# Week 47 - DNS Re-binding

Today’s web hacking tip involves a unique way of bypassing SSRF protections: DNS re-binding.

DNS re-binding involves alternating between 2 different IP addresses associated with a specific domain. This can be accomplished using a short TTL (time to live): the time a resolver waits before re-checking what IP the domain maps to. After a couple of seconds, the domain will be associated with the other IP, and it will keep switching between the two.

This matters when the application has a firewall that will not allow a domain pointing to localhost, so such a request would normally be blocked. The idea with this attack is to have the domain change what IP it resolves to between the check and the request. When the request goes through the firewall, the domain resolves to a random (allowed) IP address, but when the web server gets the domain and issues a request to it, it resolves to localhost (and we have SSRF).

Alternatively, you can point the domain to an IP address you own and include some JavaScript on the index page to initiate a request to an internal application/system. Both are good options for bypassing SSRF protections.

A great tool that will automatically provide you with a domain that alternates between two IPs you specify is: <https://lock.cmpxchg8b.com/rebinder.html>

Just plug your target IP (like localhost) in with an allowed public one, and then send a couple of requests through Burp Repeater!

Defenses:

- Map domains to a specific IP
- Disallow JavaScript from running
- Disallow short TTLs (time to live) on domains
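
The "map domains to a specific IP" defense, as an added Python example (not code from the original post): the weak check-then-fetch pattern next to a version that resolves once, validates every answer, and pins the connection to that IP. The flipping resolver, the hostname `rebind.example`, the sample IPs and all function names are constructed for illustration.

```python
import ipaddress
import socket
from itertools import cycle
from urllib.parse import urlsplit


def is_internal(ip):
    """True for loopback, private, link-local and other non-global addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:127.0.0.1 -> 127.0.0.1
        addr = addr.ipv4_mapped
    return not addr.is_global


def system_resolve(host):
    """Default resolver: every A/AAAA answer for host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_then_fetch(url, resolve=system_resolve):
    """Weak pattern: validate one lookup, then let the HTTP client look up again.
    Returns the IP the second lookup (the real connection) would use."""
    host = urlsplit(url).hostname
    if any(is_internal(ip) for ip in resolve(host)):
        raise ValueError("blocked: internal address")
    return resolve(host)[0]      # stands in for the HTTP client's own lookup


def pinned_target(url, resolve=system_resolve):
    """Hardened pattern: resolve once, validate every answer, connect to that IP.
    Returns (ip, port, host); the caller connects to ip and sends host as Host/SNI."""
    parts = urlsplit(url)
    ips = resolve(parts.hostname)
    if not ips or any(is_internal(ip) for ip in ips):
        raise ValueError("blocked: internal address")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return ips[0], port, parts.hostname


def rebinding_resolver(public="8.8.8.8", internal="127.0.0.1"):
    """Constructed stand-in for a short-TTL record that flips on each lookup."""
    answers = cycle([[public], [internal]])
    return lambda host: next(answers)


if __name__ == "__main__":
    url = "http://rebind.example/"            # constructed hostname
    print("check-then-fetch connects to:", check_then_fetch(url, rebinding_resolver()))
    print("pinned target:", pinned_target(url, rebinding_resolver()))
```

With the pinned version, a flip to an internal address can only show up in the single lookup that is validated, so it is rejected instead of reaching the connection.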

![](/files/CWYe7tfAdLmzQj5dBJAq)


