
How to Create Manual DNS Requests to Singularity?

Gérald Doussot edited this page May 27, 2025 · 6 revisions

How to Create Manual DNS Requests to Singularity of Origin

Singularity of Origin comes with a custom DNS server to enable easy DNS rebinding. This is useful for manual testing or attack scenarios where the Manager UI does not provide enough flexibility.

New Format

A DNS request has the following properties since the introduction of the IPv6 support and additional PNA bypasses pull request, commit 3c5ee9a:

s-<AttackerHostSpec>.<TargetHostSpec>-<SessionID>-<RebindingStrategy>-e.<AttackerSubDomain>
  • s: Start
  • <AttackerHostSpec>: Attacker host IP address, hexadecimal encoded (e.g., 23b9cea5 for 35.185.206.165)
  • <TargetHostSpec>: Target service IP address or name, e.g., 7f000001 for 127.0.0.1, 26001406bc00005300000000b81e94ce for 2600:1406:bc00:53::b81e:94ce, localhost for "localhost", 00000000 for 0.0.0.0, 00000000000000000000ffffc0a80160 for the IPv4-mapped IPv6 address ::ffff:192.168.1.96 (the last one can be entered as ::ffff:c0a8:0160 in the Singularity Manager interface).
  • <SessionID>: Session identifier (e.g., 1195020453)
  • <RebindingStrategy>: DNS Rebinding Strategy
    • 'fs': First then always second
    • 'ma': Multiple answers
    • 'rr': Round robin
    • 'rd': Random
  • e: End
  • <AttackerSubDomain>: Attacker subdomain (e.g., d.rebind.it)

Old Format

Prior to the IPv6 support and additional PNA bypasses pull request, commit 3c5ee9a, a request had the following format:

s-<IPaddressAttacker>-<IPaddressTarget>-<SessionID>-<RebindingStrategy>-e.d.rebind.it
  • s: Start
  • <IPaddressAttacker>: Attacker host IP address (e.g. 35.185.206.165)
  • <IPaddressTarget>: Target service IP address or name (e.g. 127.0.0.1)
  • <SessionID>: Session identifier (e.g. 1234567890)
  • <RebindingStrategy>: DNS Rebinding Strategy
    • 'fs': First then always second
    • 'ma': Multiple answers
    • 'rr': Round robin
    • 'rd': Random
  • e: End
  • d.rebind.it: Attacker subdomain

Sample Requests

New Format

Resolve to 2600:1900:4040:c04a:: in the first request and then always :: starting with the second request (first then second rebinding strategy):

dig -t aaaa +short s-260019004040c04a0000000000000000.00000000000000000000000000000000-1234567890-fs-e.d.rebind.it @d.rebind.it

Always return both IP addresses, 35.185.206.165 and 127.0.0.1 (multiple answers rebinding strategy):

dig +short +additional s-23b9cea5.7f000001-1234567891-ma-e.d.rebind.it @d.rebind.it

Randomly alternate DNS responses between 35.185.206.165 and 127.0.0.1 (random rebinding strategy):

dig +short s-23b9cea5.7f000001-123456792-rd-e.d.rebind.it @d.rebind.it

Resolve to 35.185.206.165 in the first request and then always return a CNAME pointing to localhost starting with the second request (first then second rebinding strategy):

dig +short s-23b9cea5.localhost-123456793-fs-e.d.rebind.it @d.rebind.it

To resolve to a CNAME that contains a dash (-) you have to double-encode the dash using -- as Singularity uses the dash as a field delimiter. Resolve to 35.185.206.165 in the first request and then always return a CNAME pointing to test-host.example.com starting with the second request (first then second rebinding strategy):

dig +short s-23b9cea5.test--host.example.com-123456794-fs-e.d.rebind.it @d.rebind.it
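
Because the new-format name carries both hosts in the clear, a resolver log can be decoded directly. The following is an added example, not part of Singularity or of the original page: it parses new-format query names and flags those whose target is localhost or a loopback, private or unspecified address. The function names and the "<client> <qtype> <qname>" log layout are assumptions made for the example.

```python
import ipaddress
import re

# Layout from the "New Format" section. Accepting any session ID without "-"
# or "." is an assumption; the page only shows numeric ones.
QNAME_RE = re.compile(
    r"^s-(?P<attacker>[0-9a-f]+)\.(?P<target>.+)-(?P<session>[^-.]+)"
    r"-(?P<strategy>fs|ma|rr|rd)-e\.(?P<zone>.+)$")
HEX_IP_RE = re.compile(r"[0-9a-f]{8}|[0-9a-f]{32}")


def decode_host(spec):
    """8 or 32 hex digits -> IP address object; anything else -> host name."""
    if HEX_IP_RE.fullmatch(spec):
        return ipaddress.ip_address(bytes.fromhex(spec))
    return spec.replace("--", "-")  # "--" is the escaped form of "-"


def is_internal(host):
    """True for localhost and loopback, private or unspecified addresses."""
    if isinstance(host, str):
        return host == "localhost"
    ip = getattr(host, "ipv4_mapped", None) or host  # unwrap ::ffff:a.b.c.d
    return ip.is_loopback or ip.is_private or ip.is_unspecified


def parse_qname(qname):
    """Decode one query name, or return None if it does not fit the layout."""
    m = QNAME_RE.match(qname.lower().rstrip("."))
    if m is None:
        return None
    target = decode_host(m["target"])
    return {"attacker": str(decode_host(m["attacker"])), "target": str(target),
            "session": m["session"], "strategy": m["strategy"],
            "zone": m["zone"], "internal_target": is_internal(target)}


# Constructed resolver log lines ("<client> <qtype> <qname>"); the query names
# are the page's samples plus one unrelated lookup.
SAMPLE_LOG = """\
10.0.0.23 A s-23b9cea5.7f000001-1234567891-ma-e.d.rebind.it
10.0.0.23 AAAA s-260019004040c04a0000000000000000.00000000000000000000000000000000-1234567890-fs-e.d.rebind.it
10.0.0.41 A s-23b9cea5.test--host.example.com-123456794-fs-e.d.rebind.it
10.0.0.41 A www.example.com
"""


def scan(log_text):
    """Return (client, decoded fields) for every matching query in the log."""
    rows = (line.split() for line in log_text.splitlines() if line.strip())
    return [(c, p) for c, _, q in rows if (p := parse_qname(q))]
```

Calling `scan(SAMPLE_LOG)` returns three decoded entries; the first two have `internal_target` set because they rebind to 127.0.0.1 and `::`.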

Old Format

Caution

These sample requests only work in Singularity prior to the introduction of the IPv6 support and additional PNA bypasses pull request, commit 3c5ee9a.

Resolve to 35.185.206.165 in the first request and then always 127.0.0.1 starting with the second request (first then second rebinding strategy):

s-35.185.206.165-127.0.0.1-1234567890-fs-e.d.rebind.it

Always return both IP addresses, 35.185.206.165 and 127.0.0.1 (multiple answers rebinding strategy) unless you use the Singularity web interface (manager UI), in which case things are slightly more complicated:

s-35.185.206.165-127.0.0.1-1234567890-ma-e.d.rebind.it

Alternate between 35.185.206.165 and 127.0.0.1 (round robin rebinding strategy):

s-35.185.206.165-127.0.0.1-1234567890-rr-e.d.rebind.it

Randomly alternate DNS responses between 35.185.206.165 and 127.0.0.1 (random rebinding strategy):

s-35.185.206.165-127.0.0.1-1234567890-rd-e.d.rebind.it

Resolve to 35.185.206.165 in the first request and then always return a CNAME pointing to localhost starting with the second request (first then second rebinding strategy):

s-35.185.206.165-localhost-1234567890-fs-e.d.rebind.it

To resolve to a CNAME that contains a dash (-) you have to double-encode the dash using -- as Singularity uses the dash as a field delimiter. Resolve to 35.185.206.165 in the first request and then always return a CNAME pointing to test-host.example.com starting with the second request (first then second rebinding strategy):

dig s-35.185.206.165-test--host.example.com-1234567890-fs-e.d.rebind.it

Session ID

The idea behind the session ID is to make each request unique so that requests don't interfere with each other, and to support concurrent users in Singularity of Origin. For this to work, you have to choose a unique session ID for each attack. If you reuse the same session ID, or use a simple one such as 123 that another user is also using at the same time, you may get undesired results because these requests interfere with each other.
