DNS Rebinding

DNS Rebinding is an attack that exploits the gap between DNS resolution and the browser's Same-Origin Policy: because the origin is keyed on the hostname rather than the IP address, a malicious website can cause the browser to send requests to internal network resources or localhost services and read the responses.

How It Works

The attacker controls a domain and its authoritative DNS server, which returns changing IP addresses. Initially it returns the attacker's server IP; once the short TTL expires it returns an internal IP (e.g., 127.0.0.1). The hostname has not changed, so the browser treats both addresses as the same origin, allowing the attacker's JavaScript to read responses from the internal resource.

Attack Flow

1. Victim visits attacker.com
   - DNS returns: attacker's server IP (1.2.3.4)
   - Browser loads malicious JavaScript

2. DNS TTL expires (attacker sets very low TTL)

3. JavaScript makes request to attacker.com/api
   - DNS now returns: 127.0.0.1 (or internal IP)
   - Browser considers it same-origin (still attacker.com)

4. JavaScript can read response from internal service
   - Exfiltrate data to attacker's server

Target Services

  • Development servers on localhost
  • Internal admin panels
  • IoT devices on local network
  • Cloud metadata services (169.254.169.254)
  • Internal APIs without authentication

Prevention

  • Validate Host header on server
  • Require authentication for sensitive services
  • Block DNS answers for external domains that resolve to internal, loopback or link-local IPs (at the recursive resolver or firewall)
  • Use DNS pinning in browsers (limited support)
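The two server- and network-side mitigations above (Host header validation and rejecting DNS answers that point external names at internal addresses) can be illustrated in code. The following Python is an added example written for this page, not code from any specific project; the allowed hostnames, the internal-name exemption list and the sample resolver answers are constructed for the demonstration.

```python
import ipaddress
import re

# Hostnames this service legitimately answers for (constructed for this example).
# Anything else in the Host header, including a rebinding domain that now
# resolves to this machine, is refused before any routing happens.
ALLOWED_HOSTS = {"app.internal.example", "localhost"}

# Host header grammar: a bracketed IPv6 literal or a DNS name, optionally ":port".
_HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9a-fA-F:.]+)\]|(?P<name>[A-Za-z0-9.-]+))(?::(?P<port>\d{1,5}))?$"
)


def parse_host_header(value):
    """Split a Host header into (host, port); return None if it is malformed."""
    m = _HOST_RE.match(value.strip())
    if not m:
        return None
    host = m.group("v6") or m.group("name")
    port = int(m.group("port")) if m.group("port") else None
    # Normalise case and a trailing dot so "APP.internal.example." still matches.
    return host.lower().rstrip("."), port


def is_allowed_host(value, allowed=ALLOWED_HOSTS):
    """Server-side check: accept the request only if Host is on the allowlist."""
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, _port = parsed
    return host in allowed


def is_rebinding_answer(qname, answer_ip, internal_names=()):
    """Resolver-side check: True if an external name resolves to an internal address.

    internal_names lists zone names that are expected to map to internal IPs
    (e.g. your own split-horizon domain); every other name is treated as external.
    """
    if qname.lower().rstrip(".") in internal_names:
        return False
    try:
        ip = ipaddress.ip_address(answer_ip)
    except ValueError:
        return True  # unparseable answer: refuse rather than guess
    # An IPv4-mapped IPv6 answer (::ffff:10.0.0.5) must be judged by the embedded v4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Loopback, RFC 1918 / ULA, link-local (covers the 169.254.169.254 metadata
    # address) and the unspecified address are never valid answers for an
    # external name.
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


# Constructed sample of (queried name, answer IP) pairs as a resolver would see them.
# The first answer for attacker.example is the attacker's real server; the later
# ones are the rebinding step from the attack flow above.
SAMPLE_ANSWERS = [
    ("attacker.example", "1.2.3.4"),
    ("attacker.example", "127.0.0.1"),
    ("attacker.example", "169.254.169.254"),
    ("attacker.example", "::ffff:10.0.0.5"),
    ("app.internal.example", "10.0.0.5"),
    ("www.example.com", "5.6.7.8"),
]


def flag_rebinding(answers, internal_names=()):
    """Return the answers a rebinding-aware resolver should drop."""
    return [(q, ip) for q, ip in answers if is_rebinding_answer(q, ip, internal_names)]


if __name__ == "__main__":
    for header in ("app.internal.example:8443", "attacker.example", "[::1]:8080"):
        print(f"Host: {header!r:30} allowed={is_allowed_host(header)}")
    for qname, ip in flag_rebinding(SAMPLE_ANSWERS, {"app.internal.example"}):
        print(f"dropped rebinding answer: {qname} -> {ip}")
```

The Host check runs before any routing or authentication logic, since the whole point of the attack is that the request arrives with cookies and a Host header the server did not expect. The resolver filter is the logic that recursive resolvers such as dnsmasq provide natively (its `--stop-dns-rebind` option); the exemption list is needed for split-horizon zones that deliberately publish internal addresses.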

See Also