Can you explain the DNS rebinding attack for local development?

[Nefcanto]

I use a centralized vite.config.js for a lot of projects. I also use local domains with fake SSL certificates to simulate the server. For example:

admin.x.local
client.y.local
customer.z.local

After upgrading to Vite 6.0.11 I saw this message:

Blocked request. This host ("admin.x.local") is not allowed.
To allow this host, add "admin.x.local" to server.allowedHosts in vite.config.js.

I changed the vite.config.js and set the server.allowHosts to true and it solved the problem.
I don't use localhost because it's too long. I use .local for our local development.
When I saw the docs I realized that it might cause the DNS rebinding attack. I read about it and it seemed to me that this attack only works if I have a private DNS somewhere on my network. However, I only use /etc/hosts file.

Can you please explain to me if setting server.allowedHosts = true for .local hosts can pose security problems or not?

[sapphi-red]

As long as you have the control of to what IP address the domain points for the domain name you use, it would be safe. So in your case,

• admin.x.local/client.y.local/customer.z.local are written in /etc/hosts and you have the control of it, so it's fine to include them in server.allowedHosts
• .local is a reserved TLD and will never be registered, so other person cannot point any *.local to an addresss, so it's fine to include .local in server.allowedHosts

The reason why .localhost is included by default and .local is not included by default even though .local is reserved, is just that .local is reserved for a different purpose.

[Nefcanto]

@sapphi-red thank you for your explanations. So what I understood is that some attacker controls the DNS records of a given domain (how, I have no idea) and when people enter example.com, instead of going to the intended server, they go to the malicious server. Is that DNS rebinding attack?

Also thanks for assuring us that we can put the .local in our config. Can you please tell me what purpose was behind it? Because .local is way easier and shorter than .localhost.

[sapphi-red]

what I understood is that some attacker controls the DNS records of a given domain (how, I have no idea) and when people enter example.com, instead of going to the intended server, they go to the malicious server. Is that DNS rebinding attack?

No, that's a DNS spoofing attack. An example would be an attacker has their own domain attacker.example and points that IP address to their IP. While you access that site via browser (as a top-level navigation or iframe or whatever), the attacker changes the pointing IP to 127.0.0.1 by updating the DNS record. After the IP has changed, the attacker calls fetch('/your-source-code.js'). This request will be allowed by browsers as the origin is same (even though you won't expect that to be allowed), and requires the server to disallow such requests.

Can you please tell me what purpose was behind it?

.local is for mDNS and zeroconf.
https://en.wikipedia.org/wiki/.local

[Nefcanto]

@sapphi-red, you mean while we're on the attacker's website they change their IP address to 127.0.0.1? So that future requests go through the lookback? That's somehow weird. Is that even possible at all?

I read about .local and it seems to me that we won't be using it ever. So I think we will stick to this for local development, though semantically it's wrong.

[sapphi-red]

you mean while we're on the attacker's website they change their IP address to 127.0.0.1?

Yes. It is possible.