# What Is DNS Rebinding? \[Examples + Protection Tips\]
DNS rebinding is an attack that tricks a browser into treating an external domain as if it belongs to the internal network.

It works by repeatedly resolving the same domain name to different IP addresses, starting with one controlled by the attacker and later switching to an internal address. This allows scripts from a malicious site to bypass browser security controls and interact with devices on the private network.

## How does DNS rebinding work?

Here's how [DNS](https://www.paloaltonetworks.com/cyberpedia/what-is-dns) rebinding works:

It starts when a user visits a malicious site set up by the attacker. That site is tied to a domain the attacker owns, which points to a DNS server under their control.

The [attacker's DNS](https://www.paloaltonetworks.com/cyberpedia/what-is-a-dns-attack) server first resolves the domain to the attacker's own web server. The page loads normally. But behind the scenes, it serves client-side code---usually JavaScript---that makes additional requests back to the same domain.

![Architecture diagram titled 'Mechanism of DNS rebinding' shows the interaction between a user in a private network and an attacker in a public network. On the left, the user side includes a laptop labeled 'User,' a 'Victim browser,' and a 'Private web server (192.0.0.1).' On the right, the attacker side includes a 'Malicious DNS server (1.2.3.4)' and a 'Malicious web server (5.6.7.8).' The diagram illustrates six steps. In step 1, the victim browser sends a DNS request asking for the IP of 'attack.com' to the malicious DNS server. In step 2, the DNS server responds that the IP of attack.com is 5.6.7.8. In step 3, the browser receives and loads a rebinding script from the malicious web server. In step 4, the browser again asks for the IP of attack.com. In step 5, the DNS server responds with a different IP: 192.0.0.1, which is an internal address. In step 6, cross-origin communication is established between the victim browser and the internal private web server, using the attacker's domain that has now resolved to an internal IP address. The public and private network areas are visually separated by a vertical dashed line.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-rebinding/DNS-rebinding-2025_1.png)

Here's the trick. The attacker sets a very short time-to-live (TTL) on the original DNS record. When the browser makes another DNS request for the same domain, the attacker responds with a new IP address---this time, one that points to a device inside the victim's private network.
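The answer sequence described above (an external address first, then a short-TTL re-resolution that returns a private address) leaves a trace in resolver logs. The following Python is an added example, not code from the original article: it scans a constructed log in an assumed `epoch client qname ttl address` layout and flags that flip, plus any public name that answers with an internal address. `LOCAL_ZONES`, `FLIP_WINDOW`, `LOW_TTL` and the log layout are illustrative assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Union

# Address ranges that should never appear in answers for public names.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
LOCAL_ZONES = ("corp.example",)  # assumption: zones allowed to hold internal IPs
FLIP_WINDOW = 120                # assumption: max seconds between the two answers
LOW_TTL = 10                     # assumption: TTL (s) treated as "very short"

# Constructed sample log, one answer per line: epoch client qname ttl address
SAMPLE_LOG = """\
1700000000 10.0.0.23 attack.example 1 203.0.113.10
1700000002 10.0.0.23 attack.example 1 10.0.0.6
1700000005 10.0.0.23 intranet.corp.example 300 10.0.0.40
1700000007 10.0.0.41 cdn.example 60 198.51.100.7
1700000090 10.0.0.41 cdn.example 60 198.51.100.8
this line is malformed and is skipped
1700000100 10.0.0.23 localdev.example 5 127.0.0.1
"""

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Answer(NamedTuple):
    ts: int
    client: str
    qname: str
    ttl: int
    addr: Address


class Finding(NamedTuple):
    kind: str      # "rebind-flip" or "internal-answer"
    client: str
    qname: str
    addr: str
    low_ttl: bool


def is_internal(addr: Address) -> bool:
    """True if the address falls in one of INTERNAL_NETS."""
    # An IPv4-mapped IPv6 answer (::ffff:a.b.c.d) still reaches the IPv4 host.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in INTERNAL_NETS)


def is_local_zone(qname: str) -> bool:
    return any(qname == z or qname.endswith("." + z) for z in LOCAL_ZONES)


def parse_log(text: str) -> List[Answer]:
    answers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line
        ts, client, qname, ttl, addr = parts
        try:
            answers.append(Answer(int(ts), client, qname.lower().rstrip("."),
                                  int(ttl), ipaddress.ip_address(addr)))
        except ValueError:
            continue  # non-numeric field or unparsable address
    return answers


def find_rebinding(answers: List[Answer]) -> List[Finding]:
    findings = []
    last_external = {}  # (client, qname) -> most recent external answer
    for a in sorted(answers, key=lambda x: x.ts):
        if is_local_zone(a.qname):
            continue  # internal names are expected to hold internal addresses
        key = (a.client, a.qname)
        if not is_internal(a.addr):
            last_external[key] = a
            continue
        # Internal answer for a public name: was it external moments ago?
        prev = last_external.get(key)
        flipped = prev is not None and a.ts - prev.ts <= FLIP_WINDOW
        findings.append(Finding("rebind-flip" if flipped else "internal-answer",
                                a.client, a.qname, str(a.addr), a.ttl <= LOW_TTL))
    return findings


if __name__ == "__main__":
    for f in find_rebinding(parse_log(SAMPLE_LOG)):
        print(f)
```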
In other words: the domain now resolves to a private IP address, but the browser still considers it the same origin. That means the original script can now reach internal systems---like routers, printers, or internal APIs---without triggering cross-origin restrictions. From there, the attacker can probe the local network or extract data.

The attack works because DNS is separate from browser origin checks, and DNS records can be changed mid-session. It's a method that bypasses one of the core safeguards of modern browsers---the same-origin policy---without directly breaking it.

## What are some examples of DNS rebinding?

DNS rebinding has shown up in various real-world attacks across both consumer and enterprise environments. In each case, attackers used browsers as a pivot point to reach internal systems that would normally be off-limits.

Let's look at a few examples that show how this works in practice.

### Penetrating private networks with DNS rebinding

In one example, attackers used a tool called Singularity to scan an internal network through a victim's browser. The process began like most [phishing](https://www.paloaltonetworks.com/cyberpedia/what-is-phishing)-based attacks: convincing the victim to visit a malicious website. Once loaded, the site used timing-based techniques to identify internal IPs and open ports.

![A screenshot titled 'The result of internal network scanning by Singularity' shows a browser window with the URL 'rebinder.dns-rebinding-attackDOTcom:8088/scan-manager.html' and a 'Not Secure' warning in the address bar. The interface displays a section labeled 'Singularity of Origin Experimental Port Scanner' with two input fields. The first field, labeled 'IP address specification,' contains the value '10.0.0.0-10.' The second field, labeled 'Ports specification,' contains the value '80,443,1080,8080-8090.' Below these fields are two buttons: 'Scan' and 'Get Address+Scan().' The 'Results' section underneath displays JSON-formatted output showing successful scans of IP addresses and ports, including multiple entries for targets at 10.0.0.6 on ports 80 and 8080, and 10.0.0.7 on port 80. Each entry includes fields for 'error,' 'start,' 'end,' 'duration,' and 'target' with corresponding address and port values.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-rebinding/DNS-rebinding-2025_2.png)

From there, the attacker's site issued repeated DNS requests to rebind its domain name to an internal IP.

![The image shows a browser window displaying a web interface titled 'Singularity of Origin DNS Rebinding Attack.' The page includes fields for entering an attack host domain, attack host IP, target host IP, and target port. The attack host is set to 54.183.63.248, the target host is 10.0.0.6, and the target port is 8088. The 'Attack Payload' dropdown menu is set to 'Hook and Control.' On the right side of the image, the browser’s developer tools are open to the 'Headers' tab, showing the request URL highlighted in red. The request URL is “http://s-54.183.63.248-10.0.0.6...dynamic.dns-rebinding-attackDOTcom:8088/cluster.” Additional fields below show the request method as GET, the status code as 200 OK, and the remote address as \[::1\]:1081. The page's URL in the browser address bar is 'rebinder.dns-rebinding-attack.com:8088/manager.html' and it is marked 'Not Secure.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-rebinding/DNS-rebinding-2025_3.png)

After the rebind, the script could interact with local devices as if it were part of the same network. That's how attackers gained access to systems running on private IPs---without the victim ever knowing.

### Attacking routers and IoT devices

Another common use case involves targeting consumer-grade routers and smart devices. These often run local web interfaces that aren't exposed to the public internet but are reachable from inside the network.
Many also use default credentials or have weak access controls.

![The architecture diagram illustrates a DNS rebinding attack on a smart home device. On the left, a browser and a local smart home device are shown inside the local network. In the center, a vertical red firewall labeled 'FIREWALL' separates the local network from the internet. On the right, an attack server is shown on the public side. An arrow labeled '1' travels from the browser to the attack server, indicating an initial outbound request. A second arrow labeled '2' flows from the attack server to the local smart home device, passing through the firewall, representing the redirected request that reaches the internal device.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-rebinding/DNS-rebinding-2025_4.png)

Here's why this matters. Attackers can guess the default IP address of these devices and rebind their malicious domain to it. Once that happens, scripts can open admin panels, change DNS settings, or even reroute traffic. Smart devices with web-based controls or open APIs are especially at risk.

### Accessing internal enterprise applications

In a simulated environment, Unit 42 researchers demonstrated an attack on a Hadoop management interface.
![The image shows a web browser window displaying the Hadoop web interface, specifically the Cluster Metrics page. In the address bar at the top, the URL is highlighted and reads '10.0.0.6:8088/cluster,' indicating access via a private IP address. The interface includes sections labeled Cluster, Scheduler, and Tools on the left-hand menu. The main panel displays tables for Cluster Nodes Metrics and Scheduler Metrics, listing various application and system status categories. No data is currently displayed in the entries section. A caption to the right of the image reads, 'Internal Hadoop web interface accessible at private IP address (10.0.0.6).'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-rebinding/DNS-rebinding-2025_5.png)

The service wasn't publicly accessible. But once the browser rebound the hostname to its internal IP, the attacker could reach the page from the malicious domain.

![The image shows a web browser window displaying the Hadoop web interface's Cluster Metrics page. The browser’s address bar at the top highlights a URL that reads '3681473179.rebinder.dns-rebinding-attackDOTcom:8081,' indicating the interface is being accessed through a rebound malicious domain. The page layout includes a left-hand navigation menu labeled Cluster with items such as About, Nodes, Node Labels, and Applications. The main panel displays empty tables for Cluster Nodes Metrics and Scheduler Metrics. A caption to the left of the image states, 'Hadoop interface accessed through a rebound malicious domain.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-rebinding/DNS-rebinding-2025_6.png)

From there, they could view cluster status or even kill jobs on the management page. That's a serious problem---especially in enterprise environments where admin portals control critical workflows. Without strong internal [segmentation](https://www.paloaltonetworks.com/cyberpedia/what-is-network-segmentation) and DNS protections, these interfaces become easy targets.

### Bypassing CSRF protections

DNS rebinding can also be used to bypass [cross-site request forgery (CSRF)](https://www.paloaltonetworks.com/cyberpedia/csrf-cross-site-request-forgery) defenses. Normally, CSRF protections rely on the same-origin policy to block attackers from reading tokens embedded in pages. But rebinding removes that safeguard.

![The image shows a browser window with developer tools open, displaying the Headers and Console tabs. A PUT request is shown under the General section with a Request URL that includes a domain generated through DNS rebinding: 'http://s-54.183.63.248-0.0.0.0-332af31665-fs-e.dynamic.dns-rebinding-attackDOTcom:8081/web\_console/req1\_sessions/4dadc281502eb31e166f70935f99fbf.' The status code is 200 OK, and the request method is PUT. In the Console panel at the bottom, the session ID '4dadc281502eb31e166f70935f99fbf' is echoed again as part of a script that outputs 'Hello from rebinding test.' A caption to the right of the browser window states, 'Target internal web application rendered on attacker’s browser.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-rebinding/DNS-rebinding-2025_7.png)

In one Unit 42 test, a Rails application used session-specific tokens to authorize commands. The attacker used DNS rebinding to fetch the main page, extract the token, and then send a valid request to a vulnerable API. That request executed a command on the server. The test showed how even token-based protections can be bypassed if origin checks are undermined.

## What are the potential consequences of DNS rebinding?

![The image presents a two-column visual titled 'Potential consequences of DNS rebinding.' On the left, a heading appears in bold above a vertical list of four square icons representing different outcomes: 'Unauthorized access to internal systems,' 'Data exfiltration,' 'Service manipulation or abuse,' and 'Bypassing CSRF protection.' Each icon is orange with a corresponding white line drawing. On the right, four additional consequences are listed in a matching style: 'Compromise of IoT \& smart devices,' 'Network reconnaissance,' 'Compliance violations \& regulatory risk,' and 'Reputational harm.' Each item is paired with a unique icon symbolizing the type of impact.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-rebinding/DNS-rebinding-2025_8.png)

DNS rebinding opens the door to a range of security issues that affect both individuals and organizations. Here's a breakdown of the most common and impactful outcomes:

* **Unauthorized access to internal systems** Attackers can use DNS rebinding to reach devices and services inside a private network. These might include routers, development consoles, or APIs that are normally inaccessible from the internet. Once connected, they can interact with those resources without triggering standard security protections.
* **Data exfiltration** By gaining access to internal systems, attackers can extract [sensitive information](https://www.paloaltonetworks.com/cyberpedia/sensitive-data). That could include credentials, configuration data, or customer records stored in backend applications. In many cases, this happens silently through the victim's own browser.
* **Service manipulation or abuse** Some internal applications allow configuration changes or administrative actions. DNS rebinding can let attackers reach those interfaces and issue commands. This could involve disabling security settings, restarting systems, or interrupting services.

  ***Note:*** *Some internal web apps expose functionality via undocumented or legacy endpoints, which are often overlooked in standard vulnerability scans but may still be accessible via DNS rebinding.*
* **Bypassing CSRF protection** DNS rebinding can undermine web application defenses against cross-site request forgery. Normally, these protections rely on the same-origin policy to prevent attackers from reading tokens. But if the attacker's domain is rebound to a private system, those restrictions no longer apply.

  ***Note:*** *Because rebinding removes the origin mismatch, attackers can capture dynamic tokens from initial page loads and reuse them in subsequent forged requests---essentially chaining session-dependent actions within a trusted context.*
* **Compromise of IoT and smart devices** DNS rebinding is especially effective against smart devices that expose local web services. These often include limited authentication. Once rebound, attackers can control features, extract sensor data, or use the device for further scanning.
* **Network reconnaissance** Attackers can use the victim's browser to probe internal networks. Timing-based techniques or WebRTC requests can reveal available services and open ports. That information helps attackers map the environment for later stages of compromise.

  ***Note:*** *DNS rebinding-based reconnaissance is difficult to detect in real time because it piggybacks on legitimate browser activity, often leaving no obvious traces in conventional intrusion detection systems.*
* **Compliance violations and regulatory risk** If DNS rebinding leads to a breach of personal or regulated data, organizations may face legal consequences. This includes fines, audits, or sanctions under laws like [GDPR](https://www.paloaltonetworks.com/cyberpedia/gdpr-compliance) or [CCPA](https://www.paloaltonetworks.com/cyberpedia/ccpa). Even unintentional exposure can trigger regulatory action.

  ***Note:*** *Even when no data is exfiltrated, the mere exposure of internal systems via DNS rebinding may be considered a reportable security incident under some regulatory frameworks, depending on jurisdiction and industry.*
* **Reputational harm** Security incidents involving DNS rebinding can erode stakeholder trust. Customers may lose confidence in the organization's ability to protect data. Rebuilding that trust can take time and require significant public communication efforts.

## How to protect against DNS rebinding attacks

![The image shows a circular infographic titled 'How to protect against DNS rebinding attacks.' At the center is a gray shield icon surrounded by three labeled sections branching out: Detection in orange, Mitigation in purple, and Prevention in blue. The Detection section lists three steps: 'Check for private IPs in DNS responses,' 'Monitor browser behavior,' and 'Scan DNS and network logs.' The Mitigation section includes: 'Enable DNS pinning in browsers,' 'Filter DNS responses with private IPs,' 'Use HTTPS for internal services,' and 'Require authentication on internal services.' The Prevention section outlines: 'Use DNS services with rebinding protections,' 'Restrict JavaScript execution,' 'Segment internal networks,' 'Enforce host header validation on servers,' and 'Apply CORS \& content security policies.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-rebinding/DNS-rebinding-2025_9.png)

While DNS rebinding itself is a technique, its implications are broad. It can be difficult to detect and even harder to prevent.

So the response needs to be layered. Detect early, block suspicious behavior, and configure systems to reject unauthorized access---regardless of how the request got through.

Here's how to approach the issue from a detection, mitigation, and prevention standpoint.

### Detection

* **Check for private IPs in DNS responses** Use DNS lookup tools like `dig` to inspect whether a domain resolves to both public and private IP addresses. If the response alternates between external and internal IPs, it could indicate DNS rebinding.
* **Monitor browser behavior** Look for signs like repeated DNS queries to the same domain or unexpected requests to internal IP ranges.
  JavaScript errors related to cross-origin restrictions can also point to DNS rebinding in progress.
* **Scan DNS and network logs** Examine DNS logs and [firewall](https://www.paloaltonetworks.com/cyberpedia/what-is-a-firewall) activity for patterns such as frequent A record changes from a single domain. Tools like Zeek or Wireshark can help identify external sites attempting to reach private IPs through a victim browser.

  ***Tip:*** *Look for DNS queries that alternate between public and private IPs from the same domain within a short time window---especially when the public IP appears only briefly before switching. These short-lived records are often overlooked in coarse-grained log reviews.*

### Mitigation

* **Enable DNS pinning in browsers** Modern browsers may implement DNS pinning, which caches DNS results for a set time regardless of the TTL. This can block basic time-based rebinding attempts by reusing the original IP.
* **Filter DNS responses with private IPs** Configure DNS resolvers to block responses that return private, loopback, or non-routable IPs. This can reduce exposure to attacks that try to rebind hostnames to internal systems.

  ***Tip:*** *Also monitor for CNAME chains that ultimately resolve to private IPs. Attackers may use this to bypass direct A-record filtering by rebinding to internal systems via an intermediate alias.*
* **Use HTTPS for internal services** HTTPS helps validate server identities during connection setup. Since rebinding changes the IP address behind the domain but not the certificate the internal server presents, browsers will reject the mismatched SSL handshake---making rebinding less effective.
* **Require authentication on internal services** Strong credentials add another barrier. If attackers reach a service via DNS rebinding, authentication can stop them from interacting with it.

### Prevention

* **Use DNS services with rebinding protections** Some DNS solutions automatically block responses that resolve external hostnames to internal IP addresses. Choose providers or local resolvers that include this protection.

  ***Tip:*** *Choose DNS services that maintain contextual [threat intelligence](https://www.paloaltonetworks.com/cyberpedia/what-is-cyberthreat-intelligence-cti)---such as historical rebinding behavior or associations with known [exploit kits](https://www.paloaltonetworks.com/cyberpedia/what-is-an-exploit-kit)---rather than relying solely on static IP blocklists.*
* **Restrict JavaScript execution** Limit where and how scripts can run in the browser. This can reduce the ability of attacker-controlled websites to issue repeated DNS queries or execute rebinding payloads.
* **Enforce host header validation on servers** Configure internal web servers to reject requests with unexpected or unknown Host headers. This ensures that even if rebinding is successful, the server won't respond to requests sent through falsified domains.
* **Apply CORS and content security policies** Use strict cross-origin resource sharing (CORS) rules and content security policies on internal applications. These browser-level protections make it harder for scripts to interact with resources that aren't explicitly allowed.
* **Segment internal networks** Limit which devices can talk to each other.
  Even if DNS rebinding grants access to a particular resource, segmentation can prevent lateral movement to other sensitive areas.

## DNS rebinding FAQs

#### What does DNS rebind do?

DNS rebinding tricks a browser into treating an external domain as part of the internal network. It bypasses the same-origin policy by switching a domain's IP from a public address to a private one, allowing malicious scripts to access internal systems through the user's browser.

#### How do you mitigate DNS rebinding?

Mitigation includes enabling DNS pinning, filtering private IP responses at the resolver, enforcing HTTPS and authentication for internal services, and rejecting HTTP requests with unrecognized Host headers. These measures block or limit the attacker's ability to rebind and interact with internal resources.

## Related content

* [White paper: Stop Attackers from Using DNS Against You](https://www.paloaltonetworks.com/resources/whitepapers/stop-attackers-from-using-dns-against-you?ts=markdown) See how to regain control of your DNS traffic.
* [Blog: Strengthening Your DNS Protection with Advanced DNS Security](https://www.paloaltonetworks.com/blog/network-security/precision-ai-advanced-dns/) Find out how to squash the threat of DNS hijacking with real-time AI-powered analysis of the DNS response.
* [LIVEcommunity blog: PANW Advanced DNS Security Launches New Detection: DNS Traffic P...](https://live.paloaltonetworks.com/t5/community-blogs/palo-alto-networks-advanced-dns-security-launches-new-detection/ba-p/596388) Learn what DNS traffic profiling is and why it matters.
* [Threat research: DNS Rebinding Attack: How Malicious Websites Exploit Private Networ...](https://unit42.paloaltonetworks.com/dns-rebinding/) Dig deeper into DNS rebinding attacks.
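The Detection steps (private IPs in DNS responses, a name alternating between public and private answers within a short window) and the Mitigation tip about CNAME chains that end at private IPs can be checked together over resolver logs. The following is an added example, not code from the original page: the sample lines are constructed and modelled on the `ts`, `id.orig_h`, `query`, `answers` and `TTLs` fields of Zeek's JSON `dns.log`, and the `corp.example` zone, the 60-second window and all hostnames are assumptions.

```python
import ipaddress
import json

# Ranges a public name should never resolve to: private, loopback,
# link-local and "this host" (0.0.0.0/8), plus the IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumption: zones your own resolver legitimately maps to internal addresses.
INTERNAL_ZONES = ("corp.example",)

# Constructed sample log. 203.0.113.0/24 (a documentation range) stands in
# for public addresses; one line is deliberately malformed.
SAMPLE_LOG = """
{"ts": 1736499600.0, "id.orig_h": "10.0.0.23", "query": "www.example.org", "answers": ["203.0.113.80"], "TTLs": [3600.0]}
{"ts": 1736499601.0, "id.orig_h": "10.0.0.23", "query": "a1.rebind.attacker.example", "answers": ["203.0.113.10"], "TTLs": [1.0]}
{"ts": 1736499604.5, "id.orig_h": "10.0.0.23", "query": "a1.rebind.attacker.example", "answers": ["10.0.0.6"], "TTLs": [1.0]}
{"ts": 1736499700.0, "id.orig_h": "10.0.0.41", "query": "wiki.corp.example", "answers": ["10.0.0.9"], "TTLs": [300.0]}
{"ts": 1736499750.0, "id.orig_h": "10.0.0.41", "query": "nx.attacker.example", "rcode_name": "NXDOMAIN"}
not json at all
{"ts": 1736499800.0, "id.orig_h": "10.0.0.50", "query": "cdn.attacker.example", "answers": ["alias.attacker.example", "192.168.1.1"], "TTLs": [5.0, 5.0]}
"""


def parse_ip(text):
    """Return an ip_address, or None for CNAME targets (logged as names)."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def in_internal_zone(name):
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def load_records(log_text):
    """Parse JSON lines, skipping malformed lines and answerless responses."""
    records = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "ts" in rec and rec.get("query") and rec.get("answers"):
            records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_rebinding(log_text, window_seconds=60):
    """Report external names that resolved to internal addresses.

    Each finding notes whether the same name returned a public-only answer
    within the preceding window (the short-lived public record the tip
    describes) and whether the address was reached through a CNAME.
    """
    last_public = {}  # query name -> timestamp of latest public-only answer
    findings = []
    for rec in load_records(log_text):
        name = rec["query"].rstrip(".").lower()
        ips = [ip for ip in map(parse_ip, rec["answers"]) if ip is not None]
        internal = [str(ip) for ip in ips if is_internal(ip)]
        if not internal:
            if ips:
                last_public[name] = rec["ts"]
            continue
        if in_internal_zone(name):
            continue  # expected answer for one of our own zones
        gap = rec["ts"] - last_public[name] if name in last_public else None
        ttls = rec.get("TTLs")
        findings.append({
            "query": name,
            "client": rec.get("id.orig_h"),
            "internal_ips": internal,
            "via_cname": len(ips) < len(rec["answers"]),
            "min_ttl": min(ttls) if ttls else None,
            "flipped": gap is not None and gap <= window_seconds,
            "gap_seconds": gap,
        })
    return findings


if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG):
        print(finding)
```

The same `internal_ips` test is what a filtering resolver applies per response; here it is run after the fact so that names in your own zones can be excluded before alerting.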
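Host header validation, listed under Prevention, works against rebinding because the browser keeps sending the attacker's hostname in `Host` even after that name resolves to the internal server. The following is an added example, not code from the original page: a WSGI middleware that enforces an allow-list, where the class name, the allowed hostnames and the stand-in admin app are all hypothetical.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: the names (and IP literal) admins legitimately use for this service.
ALLOWED_HOSTS = {"hadoop.corp.example", "10.0.0.6", "localhost"}


def normalize_host(raw):
    """Return the lowercase hostname from a Host header value, without port."""
    host = (raw or "").strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:8088
        end = host.find("]")
        return host[: end + 1] if end != -1 else ""
    host = host.split(":", 1)[0]          # drop an optional :port
    return host.rstrip(".")               # treat "name." and "name" alike


class HostAllowlist:
    """WSGI middleware: refuse any request whose Host is not on the allow-list."""

    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}

    def __call__(self, environ, start_response):
        host = normalize_host(environ.get("HTTP_HOST"))
        if host not in self.allowed:
            # A rebound request arrives here: correct IP and port, but the
            # Host header still names the external domain the page came from.
            body = b"Unrecognized Host header\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def cluster_app(environ, start_response):
    """Stand-in for an internal admin page (hypothetical)."""
    body = b"cluster status: ok\n"
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def simulate(host_header):
    """Send one GET through the middleware and return the status line."""
    environ = {}
    setup_testing_defaults(environ)
    if host_header is None:
        environ.pop("HTTP_HOST", None)    # request with no Host header at all
    else:
        environ["HTTP_HOST"] = host_header
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    b"".join(HostAllowlist(cluster_app, ALLOWED_HOSTS)(environ, start_response))
    return seen["status"]


if __name__ == "__main__":
    for value in ("hadoop.corp.example:8088",
                  "rebinder.attacker.example:8088",   # constructed rebound name
                  None):
        print(repr(value), "->", simulate(value))
```

Requests with a missing or empty `Host` are rejected as well, so a client cannot sidestep the check by omitting the header.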