Browser’s DNS Rebinding Attacks

Risk:
high
Damage:
high
Platform(s):
Web Servers Systems Networks Google
Advisory ID:
ngCERT-2021-0053
Version:
N/A
CVE:
CVE-2021-29462
Published:
September 22, 2021

Summary


Cybercriminals have been observed using a technique known as DNS rebinding to compromise internal networks by abusing web-based management consoles. Once a malicious website is loaded in a victim's browser, it can reach internal web applications that are not exposed to the internet; the victim's browser effectively becomes a proxy that extends the attack surface into private networks.

Description & Consequence


The attack begins by fooling victims into opening malicious websites through social engineering tactics such as phishing emails and cybersquatting. After the malicious site is loaded in the victim's browser, the attacker looks for private IP addresses and ports that host vulnerable services before launching the DNS rebinding attack itself. The open ports reveal which web applications are exposed behind those IP addresses; a malicious website can also use WebRTC to scan for open web services inside the local network. Once a target service has been located, the attacker's website launches the DNS rebinding attack inside an iframe. The first request fetches the rebinding payload from a hostname the attacker controls. The attack script then keeps triggering re-resolution of that hostname until it rebinds to the targeted internal IP address, after which the iframe can communicate continuously with the internal service without the victim's knowledge.

The DNS rebinding attack turns victims' browsers into traffic tunnels for exploiting private services. With this technique, attackers can steal confidential information and send forged requests to servers on the victim's network. The attack targets network infrastructure devices with HTTP-based consoles, smart devices, RESTful APIs and Universal Plug and Play (UPnP) servers that modern IoT devices expose to internal networks. Home routers are also vulnerable: many are left with default configurations and weak passwords, so would-be intruders can easily guess their IP addresses and rebind malicious hostnames to them. Once attackers reach a router's network configuration panel, they can sniff packets on the victim's network, perform denial of service (DoS) attacks and hijack traffic. Beyond simply tunneling traffic, malicious websites can use DNS rebinding to bypass token-based CSRF protection.

Solution


Browsers, resolvers and web applications have applied various protection strategies against DNS rebinding attacks. However, advanced exploits can bypass traditional defenses, and complete protection becomes harder to enforce as the internal network environment grows more complex. Several protective methods are in practice today: browser-based DNS pinning; DNS-based filtering using DNS caching software; server-based mitigation that implements HTTPS on private services; and real-time DNS rebinding detection.

There are a few things that should help to mitigate the possibility of this attack:

  1. Use a trusted DNS service as the default resolver on your router. OpenDNS provides a free DNS service that can be configured to filter suspicious IP addresses (such as a private range returned for a public domain name) out of DNS responses. To implement this, change your router's default DNS servers from your ISP's to the OpenDNS IP addresses.
  2. You can take filtering and control into your own hands by running your own trusted DNS server that acts as the default resolver and filters suspicious IP addresses. Dnsmasq or an open router firmware (DD-WRT) would let you do this.
  3. Ensure that devices within your network (if they support it) only respond to authenticated HTTP requests and API calls.
  4. Longer term, developers need to move away from trusting all devices on a network by default. A very simple first step is to implement Host header validation on the HTTP server that is serving the requests. The expected value can be a domain name or an IP address, but the server that receives the HTTP request must verify that the host being requested matches its own host.
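The checks below are an added example written for this advisory, not code from ngCERT or from any of the referenced vendors. They show, in one self-contained script, the three mitigation classes listed above: resolver-side filtering of answers that map a public name to an internal address (what an OpenDNS-style filter or dnsmasq's stop-dns-rebind option does), real-time detection of a hostname whose answers flip from a public to an internal address, and Host header validation on an internal web service. The network ranges, the trusted-suffix list, the hostnames and the resolver log lines are all constructed for the example.

```python
"""Defender-side checks against DNS rebinding (added example, not from the advisory).

  filter_answers     - resolver-side filtering: drop answers that point a public
                       hostname at a private, loopback or link-local address.
  detect_rebinding   - real-time detection over resolver log entries: flag a name
                       whose answers switch from public to internal within a window.
  host_header_allowed - server-side Host header validation for an internal service.
All sample data is constructed for this example.
"""
import ipaddress
from typing import Iterable

# Address ranges a public hostname should never resolve to (constructed policy,
# adjust for your network; RFC 1918, loopback, link-local, IPv6 ULA).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]
# Names that legitimately resolve to internal addresses (the idea behind
# dnsmasq's rebind-domain-ok). Constructed suffixes.
TRUSTED_INTERNAL_SUFFIXES = (".corp.example", ".lan")


def is_internal(ip: str) -> bool:
    """True if the answer lands in an internal range, including IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:192.168.1.1 by its embedded IPv4
    return any(addr in net for net in INTERNAL_NETWORKS)


def filter_answers(qname: str, answers: Iterable[str]) -> list[str]:
    """Return the answers a rebinding-aware resolver would pass to the client."""
    if qname.lower().endswith(TRUSTED_INTERNAL_SUFFIXES):
        return list(answers)
    return [ip for ip in answers if not is_internal(ip)]


def detect_rebinding(log: list[tuple[float, str, str]], window: float = 60.0) -> list[str]:
    """Flag hostnames whose answer switched from public to internal within `window`
    seconds. `log` holds (unix_time, qname, answer_ip) tuples, oldest first."""
    last_public: dict[str, float] = {}
    flagged: list[str] = []
    for ts, qname, ip in log:
        name = qname.lower()
        if name.endswith(TRUSTED_INTERNAL_SUFFIXES):
            continue
        if not is_internal(ip):
            last_public[name] = ts
        elif name in last_public and ts - last_public[name] <= window and name not in flagged:
            flagged.append(name)
    return flagged


def host_header_allowed(host_header: str, allowed_hosts: set[str], server_port: int = 80) -> bool:
    """True only if the Host header names this service (name or IP literal, optional
    port). A rebound request still carries the attacker's hostname, so it fails."""
    host = host_header.strip().lower()
    if not host:
        return False
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:80
        end = host.find("]")
        if end == -1:
            return False
        name, rest = host[1:end], host[end + 1:]
    else:
        name, sep, port = host.partition(":")
        rest = sep + port
    if rest:                                      # an explicit port must be ours
        if not rest.startswith(":") or not rest[1:].isdigit():
            return False
        if int(rest[1:]) != server_port:
            return False
    return name in allowed_hosts


# Constructed resolver log: a public-looking name first resolves to a public
# address, then (after a short TTL) to the router's private address.
SAMPLE_LOG = [
    (1000.0, "cdn.example.net", "203.0.113.10"),
    (1001.0, "malicious.example", "198.51.100.7"),
    (1005.0, "malicious.example", "192.168.1.1"),
    (1010.0, "printer.lan", "10.0.0.9"),
]

if __name__ == "__main__":
    print(filter_answers("malicious.example", ["198.51.100.7", "192.168.1.1"]))
    print(detect_rebinding(SAMPLE_LOG))
    allowed = {"router.lan", "192.168.1.1"}
    print(host_header_allowed("router.lan", allowed), host_header_allowed("malicious.example", allowed))
```

The filter and the detector are two sides of the same control: the filter stops a rebound answer from ever reaching the browser, while the detector catches the public-to-internal flip in resolver logs when filtering is not in place (for example, because the client uses DNS over HTTPS and bypasses the local resolver). Host header validation is the last line of defense and the only one the device itself controls: even if a rebound request arrives, the Host header still carries the attacker's hostname rather than the device's own name or address, so the service can refuse it.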

Reference


  1. https://unit42.paloaltonetworks.com/dns-rebinding/
  2. https://cyware.com/news/saving-private-networks-from-dns-rebinding-10cf15e6
  3. https://www.4d-dc.com/insight/dns-rebinding-attacking-private-networks
