Domain Name System (DNS) rebind protection prevents Okta Verify from establishing secure connections, requiring DNS exceptions or switching networks. Unmanaged devices fail to satisfy phishing resistance policy requirements when the network enables DNS rebind protection. This occurs because the router blocks Okta Verify from connecting to browsers or native applications on the device.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta Verify
- Android
- Unmanaged iOS, macOS, and Windows
- Domain Name System (DNS)
DNS rebind protection on specific routers prevents Okta Verify from establishing a secure connection to browsers or native applications on the device. Consequently, Okta fails the phishing resistance checks for logins occurring under these conditions. For more information on Okta Verify, review the FastPass Technical Whitepaper.
How are DNS rebind protection issues resolved?
Depending on the network hardware, one or more solutions can be implemented to address DNS rebind protection issues. Consult the hardware manual for available options and implementation instructions.
Implement one of the following solutions on the network router to allow Okta Verify connections.
- Add an exception to the router or DNS server for the domain authenticatorlocalprod.com.
- Add an exception to the router or DNS server for localhost.
- Disable DNS rebind protection.
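
The following check is an added example, not Okta's code: it reads a dnsmasq configuration and reports which of the router-side options listed above is in effect. It assumes the router's DNS forwarder is dnsmasq and that dnsmasq's stop-dns-rebind, rebind-domain-ok and rebind-localhost-ok settings correspond to those options; the function name audit_dnsmasq and the sample configurations are constructed for illustration.

```python
OKTA_DOMAIN = "authenticatorlocalprod.com"  # domain named on this page


def audit_dnsmasq(conf_text, domain=OKTA_DOMAIN):
    """Report which rebind-protection remedy a dnsmasq config applies."""
    protect = localhost_ok = False
    exempt = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "stop-dns-rebind":
            protect = True
        elif key == "rebind-localhost-ok":
            localhost_ok = True
        elif key == "rebind-domain-ok":
            # Value is "example.com" or "/a.com/b.com/".
            exempt.update(d.lower().strip(".") for d in value.split("/") if d)
    domain = domain.lower()
    # Assumption: an exempted domain also covers its subdomains.
    domain_ok = any(domain == d or domain.endswith("." + d) for d in exempt)
    if not protect:
        status = "protection-disabled"   # rebind filtering is off entirely
    elif domain_ok:
        status = "domain-exception"      # only the Okta domain is exempt
    elif localhost_ok:
        status = "localhost-exception"   # loopback answers allowed for any domain
    else:
        status = "blocked"               # Okta Verify loopback lookups are filtered
    return {"status": status, "rebind_protection": protect,
            "domain_exempt": domain_ok, "localhost_exempt": localhost_ok}


# Constructed sample configurations (not taken from a real router).
BLOCKING = "stop-dns-rebind\n"
NARROW = "stop-dns-rebind\nrebind-domain-ok=/authenticatorlocalprod.com/\n"
LOCALHOST = "stop-dns-rebind\nrebind-localhost-ok  # loopback answers allowed\n"

if __name__ == "__main__":
    samples = [("blocking", BLOCKING), ("narrow", NARROW),
               ("localhost", LOCALHOST), ("empty", "")]
    for name, conf in samples:
        print(name, audit_dnsmasq(conf)["status"])
```

A result of domain-exception keeps rebind filtering active for every other domain, while protection-disabled removes it for all of them.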
What workarounds exist for DNS rebind protection?
End-users can bypass the network restrictions by utilizing an alternate connection method.
- Switch to a cellular or alternate WiFi connection.
- Utilize a private or third-party DNS service.
