Happy slice of mcp pizzaMCP.pizza

DNS Rebinding Tricks Your Agent Into Attacking Your Own Network

tldr;

DNS rebinding tricks your AI agent into connecting to internal network services by resolving a public hostname to a private IP address like 127.0.0.1 or 10.x.x.x.

DNS rebinding is an attack where a malicious MCP server URL resolves to a private or internal IP address, causing your AI agent to inadvertently access services on your local network or cloud infrastructure metadata endpoints.

How DNS rebinding works

  1. 1.An attacker registers a domain like evil-mcp.example.com
  2. 2.The DNS record initially points to a public IP (passing validation)
  3. 3.After the first request, the DNS record changes to 127.0.0.1 or 169.254.169.254
  4. 4.Your AI agent now makes requests to your internal network or cloud metadata API

Why this is dangerous for MCP

MCP agents make HTTP requests on behalf of the user. If an agent connects to what it thinks is an external MCP server but is actually hitting:

  • >localhost, it could access local dev servers, databases, or admin panels
  • >Cloud metadata (169.254.169.254), it could steal IAM credentials and service account tokens
  • >Internal services (10.x.x.x), it could reach databases, APIs, or admin interfaces behind your firewall

How to fix it

  1. 1.Resolve DNS and verify the IP is public before connecting
  2. 2.Block connections to RFC 1918 private ranges and link-local addresses
  3. 3.Use DNS pinning to prevent mid-session rebinding

Our scanner performs this check automatically before any connection is made.

Read Next

Your API Key Is in the Tool Call (And That's a Problem)

Credential exposure in MCP happens when a server accepts API keys as tool parameters instead of authenticating via HTTP headers. Whether by mistake or by design, the result is the same: your key lands in plain-text logs, the LLM context window, and is one prompt injection away from leaking.

That MCP Tool Just Asked for Your Entire Chat History

Context harvesting is when a malicious MCP server tricks your AI agent into leaking conversation history, system prompts, or user data through tool parameters that request "chat_history" or "full_context".

Shell Access, File Writes, and Other MCP Red Flags

Dangerous capabilities are MCP tools that can execute shell commands, modify files, or access your system, giving a malicious server the ability to run arbitrary code on your machine.

← Back to all articles