is marked as Medium, and it relates to tactics like Lateral Movement and Defense Evasion, with techniques T1557 and T1090.

  8. Tags: The query is tagged with terms like DNS Rebinding, Same-Origin Policy Bypass, SSRF, and Browser-based attack to categorize the type of threat.

In essence, this query is a security measure to detect suspicious DNS behavior that could indicate a DNS rebinding attack, which is a method attackers use to exploit vulnerabilities in web browsers and access internal networks.
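The KQL above scores only query cadence: a name that one host re-resolves at least five times, at two or more lookups per minute, fires regardless of what the answers were. That is a reasonable first filter, but a low-TTL CDN or load-balanced name produces exactly the same cadence, and the rule never looks at DnsResponseName to see whether the answers actually moved from a public address to the loopback/RFC 1918/0.0.0.0 ranges the description names. The following Python is an added example, not code from the query author or from the Sentinel content, that re-implements the rule's grouping, span and rate arithmetic over constructed sample rows and then adds the answer-address check as a triage signal. It assumes the ASIM field names shown in the query plus DnsResponseName carrying one resolved address per row; the hosts, domains and addresses are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# The "internal/loopback" ranges the rule description mentions (RFC 1918,
# loopback, 0.0.0.0, link-local), extended with their IPv6 counterparts.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass
class DnsRecord:
    """One row shaped like ASimDnsActivityLogs (assumption: ASIM DNS field names)."""
    TimeGenerated: datetime
    SrcIpAddr: str
    SrcHostname: str
    DnsQuery: str
    EventResult: str
    DnsAnswerCount: int
    DnsResponseName: str  # resolved address; assumption: one A/AAAA answer per row


def is_internal(addr: str) -> bool:
    """True when the answer is an address inside one of the internal ranges."""
    try:
        ip = ip_address(addr)
    except ValueError:          # CNAME target or malformed answer: not an address
        return False
    return any(ip in net for net in INTERNAL_NETS)


def detect_rapid_reresolution(records, min_queries=5, min_rate_per_min=2.0):
    """Same grouping and thresholds as the KQL, plus an answer-address triage flag."""
    groups = defaultdict(list)
    for r in records:
        # where EventResult =~ "Success" | where DnsAnswerCount > 0
        if r.EventResult.lower() != "success" or r.DnsAnswerCount <= 0:
            continue
        groups[(r.SrcIpAddr, r.DnsQuery)].append(r)   # summarize ... by SrcIpAddr, DnsQuery

    findings = []
    for (src_ip, query), rows in groups.items():
        query_count = len(rows)
        if query_count < min_queries:                  # where QueryCount >= 5
            continue
        first_seen = min(r.TimeGenerated for r in rows)
        last_seen = max(r.TimeGenerated for r in rows)
        span_seconds = int((last_seen - first_seen).total_seconds())  # datetime_diff('second', ...)
        if span_seconds <= 0:                          # where SpanSeconds > 0 (no divide by zero)
            continue
        rate = round(query_count / span_seconds * 60.0, 2)
        if rate < min_rate_per_min:                    # where ReResolutionRate >= 2
            continue
        answers = [r.DnsResponseName for r in rows]
        # Added signal the KQL lacks: answers covered both a public and an internal address.
        flip = any(not is_internal(a) for a in answers) and any(is_internal(a) for a in answers)
        findings.append({
            "SrcIpAddr": src_ip,
            "SrcHostname": rows[0].SrcHostname,
            "DnsQuery": query,
            "QueryCount": query_count,
            "ReResolutionRate": rate,
            "SpanSeconds": span_seconds,
            "DistinctAnswers": sorted(set(answers)),
            "PublicToInternalFlip": flip,
        })
    return sorted(findings, key=lambda f: (f["SrcIpAddr"], f["DnsQuery"]))


def _rows(host, src, query, answers, step_seconds,
          start=datetime(2026, 3, 26, 12, 0, 0), result="Success"):
    """Build one row per answer, spaced step_seconds apart (constructed data helper)."""
    return [DnsRecord(start + timedelta(seconds=i * step_seconds), src, host, query, result, 1, a)
            for i, a in enumerate(answers)]


# Constructed sample log, not captured telemetry.
SAMPLE_RECORDS = (
    # Rebinding pattern: public answer, then loopback; 6 lookups in 120 s -> 3.0/min
    _rows("ws01", "10.0.0.5", "rebind.example", ["203.0.113.10"] * 3 + ["127.0.0.1"] * 3, 24)
    # Low-TTL CDN name: same cadence, answer never changes -> rule fires, flip stays False
    + _rows("ws01", "10.0.0.5", "cdn.example", ["198.51.100.7"] * 6, 24)
    # Only 3 lookups: below the QueryCount threshold
    + _rows("ws02", "10.0.0.9", "mail.example", ["198.51.100.25"] * 3, 24)
    # 5 lookups with identical timestamps: SpanSeconds == 0, dropped like the KQL does
    + _rows("ws02", "10.0.0.9", "burst.example", ["127.0.0.1"] * 5, 0)
    # Failed lookups are filtered out before counting
    + _rows("ws03", "10.0.0.11", "rebind.example", ["127.0.0.1"] * 6, 10, result="Failure")
)

if __name__ == "__main__":
    for finding in detect_rapid_reresolution(SAMPLE_RECORDS):
        print(finding)
```

Run as a script it prints two findings for ws01: both names clear the 5-query and 2/min thresholds with identical numbers, and only PublicToInternalFlip separates the rebinding candidate from the CDN name. In KQL the same refinement would mean adding make_set(DnsResponseName) to the summarize and testing the set against the internal ranges with ipv4_is_private and ipv4_is_match, which is worth doing before raising the rule's severity above Medium.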

Details


David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogs, Host, IpAddress, DomainName

Operators

ASimDnsActivityLogs, where, ago, =~, summarize, count, min, max, any, by, extend, datetime_diff, round, todouble, project
