DNS Rebinding
What is DNS Rebinding?
DNS Rebinding: A browser-side attack that abuses short DNS TTLs to make a hostname resolve first to an attacker server, then to an internal IP, bypassing the same-origin policy.
In a DNS rebinding attack, the attacker controls an authoritative DNS server for a domain such as evil.example.com and returns very short TTLs. A victim's browser first resolves the hostname to the attacker's public IP and loads JavaScript, satisfying the same-origin policy. Moments later the attacker's DNS rebinds the same name to an internal address like 192.168.1.1, 127.0.0.1, or a cloud metadata IP (169.254.169.254). Because the origin (scheme, host, port) appears unchanged, the previously loaded JavaScript can now interact with the internal target's HTTP API, exfiltrating data or executing privileged actions. Defenses include host-header validation, authentication on internal services, DNS pinning, browser caches, and filtering RFC 1918 / metadata IPs from public resolvers.
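Two of the defenses listed above, host-header validation on the internal service and filtering internal addresses out of answers for public names, sketched as an added example (not code from this glossary). The allow-list, the local zone names, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the names and addresses this internal service is legitimately reached by.
ALLOWED_HOSTS = {"router.lan", "192.168.1.1", "localhost", "127.0.0.1"}

# RFC 1918, loopback, link-local (covers 169.254.169.254) and IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Service-side check: after a rebind the browser still sends the
    attacker's hostname in Host, so anything off the allow-list is refused."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, optional port
        host = host[1:host.find("]")] if "]" in host else ""
    elif host.count(":") == 1:               # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") in allowed


def is_internal_address(addr):
    """True if addr falls in a range a public name should never resolve to."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # ::ffff:192.168.1.1 -> 192.168.1.1
    return any(ip.version == n.version and ip in n for n in BLOCKED_NETS)


def filter_answers(qname, answers, local_zones=("lan", "internal")):
    """Resolver-side check: strip internal addresses from answers for any
    name outside the zones that are expected to hold them."""
    name = qname.rstrip(".").lower()
    if any(name == z or name.endswith("." + z) for z in local_zones):
        return list(answers)
    return [a for a in answers if not is_internal_address(a)]


if __name__ == "__main__":
    # Constructed sample: answers seen for one name before and after a rebind.
    print(filter_answers("evil.example.com", ["203.0.113.10", "192.168.1.1"]))
    print(host_header_allowed("evil.example.com"), host_header_allowed("192.168.1.1:80"))
```

The two checks are independent: the Host check protects a single service even when the resolver is outside your control, while the answer filter protects every client behind the resolver.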
● Examples
- 01: A malicious ad rebinds evil.example.com to 192.168.1.1 and reads the victim's router admin page.
- 02: An attacker reaches AWS instance metadata at 169.254.169.254 from a compromised in-browser session.
● Frequently asked questions
What is DNS Rebinding?
A browser-side attack that abuses short DNS TTLs to make a hostname resolve first to an attacker server, then to an internal IP, bypassing the same-origin policy. It belongs to the Network Security category of cybersecurity.
How do you defend against DNS Rebinding?
Defenses against DNS Rebinding typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DNS Rebinding?
Common alternative names include: Browser DNS rebinding.
● Related terms
- DNS Spoofing (attacks, № 343): An attack that injects falsified DNS responses to redirect victims from a legitimate domain to an attacker-controlled IP address.
- DNS Cache Poisoning (attacks, № 337): An attack that inserts forged records into a DNS resolver's cache so subsequent queries return attacker-chosen addresses until the TTL expires.
- DNS Hijacking (attacks, № 338): An attack that redirects DNS resolution to attacker-controlled answers by modifying client settings, router configurations, resolver responses, or authoritative DNS records.
- Subdomain Takeover (network-security, № 1112): An attack in which a dangling DNS record (often a CNAME) points to an unclaimed cloud or SaaS resource, letting an attacker register that resource and impersonate the subdomain.
- IP Address (network-security, № 553): A numeric identifier assigned to a network interface for routing across IP networks: 32 bits in IPv4 (RFC 791) or 128 bits in IPv6 (RFC 8200).
- HTTPS (network-security, № 501): HTTP carried over a TLS-protected connection, providing confidentiality, integrity, and server authentication for web traffic.