DNS Rebinding Check
Endpoint: `/v1/dns/rebinding`

Tests if a domain's DNS configuration is vulnerable to DNS rebinding attacks — referenced in OWASP Top 10 (2021) A10: Server-Side Request Forgery. DNS rebinding is a subset of SSRF attacks that exploits DNS to bypass the same-origin policy and access internal networks.
What It Does
DNS rebinding is the rotation of a domain's answer between public and private addresses across queries — that's how attackers escape the same-origin policy. This endpoint runs the actual rotation test: 3 queries spaced 2 seconds apart, with `cd=1` to bypass resolver-side filtering, looking for round-to-round changes in the IP set's public/private mix. In parallel it queries multiple public resolvers (Cloudflare, Google, Quad9) and reports which ones drop RFC 1918 results per RFC 6303 — telling you which of your actual users (depending on which resolver they use) are exposed. Static checks still run: detection of RFC 1918, loopback (127/8), link-local (169.254/16), cloud metadata (169.254.169.254), CGNAT (RFC 6598), TEST-NET ranges (RFC 5737), and the IPv6 equivalents (fc00::/7, fe80::/10, NAT64, Teredo, 6to4).
Why It's Useful
Most "DNS rebinding checkers" only test for static private IPs and call that "rebinding" — but real rebinding is *rotation*, not static misconfiguration. The multi-query rotation test makes the endpoint live up to its name. The multi-resolver filter visibility answers the question users actually have: "are my users exposed?" — public resolvers (1.1.1.1, 8.8.8.8) drop RFC 1918 per RFC 6303, but internal corporate resolvers often don't, and the response shows you which.
Use Cases
Web Application Security
Assess if any external domains used by your application could resolve to internal IPs. Critical for applications that fetch user-supplied URLs (image proxies, OAuth callbacks).
Identify and mitigate DNS rebinding risks before exploitation.
Internal Network Protection
Evaluate if external domains could be used to rebind to internal services.
Protect internal services from browser-based rebinding attacks.
SSRF Prevention Validation
Validate that your SSRF protection correctly blocks DNS rebinding — test domains should not resolve to private IPs even with low TTLs.
Verify SSRF defenses against DNS-based bypasses before deployment.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to check for rebinding vulnerability. Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| is_vulnerable | boolean | True if rotation was observed (real rebinding) OR static private IPs were found |
| risk | string | Risk level: low, medium, high |
| rotation_detected | boolean | True iff at least one round saw private IPs AND at least one round saw public IPs across the multi-query test — the textbook rebinding signature |
| rounds_with_private | number | Number of probe rounds that returned at least one private IP |
| rounds_with_public | number | Number of probe rounds that returned at least one public IP |
| rotation_rounds | array | Per-round detail: round, ips[], has_private, has_public, elapsed_ms (3 rounds spaced 2s apart with cd=1) |
| resolver_filter | array | Per-resolver visibility (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9): resolver, ips[], private_ips_returned[], filters_private. Distinguishes which of your users (depending on resolver) are exposed. |
| any_resolver_leaks_private | boolean | True if at least one resolver returned a private IP without filtering it (RFC 6303) |
| has_multiple_ips | boolean | Whether the domain resolves to multiple IP addresses |
| ips | array | IPv4 addresses the domain resolves to |
| ipv6_ips | array | IPv6 addresses the domain resolves to |
| has_private_ip | boolean | Whether any resolved IP is in a private range |
| private_ips | array | Private/internal IP addresses found |
| has_low_ttl | boolean | Whether the minimum TTL is below 60 seconds (rebinding indicator) |
| min_ttl | number | Minimum TTL value across DNS records |
| has_cname | boolean | Whether a CNAME record was found |
| cname_target | string | CNAME target hostname if present |
| explanation | string | Human-readable explanation of the rebinding assessment |
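The rotation logic the fields above describe, as an added Python example that is not the endpoint's own code: it classifies addresses against the ranges listed under What It Does and derives rotation_detected, rounds_with_private, rounds_with_public, private_ips and is_vulnerable from constructed probe rounds. Treating the whole NAT64, Teredo and 6to4 prefixes as internal is this example's conservative assumption, and the sample addresses are constructed.

```python
import ipaddress
from typing import Dict, List

# Ranges this check treats as private/internal, mirroring the endpoint
# description: RFC 1918, loopback, link-local (incl. 169.254.169.254 metadata),
# CGNAT (RFC 6598), TEST-NET (RFC 5737), IPv6 ULA/link-local, NAT64, Teredo, 6to4.
# Assumption: the full NAT64/Teredo/6to4 prefixes count as internal.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "127.0.0.0/8",                                          # loopback
    "169.254.0.0/16",                                       # link-local + metadata
    "100.64.0.0/10",                                        # CGNAT, RFC 6598
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",    # TEST-NET-1/2/3
    "::1/128", "fc00::/7", "fe80::/10",                     # v6 loopback, ULA, link-local
    "64:ff9b::/96", "2001::/32", "2002::/16",               # NAT64, Teredo, 6to4
)]


def is_private(ip: str) -> bool:
    """True if the address falls in any range the check considers internal."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETWORKS)


def analyse_rounds(rounds: List[List[str]]) -> Dict:
    """Derive the rotation fields from per-round answer sets (one list per probe).

    rotation_detected follows the field definition: some round saw a private
    IP AND some round saw a public IP. is_vulnerable is rotation OR any static
    private answer.
    """
    detail = []
    for i, ips in enumerate(rounds, start=1):
        priv = [ip for ip in ips if is_private(ip)]
        detail.append({"round": i, "ips": ips,
                       "has_private": bool(priv),
                       "has_public": len(priv) < len(ips)})
    rounds_with_private = sum(r["has_private"] for r in detail)
    rounds_with_public = sum(r["has_public"] for r in detail)
    rotation = rounds_with_private > 0 and rounds_with_public > 0
    private_ips = sorted({ip for ips in rounds for ip in ips if is_private(ip)})
    return {
        "rotation_detected": rotation,
        "rounds_with_private": rounds_with_private,
        "rounds_with_public": rounds_with_public,
        "private_ips": private_ips,
        "is_vulnerable": rotation or bool(private_ips),
        "rotation_rounds": detail,
    }


if __name__ == "__main__":
    # Constructed rounds: public, then private, then public again = rotation.
    print(analyse_rounds([["93.184.216.34"], ["10.0.0.5"], ["93.184.216.34"]]))
```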
Code Examples
```bash
# -G sends the form data as query parameters, so this is a GET request like the other examples
curl -G "https://api.edgedns.dev/v1/dns/rebinding" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/rebinding?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/rebinding',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
data = response.json()
print(data)
```