What is next in AI Security
Register Today
Table of contents
Network Security

What Is DNS Rebinding? [Examples + Protection Tips]

7 min. read
Table of contents

 

DNS rebinding is an attack that tricks a browser into treating an external domain as if it belongs to the internal network.

It works by repeatedly resolving the same domain name to different IP addresses, starting with one controlled by the attacker and later switching to an internal address. This allows scripts from a malicious site to bypass browser security controls and interact with devices on the private network.

 

How does DNS rebinding work?

Here's how DNS rebinding works: 

It starts when a user visits a malicious site set up by the attacker. That site is tied to a domain the attacker owns, which points to a DNS server under their control.

The attacker's DNS server first resolves the domain to the attacker's own web server. The page loads normally. But behind the scenes, it serves client-side code—usually JavaScript—that makes additional requests back to the same domain.

Architecture diagram titled 'Mechanism of DNS rebinding' shows the interaction between a user in a private network and an attacker in a public network. On the left, the user side includes a laptop labeled 'User,' a 'Victim browser,' and a 'Private web server (192.0.0.1).' On the right, the attacker side includes a 'Malicious DNS server (1.2.3.4)' and a 'Malicious web server (5.6.7.8).' The diagram illustrates six steps. In step 1, the victim browser sends a DNS request asking for the IP of 'attack.com' to the malicious DNS server. In step 2, the DNS server responds that the IP of attack.com is 5.6.7.8. In step 3, the browser receives and loads a rebinding script from the malicious web server. In step 4, the browser again asks for the IP of attack.com. In step 5, the DNS server responds with a different IP: 192.0.0.1, which is an internal address. In step 6, cross-origin communication is established between the victim browser and the internal private web server, using the attacker's domain that has now resolved to an internal IP address. The public and private network areas are visually separated by a vertical dashed line.

Here's the trick. 

The attacker sets a very short time-to-live (TTL) on the original DNS record. When the browser makes another DNS request for the same domain, the attacker responds with a new IP address—this time, one that points to a device inside the victim's private network.

In other words: the domain now resolves to a private IP address, but the browser still considers it the same origin. That means the original script can now reach internal systems—like routers, printers, or internal APIs—without triggering cross-origin restrictions.

From there, the attacker can probe the local network or extract data. 

The attack works because DNS is separate from browser origin checks, and DNS records can be changed mid-session. It’s a method that bypasses one of the core safeguards of modern browsers—the same-origin policy—without directly breaking it.

 

What are some examples of DNS rebinding?

DNS rebinding has shown up in various real-world attacks across both consumer and enterprise environments. In each case, attackers used browsers as a pivot point to reach internal systems that would normally be off-limits.

Let's look at a few examples that show how this works in practice.

Penetrating private networks with DNS rebinding

In one example, attackers used a tool called Singularity to scan an internal network through a victim's browser. 

The process began like most phishing-based attacks: convincing the victim to visit a malicious website. Once loaded, the site used timing-based techniques to identify internal IPs and open ports.

A screenshot titled 'The result of internal network scanning by Singularity' shows a browser window with the URL 'rebinder.dns-rebinding-attackDOTcom:8088/scan-manager.html' and a 'Not Secure' warning in the address bar. The interface displays a section labeled 'Singularity of Origin Experimental Port Scanner' with two input fields. The first field, labeled 'IP address specification,' contains the value '10.0.0.0-10.' The second field, labeled 'Ports specification,' contains the value '80,443,1080,8080-8090.' Below these fields are two buttons: 'Scan' and 'Get Address+Scan().' The 'Results' section underneath displays JSON-formatted output showing successful scans of IP addresses and ports, including multiple entries for targets at 10.0.0.6 on ports 80 and 8080, and 10.0.0.7 on port 80. Each entry includes fields for 'error,' 'start,' 'end,' 'duration,' and 'target' with corresponding address and port values.

From there, the attacker’s site issued repeated DNS requests to rebind its domain name to an internal IP.

The image shows a browser window displaying a web interface titled 'Singularity of Origin DNS Rebinding Attack.' The page includes fields for entering an attack host domain, attack host IP, target host IP, and target port. The attack host is set to 54.183.63.248, the target host is 10.0.0.6, and the target port is 8088. The 'Attack Payload' dropdown menu is set to 'Hook and Control.' On the right side of the image, the browser’s developer tools are open to the 'Headers' tab, showing the request URL highlighted in red. The request URL is “http://s-54.183.63.248-10.0.0.6...dynamic.dns-rebinding-attackDOTcom:8088/cluster.” Additional fields below show the request method as GET, the status code as 200 OK, and the remote address as [::1]:1081. The page's URL in the browser address bar is 'rebinder.dns-rebinding-attack.com:8088/manager.html' and it is marked 'Not Secure.

After the rebind, the script could interact with local devices as if it were part of the same network. That’s how attackers gained access to systems running on private IPs—without the victim ever knowing.

Attacking routers and IoT devices

Another common use case involves targeting consumer-grade routers and smart devices.

These often run local web interfaces that aren't exposed to the public internet but are reachable from inside the network. Many also use default credentials or have weak access controls.

The architecture diagram illustrates a DNS rebinding attack on a smart home device. On the left, a browser and a local smart home device are shown inside the local network. In the center, a vertical red firewall labeled 'FIREWALL' separates the local network from the internet. On the right, an attack server is shown on the public side. An arrow labeled '1' travels from the browser to the attack server, indicating an initial outbound request. A second arrow labeled '2' flows from the attack server to the local smart home device, passing through the firewall, representing the redirected request that reaches the internal device.

Here’s why this matters.

Attackers can guess the default IP address of these devices and rebind their malicious domain to it. Once that happens, scripts can open admin panels, change DNS settings, or even reroute traffic.

Smart devices with web-based controls or open APIs are especially at risk.

Accessing internal enterprise applications

In a simulated environment, Unit 42 researchers demonstrated an attack on a Hadoop management interface.

The image shows a web browser window displaying the Hadoop web interface, specifically the Cluster Metrics page. In the address bar at the top, the URL is highlighted and reads '10.0.0.6:8088/cluster,' indicating access via a private IP address. The interface includes sections labeled Cluster, Scheduler, and Tools on the left-hand menu. The main panel displays tables for Cluster Nodes Metrics and Scheduler Metrics, listing various application and system status categories. No data is currently displayed in the entries section. A caption to the right of the image reads, 'Internal Hadoop web interface accessible at private IP address (10.0.0.6).'

The service wasn’t publicly accessible. But once the browser rebounded the hostname to its internal IP, the attacker could reach the page from the malicious domain.

The image shows a web browser window displaying the Hadoop web interface's Cluster Metrics page. The browser’s address bar at the top highlights a URL that reads '3681473179.rebinder.dns-rebinding-attackDOTcom:8081,' indicating the interface is being accessed through a rebound malicious domain. The page layout includes a left-hand navigation menu labeled Cluster with items such as About, Nodes, Node Labels, and Applications. The main panel displays empty tables for Cluster Nodes Metrics and Scheduler Metrics. A caption to the left of the image states, 'Hadoop interface accessed through a rebound malicious domain.'

From there, they could view cluster status or even kill jobs on the management page.

That’s a serious problem—especially in enterprise environments where admin portals control critical workflows.

Without strong internal segmentation and DNS protections, these interfaces become easy targets.

Bypassing CSRF protections

DNS rebinding can also be used to bypass cross-site request forgery (CSRF) defenses.

Normally, CSRF protections rely on the same-origin policy to block attackers from reading tokens embedded in pages. But rebinding removes that safeguard.

The image shows a browser window with developer tools open, displaying the Headers and Console tabs. A PUT request is shown under the General section with a Request URL that includes a domain generated through DNS rebinding: 'http://s-54.183.63.248-0.0.0.0-332af31665-fs-e.dynamic.dns-rebinding-attackDOTcom:8081/web_console/req1_sessions/4dadc281502eb31e166f70935f99fbf.' The status code is 200 OK, and the request method is PUT. In the Console panel at the bottom, the session ID '4dadc281502eb31e166f70935f99fbf' is echoed again as part of a script that outputs 'Hello from rebinding test.' A caption to the right of the browser window states, 'Target internal web application rendered on attacker’s browser.'

In one Unit 42 test, a Rails application used session-specific tokens to authorize commands.

The attacker used DNS rebinding to fetch the main page, extract the token, and then send a valid request to a vulnerable API. That request executed a command on the server.

The test showed how even token-based protections can be bypassed if origin checks are undermined.

 

What are the potential consequences of DNS rebinding?

The image presents a two-column visual titled 'Potential consequences of DNS rebinding.' On the left, a heading appears in bold above a vertical list of four square icons representing different outcomes: 'Unauthorized access to internal systems,' 'Data exfiltration,' 'Service manipulation or abuse,' and 'Bypassing CSRF protection.' Each icon is orange with a corresponding white line drawing. On the right, four additional consequences are listed in a matching style: 'Compromise of IoT & smart devices,' 'Network reconnaissance,' 'Compliance violations & regulatory risk,' and 'Reputational harm.' Each item is paired with a unique icon symbolizing the type of impact.

DNS rebinding opens the door to a range of security issues that affect both individuals and organizations. 

Here's a breakdown of the most common and impactful outcomes:

  • Unauthorized access to internal systems

    Attackers can use DNS rebinding to reach devices and services inside a private network. These might include routers, development consoles, or APIs that are normally inaccessible from the internet. Once connected, they can interact with those resources without triggering standard security protections.

  • Data exfiltration

    By gaining access to internal systems, attackers can extract sensitive information. That could include credentials, configuration data, or customer records stored in backend applications. In many cases, this happens silently through the victim's own browser.

  • Service manipulation or abuse

    Some internal applications allow configuration changes or administrative actions. DNS rebinding can let attackers reach those interfaces and issue commands. This could involve disabling security settings, restarting systems, or interrupting services.

    Note:
    Some internal web apps expose functionality via undocumented or legacy endpoints, which are often overlooked in standard vulnerability scans but may still be accessible via DNS rebinding.

  • Bypassing CSRF protection

    DNS rebinding can undermine web application defenses against cross-site request forgery. Normally, these protections rely on the same-origin policy to prevent attackers from reading tokens. But if the attacker's domain is rebound to a private system, those restrictions no longer apply.

    Note:
    Because rebinding removes the origin mismatch, attackers can capture dynamic tokens from initial page loads and reuse them in subsequent forged requests—essentially chaining session-dependent actions within a trusted context.

  • Compromise of IoT and smart devices

    DNS rebinding is especially effective against smart devices that expose local web services. These often include limited authentication. Once rebound, attackers can control features, extract sensor data, or use the device for further scanning.

  • Network reconnaissance

    Attackers can use the victim's browser to probe internal networks. Timing-based techniques or WebRTC requests can reveal available services and open ports. That information helps attackers map the environment for later stages of compromise.

    Note:
    DNS rebinding-based reconnaissance is difficult to detect in real time because it piggybacks on legitimate browser activity, often leaving no obvious traces in conventional intrusion detection systems.

  • Compliance violations and regulatory risk

    If DNS rebinding leads to a breach of personal or regulated data, organizations may face legal consequences. This includes fines, audits, or sanctions under laws like GDPR or CCPA. Even unintentional exposure can trigger regulatory action.

    Note:
    Even when no data is exfiltrated, the mere exposure of internal systems via DNS rebinding may be considered a reportable security incident under some regulatory frameworks, depending on jurisdiction and industry.

  • Reputational harm

    Security incidents involving DNS rebinding can erode stakeholder trust. Customers may lose confidence in the organization's ability to protect data. Rebuilding that trust can take time and require significant public communication efforts.

 

How to protect against DNS rebinding attacks

The image shows a circular infographic titled 'How to protect against DNS rebinding attacks.' At the center is a gray shield icon surrounded by three labeled sections branching out: Detection in orange, Mitigation in purple, and Prevention in blue. The Detection section lists three steps: 'Check for private IPs in DNS responses,' 'Monitor browser behavior,' and 'Scan DNS and network logs.' The Mitigation section includes: 'Enable DNS pinning in browsers,' 'Filter DNS responses with private IPs,' 'Use HTTPS for internal services,' and 'Require authentication on internal services.' The Prevention section outlines: 'Use DNS services with rebinding protections,' 'Restrict JavaScript execution,' 'Segment internal networks,' 'Enforce host header validation on servers,' and 'Apply CORS & content security policies.'

While DNS rebinding itself is a technique, its implications are broad. It can be difficult to detect and even harder to prevent.

So the response needs to be layered. Detect early, block suspicious behavior, and configure systems to reject unauthorized access—regardless of how the request got through.

Here's how to approach the issue from a detection, mitigation, and prevention standpoint.

Detection

  • Check for private IPs in DNS responses

    Use DNS lookup tools like dig to inspect whether a domain resolves to both public and private IP addresses. If the response alternates between external and internal IPs, it could indicate DNS rebinding.

  • Monitor browser behavior

    Look for signs like repeated DNS queries to the same domain or unexpected requests to internal IP ranges. JavaScript errors related to cross-origin restrictions can also point to DNS rebinding in progress.

  • Scan DNS and network logs

    Examine DNS logs and firewall activity for patterns such as frequent A record changes from a single domain. Tools like Zeek or Wireshark can help identify external sites attempting to reach private IPs through a victim browser.

    Tip:
    Look for DNS queries that alternate between public and private IPs from the same domain within a short time window—especially when the public IP appears only briefly before switching. These short-lived records are often overlooked in coarse-grained log reviews.

The image is a teal-colored call-to-action banner with white text on the right and an icon on the left. The icon consists of a stylized clipboard with a checkmark and pen. The text on the right reads: 'Gain visibility and identify potential compromise in your environment. Learn about the Unit 42 Compromise Assessment.' Below the text is a white-outlined button with the words 'Learn more' centered inside.

Mitigation

  • Enable DNS pinning in browsers

    Modern browsers may implement DNS pinning, which caches DNS results for a set time regardless of the TTL. This can block basic time-based rebinding attempts by reusing the original IP.

  • Filter DNS responses with private IPs

    Configure DNS resolvers to block responses that return private, loopback, or non-routable IPs. This can reduce exposure to attacks that try to rebind hostnames to internal systems.

    Tip:
    Also monitor for CNAME chains that ultimately resolve to private IPs. Attackers may use this to bypass direct A-record filtering by rebinding to internal systems via an intermediate alias.

  • Use HTTPS for internal services

    HTTPS helps validate server identities during connection setup. Since rebinding changes the domain but not the certificate, browsers will reject mismatched SSL handshakes—making rebinding less effective.

  • Require authentication on internal services

    Strong credentials add another barrier. If attackers reach a service via DNS rebinding, authentication can stop them from interacting with it.

The image is a teal-colored call-to-action banner with white text on the right and an icon on the left. The icon shows a stylized silhouette of an attacker figure surrounded by multiple circles of varying sizes, representing an abstract attack surface. The text on the right reads: 'See your attack surface through the eyes of an adversary. Learn about the Unit 42 Attack Surface Assessment.' Below the text is a white-outlined button with the words 'Learn more' centered inside.

Prevention

  • Use DNS services with rebinding protections

    Some DNS solutions automatically block responses that resolve external hostnames to internal IP addresses. Choose providers or local resolvers that include this protection.

    Tip:
    Choose DNS services that maintain contextual threat intelligence—such as historical rebinding behavior or associations with known exploit kits—rather than relying solely on static IP blocklists.

  • Restrict JavaScript execution

    Limit where and how scripts can run in the browser. This can reduce the ability of attacker-controlled websites to issue repeated DNS queries or execute rebinding payloads.

  • Enforce host header validation on servers

    Configure internal web servers to reject requests with unexpected or unknown Host headers. This ensures that even if rebinding is successful, the server won't respond to requests sent through falsified domains.

  • Apply CORS and content security policies

    Use strict cross-origin resource sharing (CORS) rules and content security policies on internal applications. These browser-level protections make it harder for scripts to interact with resources that aren't explicitly allowed.

  • Segment internal networks

    Limit which devices can talk to each other. Even if DNS rebinding grants access to a particular resource, segmentation can prevent lateral movement to other sensitive areas.

The image is a teal-colored call-to-action banner with white text on the right and an icon on the left. The icon consists of a globe overlaid with interconnected nodes, surrounded by a circular network pattern, and includes a small browser window symbol in the lower right. The text on the right reads: 'Stop new DNS-layer attacks today. Get a 90-day Advanced DNS Security free trial.' Below the text is a white-outlined button with the words 'Start your free trial' centered inside.

 

DNS rebinding FAQs

DNS rebinding tricks a browser into treating an external domain as part of the internal network. It bypasses the same-origin policy by switching a domain’s IP from a public address to a private one, allowing malicious scripts to access internal systems through the user’s browser.
Mitigation includes enabling DNS pinning, filtering private IP responses at the resolver, enforcing HTTPS and authentication for internal services, and rejecting HTTP requests with unrecognized Host headers. These measures block or limit the attacker’s ability to rebind and interact with internal resources.

Related content

Get the latest news, invites to events, and threat alerts