Query Details

DNS Rebinding — Rapid TTL Change for Same Domain

07 DNS Rebinding Rapid TTL

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(30m)
| where EventResult =~ "Success"
| where DnsAnswerCount > 0
| summarize
    QueryCount      = count(),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated),
    SrcHostname     = any(SrcHostname)
  by SrcIpAddr, DnsQuery
| where QueryCount >= 5
| extend SpanSeconds = datetime_diff('second', LastSeen, FirstSeen)
| where SpanSeconds > 0
| extend ReResolutionRate = round(todouble(QueryCount) / todouble(SpanSeconds) * 60.0, 2)
| where ReResolutionRate >= 2
| project
    SrcIpAddr,
    SrcHostname,
    DnsQuery,
    QueryCount,
    ReResolutionRate,
    SpanSeconds,
    FirstSeen,
    LastSeen

Explanation

This query is designed to detect potential DNS rebinding attacks by monitoring DNS activity. Here's a simplified breakdown:

  1. Purpose: The query identifies domains that resolve to multiple different IP addresses within a short time frame, which is a common behavior in DNS rebinding attacks. These attacks can allow an attacker to bypass browser security and access internal services.

  2. Data Source: It uses DNS activity logs from Windows DNS via the WindowsDnsAma connector.

  3. Frequency: The query runs every 30 minutes and looks at DNS logs from the past 30 minutes.

  4. Detection Logic:

    • It filters for successful DNS queries with at least one answer.
    • It groups the data by source IP address and DNS query, counting how many times each query was made.
    • It calculates the time span between the first and last query for each group.
    • It computes the re-resolution rate, which is how often the DNS query is resolved per minute.
    • It flags cases where a domain is queried at least 5 times and the re-resolution rate is 2 or more per minute.
  5. Output: The query outputs details like the source IP address, source hostname, DNS query, number of queries, re-resolution rate, and time span of the queries.

  6. Alerts: If the conditions are met, an alert is generated with details about the potential DNS rebinding activity, including how many times the domain was re-resolved and the rate of re-resolution.

  7. Severity and Tactics: The severity is marked as Medium, and it relates to tactics like Lateral Movement and Defense Evasion, with techniques T1557 and T1090.

  8. Tags: The query is tagged with terms like DNS Rebinding, Same-Origin Policy Bypass, SSRF, and Browser-based attack to categorize the type of threat.

In essence, this query is a security measure to detect suspicious DNS behavior that could indicate a DNS rebinding attack, which is a method attackers use to exploit vulnerabilities in web browsers and access internal networks.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogsHostIpAddressDomainName

Operators

ASimDnsActivityLogswhereago=~summarizecountminmaxanybyextenddatetime_diffroundtodoubleproject

Severity

Medium

Tactics

LateralMovementDefenseEvasion

MITRE Techniques

Frequency: 30m

Period: 30m

Actions

GitHub