Dns Rebinding in Cassandra

DNS rebinding attacks against Cassandra databases exploit the way Cassandra's native drivers handle host resolution and connection pooling. When a malicious actor controls DNS resolution for a seemingly legitimate endpoint, they can redirect traffic from what appears to be a trusted service to a private network address, bypassing Cassandra's network access controls.

The attack typically unfolds in three phases. First, the attacker registers a domain and configures a short TTL DNS record pointing to their public IP. When a Cassandra client attempts to connect to what it believes is a legitimate endpoint, the driver resolves the hostname and establishes a connection. In the second phase, the attacker quickly changes the DNS record to point to a private IP address within the target network's CIDR range. Many Cassandra drivers cache DNS resolutions for extended periods, but some implementations will respect TTL values and re-resolve hostnames. The third phase occurs when the client re-resolves the hostname and connects to the private IP, which may be a Cassandra node or another service that trusts the client's network origin.

Cassandra's native driver architecture makes this particularly dangerous. The DataStax Java Driver, for example, uses a load-balancing policy that may re-resolve contact points based on TTL settings. Consider this vulnerable connection pattern:

Cluster cluster = Cluster.builder()
    .addContactPoint("api.example.com")
    .withLoadBalancingPolicy(new DCAwareRoundRobinPolicy())
    .build();

If "api.example.com" resolves to a public IP initially but then to a private IP like 10.0.0.5, the driver may establish a connection to an internal Cassandra node that was never intended to be exposed to that client. This is especially problematic in multi-cloud or hybrid deployments where Cassandra nodes communicate across network boundaries.

The risk compounds with Cassandra's gossip protocol and internode communication. Nodes communicate using their broadcast addresses, and if an attacker can influence DNS resolution for these addresses, they might intercept or manipulate internode traffic. This could lead to data exfiltration or even cluster compromise if the attacker can inject malicious gossip messages.

Another manifestation occurs with Cassandra's authentication mechanisms. If a client connects to what it believes is an authentication proxy but is actually a Cassandra node due to DNS rebinding, the node might accept the connection based on network location rather than proper authentication. This is particularly dangerous when Cassandra is configured with less stringent network-based access controls for "trusted" networks.

Detecting DNS rebinding vulnerabilities in Cassandra deployments requires examining both configuration and runtime behavior. The first line of defense is analyzing how your Cassandra clients resolve and cache DNS entries. Tools like dig with +trace can reveal DNS resolution paths, but automated scanning provides more comprehensive coverage.

middleBrick's scanning approach for Cassandra specifically targets the driver-level vulnerabilities that enable DNS rebinding. The scanner examines your API endpoints for patterns typical in Cassandra client implementations, including:

package com.datastax.driver.core;

// Vulnerable patterns middleBrick detects:
Cluster cluster = Cluster.builder()
    .addContactPoint("cassandra.example.com")
    .withSocketOptions(new SocketOptions().setConnectTimeoutMillis(5000))
    .build();

The scanner tests for improper DNS handling by attempting to resolve contact points through multiple network interfaces and checking if connections can be established to unexpected IP ranges. It specifically looks for configurations where TTL values are not properly validated or where the driver might connect to private IP ranges without additional verification.

For Cassandra clusters themselves, middleBrick analyzes configuration files like cassandra.yaml for network exposure settings. It checks for broadcast addresses that might resolve to public DNS names, native transport settings that listen on wildcard addresses, and RPC configurations that could allow unintended access. The scanner also examines JMX ports, which are often overlooked but can provide a secondary attack vector if accessible through DNS rebinding.

Runtime detection involves monitoring connection patterns for anomalies. If a client that typically connects from a specific IP range suddenly appears to connect from a different network, this could indicate a DNS rebinding attack. middleBrick's continuous monitoring in Pro tier can alert on these pattern changes, though the primary detection occurs during the initial scan phase.

The scanner also tests for Cassandra's handling of SRV records and other advanced DNS features that might be exploited in rebinding attacks. Some implementations might follow CNAME chains or accept SRV records pointing to private IPs, creating additional attack surfaces.

Remediating DNS rebinding vulnerabilities in Cassandra environments requires a multi-layered approach that addresses both client and server configurations. The most effective strategy combines proper network segmentation with application-level controls.

For Cassandra clients, the primary remediation is implementing DNS pinning with strict TTL validation. The DataStax driver allows custom name resolver implementations:

import com.datastax.driver.core.policies.DCAwareRoundRobinPolicy;
import com.datastax.driver.core.policies.LoadBalancingPolicy;

public class SecureNameResolver implements NameResolver {
    private static final int MAX_TTL = 300; // 5 minutes
    private static final Set<String> ALLOWED_DOMAINS = Set.of("trusted.example.com");
    
    @Override
    public List<InetAddress> resolve(String name) throws UnknownHostException {
        if (!ALLOWED_DOMAINS.contains(name)) {
            throw new UnknownHostException("Untrusted domain: " + name);
        }
        
        List<InetAddress> addresses = DefaultNameResolver.INSTANCE.resolve(name);
        for (InetAddress address : addresses) {
            if (address instanceof Inet4Address) {
                byte[] bytes = address.getAddress();
                if (bytes[0] == 10 || // Class A private
                    bytes[0] == 172 && (bytes[1] >> 4) == 16 || // Class B private
                    bytes[0] == 192 && bytes[1] == 168) { // Class C private
                    throw new UnknownHostException("Private IP detected: " + address);
                }
            }
        }
        return addresses;
    }
}

Cluster cluster = Cluster.builder()
    .addContactPoint("cassandra.example.com")
    .withLoadBalancingPolicy(new DCAwareRoundRobinPolicy())
    .withNameResolver(new SecureNameResolver())
    .withSocketOptions(new SocketOptions().setConnectTimeoutMillis(3000))
    .build();

This implementation prevents connections to private IP ranges and restricts resolution to trusted domains. The MAX_TTL setting ensures that DNS changes cannot be rapidly exploited.

On the Cassandra server side, configure strict network access controls. In cassandra.yaml, set rpc_address and native_transport_address to specific interfaces rather than 0.0.0.0 or localhost. Use firewall rules to restrict access to known client IP ranges. For example:

# cassandra.yaml configuration
rpc_address: 10.0.0.5
native_transport_address: 10.0.0.5
native_transport_port: 9042

# Optional: enable client authentication
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

For applications that must connect across network boundaries, implement VPN or VPC peering rather than relying on public DNS resolution. This eliminates the DNS rebinding attack surface entirely.

middleBrick's remediation guidance includes specific configuration templates for common deployment scenarios. For Kubernetes environments, it recommends headless services with fixed IP assignments rather than DNS-based discovery. For multi-cloud setups, it suggests using private links or service mesh solutions that provide end-to-end encryption and authentication.

Additionally, implement monitoring for unusual connection patterns. Set up alerts for connections from unexpected IP ranges or sudden changes in client behavior. middleBrick's Pro tier includes these monitoring capabilities with configurable thresholds and integration with SIEM systems.