← Lessons

quiz vs the machine

Platinum1660

Security

DNS Rebinding

Abusing changing DNS answers to reach private network services from a browser.

5 min read · advanced · beat Platinum to climb

Turning A Browser Into A Proxy

DNS rebinding tricks a victim's browser into talking to internal services that the attacker cannot reach directly. The attacker controls a domain whose DNS answer changes from their own server to a private address after the page loads.

The Sequence

  • The victim visits the attacker domain, which first resolves to the attacker's server.
  • Script on the page keeps the page open while the DNS record is rebound to an internal IP.
  • The browser, still treating it as the same origin, now sends requests to the internal host.

Defenses

  • Have services validate the Host header and reject unexpected names.
  • Block responses that resolve public names to private IP ranges at the resolver.
  • Require authentication on internal services rather than trusting network location.

Key idea

DNS rebinding swaps a domain to a private IP after load so the browser reaches internal services, so validate Host headers and authenticate internal endpoints.

Check yourself

Answer to earn rating on the learn ladder.

1. What does DNS rebinding change after the page loads?

2. Which defense is most robust for internal services?