Skip to content


Repository files navigation

What is this

This is a small set of zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities. It provides easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents.

The tool does not employ any novel techniques and is not unique in any sense. All features are trivial to implement and can be easily found in other similar tools.

The service is currently run at the domain (and its' subdomains).

Source code & self-host

The source is available on github. However, the code is shitty as hell.

If you want to self-host it, follow this steps:

  1. Get a domain name of your choice and put NS records so that your server serves that domain.
  2. Perform go get
  3. Download and modify
  4. Run like this:



If you want to get a record that resolves to an IP, use the following subdomain:


For example, domain resolves to

$ host -t A has address

You can use dashes instead of dots as long as the IP is valid:

$ host -t A has address

You can place some unique prefix/suffix before make or after rr (dots are allowed):

$ host -t A has address

Multiple records can be separated by -and-:

$ host -t A has address has address

DNS rebinding

In the context of SSRF bugs, DNS rebinding is a well-known technique targeting TOCTOU type of vulnerabilities during IP blacklisting or whitelisting. It is performed using a domain that resolves in a legit IP during the first request (check) and to the forbidden one during the second request (use).

To generate a domain name with this behavior, use the following syntax:


For example, the domain name will first resolve to and then to

$ host -t A has address
$ host -t A has address

The logic behind the feature is as follows:

  • if there were no requests to this domain during last 5 seconds, it's resolved to the first IP;
  • otherwise, it's resolved to the second one.

You can use prefixes before make- and suffix after -rr in order to uniqualize the domain name (e.g. The timeouts are separate for each domain name.

If you need to change the default 5 seconds timeout, use the following syntax:


where <interval> is something like 10s (10 seconds) or 5m (5 minutes).

If you need that "whitelisted" IP (which is IP1 in our examples) be returned multiple times before rebinding, use the following syntax:


For example, will resolve in first two times, and then will resolve in for next 30 seconds.


To make up a domain that resolves only to an IPv6 address, use the following syntax:


Colons must be replaced with letter c. As always, random prefix and suffix can be used:

$ host -t AAAA has IPv6 address 1:2::3


By default, unparsable addresses are considered as CNAMEs:

$ host is an alias for

To force a domain to be a CNAME, add cname- prefix:

$ host -t A is an alias for

Other record types

If the thing between make- and -rr is a parsable record, it is returned for any type of request.

$ host -t TXT descriptive text "blahblah"

Hex encoding

You can encode the contents of a record in hex and add a hex- prefix after make-:

$ host -t A has address

Note on DNS TTLs

Some servers don't want to handle zero TTL replies. Default TTL is 1 for "service" domains and 0 for others.

If you want to change TTL, add set-<number>-ttl anywhere in the domain name.

Log viewing

The log of all DNS requests is public. There are the following endpoints:

Contacts & FAQ

If you have any questions or suggestions in mind, feel free to contact me via @neexemil on Telegram or @emil_lerner on Twitter.

Is this tool free for any type of usage?


But what if I use it during some illegal adventure or DDoS it with a huge amount of traffic?

These are awful ideas which I don't like.

I've read the code and have concluded that you're a noob. It is the shittiest program ever.



No description, website, or topics provided.






No releases published


No packages published