
@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This post analyzes how DNS over HTTPS (DoH, RFC 8484) affects DNS rebinding attacks and evaluates DoH providers’ claimed protections using NCC Group’s DNS rebinding framework Singularity of Origin. The core finding is that DoH does not mitigate DNS rebinding. All existing rebinding strategies, including fast strategies (multiple answers and DNS cache flooding), remain fully functional over DoH, and common DoH-side “r...

🔧 Technical Details

DNS rebinding via dynamic host-to-IP remapping
The core trick is to exploit the browser’s origin definition (scheme, host, port) by dynamically changing the IP address that a fixed hostname resolves to. An attacker first maps their domain to an attacker-controlled IP to serve malicious JavaScript and establish an origin. After the page loads, the authoritative DNS for that domain changes its responses so that the same hostname now resolves to a localhost or internal IP (e.g. 127.0.0.1 or 192.168.1.10). The browser still considers the origin the attacker’s hostname, so SOP allows the JavaScript to interact with the internal/localhost service as if it were same‑origin, enabling data exfiltration, privileged operations, or remote code execution where the target service is vulnerable.


“First then second” rebinding strategy
This strategy provides a reliable way to rebind any hostname. The attacker’s DNS server returns the attack...

🤖 Agent Actions

Summary:

  • Expanded the DNS rebinding section in src/pentesting-web/cors-bypass.md with a dedicated “DNS Rebinding over DNS-over-HTTPS (DoH)” subsection that explains why DoH transport does not mitigate rebinding, details how Singularity’s first-then-second and multiple-answer strategies operate (including the timing fix for repeated Firefox DoH queries), and covers bypasses for advertised DoH “rebind protections” such as abusing 0.0.0.0 and CNAME indirection.
  • Documented browser-specific DoH behaviors (Firefox fallback vs. Chrome’s conditional DoH), and added practical guidance for enabling, probing, and inspecting DoH traffic via browser settings, curl, Burp/ZAP, and Wireshark with SSLKEYLOGFILE.
  • Updated the references list to credit the NCC Group research post that provided the DoH-focused findings.

Tests: Not run (not requested).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
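A defender-side counterpart to the "rebind protections" the summary says DoH providers advertise, added here as an example and not part of this PR or of the NCC Group post: a resolver-side filter that rejects answers steering a public hostname to a non-public address, covering the three cases named above (multiple answers, 0.0.0.0 and CNAME indirection). Hostnames and answer sets are constructed.

```python
import ipaddress
from typing import List, Tuple
Record = Tuple[str, str, str]  # (owner name, rtype, rdata) as seen in a DNS response

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def is_non_public(addr: str) -> bool:
    """Addresses a rebind filter must not hand to a browser: loopback, RFC 1918 / ULA,
    link-local, unspecified 0.0.0.0 / :: (reach localhost on many stacks), mapped forms."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 exactly as 127.0.0.1
    return ip.is_unspecified or not ip.is_global

def cname_chain(qname: str, answers: List[Record]) -> List[str]:
    """Owner names reached from qname by following CNAMEs inside the answer set."""
    chain, seen = [_norm(qname)], set()
    while chain[-1] not in seen:  # seen-set guards against CNAME loops
        seen.add(chain[-1])
        nxt = [_norm(rd) for own, rt, rd in answers
               if rt == "CNAME" and _norm(own) == chain[-1]]
        if not nxt:
            break
        chain.append(nxt[0])
    return chain

def rebind_violations(qname: str, answers: List[Record]) -> List[Tuple[str, str]]:
    """(path, address) pairs that point qname at a non-public host. Every A/AAAA is
    inspected, not only the first (multiple answers), and CNAME targets are followed."""
    chain = cname_chain(qname, answers)
    hits = []
    for owner, rtype, rdata in answers:
        if rtype in ("A", "AAAA") and is_non_public(rdata):
            o = _norm(owner)
            path = " -> ".join(chain[: chain.index(o) + 1]) if o in chain else o
            hits.append((path, rdata))
    return hits

# Constructed sample responses, not captured traffic; 8.8.8.8 stands in for any public IP.
SAMPLES = {
    "first-then-second": [("attacker.example", "A", "127.0.0.1")],
    "multiple-answers": [("attacker.example", "A", "8.8.8.8"),
                         ("attacker.example", "A", "192.168.1.10")],
    "zero-address": [("attacker.example", "A", "0.0.0.0")],
    "cname-indirection": [("attacker.example", "CNAME", "inner.attacker.example."),
                          ("inner.attacker.example.", "A", "10.0.0.5")],
    "benign": [("attacker.example", "A", "8.8.8.8")],
}
```

A filter like this only protects clients whose lookups actually pass through it, which is the gap the post describes for DoH. The service-side check that rebinding ultimately relies on defeating, validating the Host header against the names the service expects, does not depend on the resolver at all.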

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://www.nccgroup.com/research-blog/impact-of-dns-over-https-doh-on-dns-rebinding-attacks/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Web Vulnerabilities Methodology (new dedicated 'DNS Rebinding over DoH' / 'DNS Rebinding' subsection, cross-linked from SSRF / Browser attacks / Special HTTP headers-DNS behaviors)".

Repository Maintenance:

  • MD Files Formatting: 920 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
