MCP (Model Context Protocol) servers, which mediate AI access to internal resources, are vulnerable to DNS rebinding attacks that can bypass same-origin protections and expose internal APIs, data, and credentials. Defenses include network segmentation, host/IP validation, mTLS, DNSSEC, application allowlists, monitoring for rapid DNS changes, and incident response procedures. #ModelContextProtocol #DNSRebinding
Key points
- MCP servers act as middleware for LLMs to access external and internal resources, creating a high-value attack surface.
- DNS rebinding manipulates DNS responses to make a trusted domain resolve to internal IPs, bypassing same-origin protections.
- MCP implementations that validate only hostnames (not IPs) or trust specific domains are particularly susceptible.
- Successful attacks can lead to data exfiltration, command injection, credential exposure, and lateral movement across backend systems.
- Prevention requires segregation of MCP servers from the public internet, strict firewall rules, and multi-layered host/IP validation.
- Detection relies on DNS query monitoring, IDS/IPS rules for TTL and private-IP responses, SNI mismatches, and anomaly detection in MCP logs and AI behaviors.
- Incident response should include isolation, credential rotation, forensic log analysis, recovery hardening, and post-incident reviews.
MITRE Techniques
- [T1574] DNS Manipulation – Attackers change DNS responses to point a previously trusted domain to internal IPs, enabling requests to internal resources (“the attacker’s DNS server changes its response, now pointing the same domain to an internal IP address within the victim’s network”).
- [T1190] Exploit Public-Facing Application – Exploiting hostname-based validation in MCP servers that are publicly reachable or accessible via AI integrations (“MCP servers should never be directly accessible from the public internet” and “when an MCP server accepts connections based on hostname validation without proper IP address verification, it becomes susceptible”).
- [T1078] Valid Accounts – Abuse of trusted relationships and credentials or API keys held by MCP servers to access backend systems (“These servers are often configured to trust requests from specific AI services or domains” and “they might have access to multiple backend systems, API keys, or service credentials”).
- [T1041] Exfiltration Over C2 Channel – Data exfiltration via rebinding-induced requests to MCP servers to read sensitive responses (“Simple attacks might focus on data exfiltration, using the rebinding to read sensitive information from the MCP server’s responses”).
- [T1609] Container and Resource Hijacking (related) – Leveraging elevated privileges of MCP servers to execute functions or manipulate integrated services (“A successful DNS rebinding attack could provide an attacker with a foothold into numerous critical systems, not just the MCP server itself”).
Indicators of Compromise
- [Domain] malicious domain used to perform rebinding – example: attacker-controlled domain that initially serves exploit code then resolves to internal IP (no specific domain names provided).
- [DNS Record/TTL] rapid DNS TTL changes and records resolving to both public and private IPs – example: domain resolving to external IP then to 10.0.0.5 within short window (general pattern; no explicit records provided).
- [Network/IP] unexpected internal-targeted connections from trusted-looking hostnames – example: requests with SNI for a trusted domain resolving to private IP ranges like 10.0.0.0/8 or 192.168.0.0/16 (no specific IPs listed).
- [Log Anomalies] authentication failures and unusual request patterns in MCP server logs – example: sudden access attempts to multiple backend systems and unexpected API calls (general behavior indicators rather than specific filenames/hashes).
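The DNS Record/TTL indicator above can be turned into a resolver-log check. The following is an added example, not code from the original article: the log tuple layout, the 60-second window, and all sample names and addresses are constructed assumptions.

```python
import ipaddress

# Internal ranges listed explicitly (RFC 1918, loopback, link-local, IPv6 ULA).
# ipaddress.is_private is avoided because it also matches documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7")]

WINDOW_SECONDS = 60  # assumed meaning of "short window"; tune per environment

# Constructed sample resolver log: (epoch seconds, queried name, answer IP, TTL)
SAMPLE_LOG = [
    (1000, "cdn.example.org", "93.184.216.34", 300),
    (1400, "cdn.example.org", "93.184.216.34", 300),
    (2000, "rebind.example.net", "203.0.113.7", 1),
    (2004, "rebind.example.net", "10.0.0.5", 1),      # public -> internal in 4 s
    (3000, "intranet.example.com", "192.168.1.20", 3600),  # internal only: benign
    (5000, "moved.example.io", "198.51.100.9", 600),
    (9000, "moved.example.io", "10.1.2.3", 600),      # flip, but outside window
]

def is_internal(ip):
    """True if the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(records, window=WINDOW_SECONDS):
    """Alert when a name answers with a public IP and then an internal IP
    within `window` seconds, the pattern described in the indicator."""
    last_public = {}  # name -> (timestamp, ip, ttl) of most recent public answer
    alerts = []
    for ts, name, ip, ttl in sorted(records):
        name = name.rstrip(".").lower()  # normalise FQDN form and case
        if not is_internal(ip):
            last_public[name] = (ts, ip, ttl)
            continue
        prev = last_public.get(name)
        if prev and ts - prev[0] <= window:
            alerts.append({"name": name, "public_ip": prev[1],
                           "internal_ip": ip, "gap_seconds": ts - prev[0],
                           "min_ttl": min(ttl, prev[2])})
    return alerts

if __name__ == "__main__":
    for alert in find_rebinding(SAMPLE_LOG):
        print(alert)
```

A name that only ever resolves to internal addresses is not flagged, which keeps ordinary split-horizon intranet records out of the alert stream.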
Read more: https://www.varonis.com/blog/model-context-protocol-dns-rebind-attack