DNS Rebinding — Rapid TTL Change for Same Domain
07 DNS Rebinding Rapid TTL
Query
ASimDnsActivityLogs
| where TimeGenerated > ago(30m)
| where EventResult =~ "Success"
| where DnsAnswerCount > 0
| summarize
QueryCount = count(),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
SrcHostname = any(SrcHostname)
by SrcIpAddr, DnsQuery
| where QueryCount >= 5
| extend SpanSeconds = datetime_diff('second', LastSeen, FirstSeen)
| where SpanSeconds > 0
| extend ReResolutionRate = round(todouble(QueryCount) / todouble(SpanSeconds) * 60.0, 2)
| where ReResolutionRate >= 2
| project
SrcIpAddr,
SrcHostname,
DnsQuery,
QueryCount,
ReResolutionRate,
SpanSeconds,
FirstSeen,
LastSeenExplanation
This query is designed to detect potential DNS rebinding attacks by monitoring DNS activity. Here's a simplified breakdown:
-
Purpose: The query identifies domains that resolve to multiple different IP addresses within a short time frame, which is a common behavior in DNS rebinding attacks. These attacks can allow an attacker to bypass browser security and access internal services.
-
Data Source: It uses DNS activity logs from Windows DNS via the WindowsDnsAma connector.
-
Frequency: The query runs every 30 minutes and looks at DNS logs from the past 30 minutes.
-
Detection Logic:
- It filters for successful DNS queries with at least one answer.
- It groups the data by source IP address and DNS query, counting how many times each query was made.
- It calculates the time span between the first and last query for each group.
- It computes the re-resolution rate, which is how often the DNS query is resolved per minute.
- It flags cases where a domain is queried at least 5 times and the re-resolution rate is 2 or more per minute.
-
Output: The query outputs details like the source IP address, source hostname, DNS query, number of queries, re-resolution rate, and time span of the queries.
-
Alerts: If the conditions are met, an alert is generated with details about the potential DNS rebinding activity, including how many times the domain was re-resolved and the rate of re-resolution.
-
Severity and Tactics: The severity is marked as Medium, and it relates to tactics like Lateral Movement and Defense Evasion, with techniques T1557 and T1090.
-
Tags: The query is tagged with terms like DNS Rebinding, Same-Origin Policy Bypass, SSRF, and Browser-based attack to categorize the type of threat.
In essence, this query is a security measure to detect suspicious DNS behavior that could indicate a DNS rebinding attack, which is a method attackers use to exploit vulnerabilities in web browsers and access internal networks.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 30m
Period: 30m