Dns Rebinding in Cockroachdb

DNS rebinding attacks exploit the time gap between DNS resolution and HTTP request processing to bypass same-origin policy (SOP) restrictions. In a CockroachDB deployment, this vulnerability becomes critical when the SQL over HTTP interface (http://<node>:8080) or the Admin UI (http://<node>:8080) is exposed to untrusted networks without strict host validation.

CockroachDB's distributed nature introduces specific attack surfaces. Each node runs an HTTP server that accepts SQL statements via /sql endpoint and administrative requests via /_admin/v1/. An attacker can craft a malicious webpage that initially loads a script from a domain they control. The domain's DNS record first resolves to the attacker's server (passing SOP checks), then within the browser's DNS cache TTL, switches to resolve to an internal CockroachDB node IP (e.g., 10.0.0.5:8080). The browser, believing it's same-origin, sends authenticated requests (including any cookies or HTTP auth headers) to the internal CockroachDB node.

This manifests in two CockroachDB-specific patterns:

• Admin UI Credential Theft: If the Admin UI is exposed, a rebinding attack can cause an administrator's browser to send session cookies to the attacker's server via a crafted fetch() call to http://internal-cockroach:8080/_admin/v1/settings. The attacker's DNS server responds with a redirect or captures the request.
• SQL Injection via Rebounding: An attacker can make a victim's browser execute arbitrary SQL against the internal cluster. For example, a script tag loading http://rebound.example.com/sql?q=DROP+TABLE+users where rebound.example.com first resolves to the attacker's IP (serving a harmless page), then to 10.0.0.5:8080. The browser sends the q parameter to CockroachDB's SQL endpoint as a same-origin request.

CockroachDB's HTTP server historically did not strictly validate the Host header against its configured listen addresses, making it susceptible when behind a proxy that forwards all hostnames. While recent versions include host validation (--http-valid-hostnames), misconfiguration or omission leaves the attack viable.

Detecting DNS rebinding vulnerabilities in CockroachDB requires testing whether the HTTP server accepts requests with mismatched Host headers that resolve to internal IPs. Manual testing involves:

1. Configuring a DNS server (or /etc/hosts) to return an external IP for your CockroachDB domain initially, then switching to an internal IP after a short delay.
2. Using a browser or curl with --header "Host: your-cockroachdb.example.com" to send requests to the internal IP while the DNS cache is poisoned.
3. Observing if CockroachDB responds with SQL results or admin data, indicating it processed the request despite the host mismatch.

Automated detection with middleBrick simulates this attack during its SSRF/DNS rebinding check. The scanner:

• Resolves the target domain to an IP, then sends HTTP requests with a Host header pointing to the original domain but directed to a private IP (e.g., 127.0.0.1, 10.0.0.1).
• Tests common CockroachDB endpoints like /sql, /health, and /_admin/v1/settings.
• Flags a vulnerability if the server responds with HTTP 200 and content indicating internal service exposure (e.g., "result":[] from /sql or JSON settings from /_admin/v1/settings).

Run a scan via middleBrick's CLI:

middlebrick scan https://your-cockroachdb.example.com:8080

The report will include a DNS rebinding finding under the SSRF category if the endpoint is vulnerable, with severity based on exposure (public internet vs. internal network). The Dashboard tracks this score over time, and the GitHub Action can fail PRs if a new scan detects this issue.

Remediation focuses on restricting which Host headers CockroachDB's HTTP server will accept. Use the following native configurations:

1. Set Explicit Advertise and Listen Addresses

When starting CockroachDB, use --advertise-addr to specify the address clients should use, and --http-addr to bind the HTTP interface only to the intended interface. Combine with --http-valid-hostnames to whitelist acceptable Host headers.

cockroach start \
  --advertise-addr=cockroachdb.example.com:26257 \
  --http-addr=0.0.0.0:8080 \
  --http-valid-hostnames=cockroachdb.example.com,localhost \
  --store=/path/to/store \
  --join=node1:26257,node2:26257,node3:26257

This ensures that even if a request arrives at 10.0.0.5:8080 with Host: cockroachdb.example.com, the server will reject it unless the hostname is in the whitelist and the request arrived on an interface bound to that address.

2. Use a Reverse Proxy with Strict Host Validation

Place CockroachDB behind a reverse proxy (e.g., Nginx, HAProxy) that terminates external connections and forwards only requests with an approved Host header. The proxy should also restrict internal IP access.

# Nginx configuration snippet
server {
    listen 80;
    server_name cockroachdb.example.com;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        # Optional: reject requests with non-matching Host
        if ($host != "cockroachdb.example.com") {
            return 403;
        }
    }
}

3. Network-Level Controls

Even with application-level fixes, block external access to CockroachDB's HTTP port (8080) at the firewall level. Only allow the proxy's IP or specific bastion hosts to reach 8080.

# iptables example: allow only proxy IP to access 8080
iptables -A INPUT -p tcp --dport 8080 -s 203.0.113.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

4. Disable Unnecessary HTTP Endpoints

If the SQL over HTTP interface is not needed, disable it entirely. In cockroach start, omit --http-addr or set it to none. The Admin UI can be disabled with --disable-admin-ui.

After applying fixes, rescan with middleBrick to verify the DNS rebinding check passes. The Pro plan's continuous monitoring will alert you if the configuration drifts.