Varol Cagdas Tok

Personal notes and articles.

DNS Rebinding

DNS rebinding is an attack on the same-origin policy using the DNS system as the pivot. It causes a browser to apply the same-origin context of an attacker-controlled domain to responses from a private IP address, allowing a script on the attacker's page to read responses from localhost or internal network services on the victim's machine.


The Mechanism

The same-origin policy uses the origin of the page that loaded the script, not the IP address the browser connected to, when determining whether a script can read a response. The origin is scheme, hostname, and port. DNS is the binding between hostname and IP.

The attack proceeds in two phases:

Phase 1: The victim visits the attacker's page at attack.example.com. The DNS record for attack.example.com initially resolves to the attacker's server IP. The page loads and the browser caches the DNS resolution.

Phase 2: The attacker's server serves a page with JavaScript that makes repeated requests to attack.example.com. The attacker simultaneously changes the DNS record for attack.example.com to resolve to 192.168.1.1 (or any internal IP) with a TTL of 0. When the browser's DNS cache for the hostname expires and re-resolves, the new IP is returned. The browser now connects to the internal IP when making requests to attack.example.com, but the origin is still attack.example.com. The SOP check passes; the script reads the response from the internal service.


What It Reaches

DNS rebinding targets services bound to localhost or LAN addresses that do not require authentication because they assume only local processes or users can reach them. Common targets:


Relationship to SSRF

DNS rebinding and SSRF are related but distinct. SSRF uses the server's network position; DNS rebinding uses the client's network position. Both exploit the same underlying assumption: that network location implies trust.

DNS rebinding can be used to bypass SSRF defenses that resolve a hostname once at validation time and compare the resolved IP against a blocklist, then allow the request. If the DNS record changes between the validation resolution and the actual request, the validation checked a different IP than the one the connection reaches. This is the TOCTOU variant of DNS rebinding used specifically against SSRF defenses.


Defenses

For services that should only be locally accessible: bind only to localhost (127.0.0.1), not to all interfaces. Require authentication even for local requests. Validate the Host header and reject requests whose hostname is not one the service expects (a request to 192.168.1.1 via DNS rebinding still carries Host: attack.example.com, which can be detected and rejected). Private Network Access (formerly CORS-RFC1918) is a browser-level mitigation that requires a CORS preflight carrying a specific request header, and a matching response header from the private service, before a public origin can make requests to private IP ranges.

For SSRF defenses: re-resolve the hostname immediately before making the connection (not just at validation time), or use a single resolved IP for both validation and connection to prevent the TTL-based rebind between checks.
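An added example (not from these notes) of the TOCTOU rebind against an SSRF check and the pin-the-IP defense described above. The resolver is injectable so a constructed record that flips from a public address to 192.168.1.1 after the first lookup can stand in for real DNS; the public address 93.184.216.34 is just a constructed sample.

```python
import ipaddress
import socket
from typing import Callable, Optional

Resolver = Callable[[str], str]


def is_private(ip: str) -> bool:
    """True for any address an SSRF filter should refuse to reach."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def system_resolver(host: str) -> str:
    return socket.gethostbyname(host)


def vulnerable_target(host: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Resolves once to validate, then resolves AGAIN to connect: the TOCTOU window."""
    if is_private(resolve(host)):
        return None
    return resolve(host)  # a rebind between the two lookups lands on the internal IP


def pinned_target(host: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Resolves exactly once; the caller must connect to this IP, not the hostname,
    and send 'Host: <host>' itself so the record cannot change under it."""
    ip = resolve(host)
    if is_private(ip):
        return None
    return ip


class RebindingResolver:
    """Constructed stand-in for a DNS record with TTL 0 that changes after the first answer."""

    def __init__(self, first: str, then: str) -> None:
        self.first, self.then, self.calls = first, then, 0

    def __call__(self, host: str) -> str:
        self.calls += 1
        return self.first if self.calls == 1 else self.then


if __name__ == "__main__":
    print(vulnerable_target("attack.example.com", RebindingResolver("93.184.216.34", "192.168.1.1")))
    print(pinned_target("attack.example.com", RebindingResolver("93.184.216.34", "192.168.1.1")))
```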