The “DNS rebinding” technique allows, when a user opens a certain page in a browser, to establish a WebSocket connection to a network service on the internal network that is not accessible directly via the Internet. To bypass the protection used in browsers against going beyond the scope of the current domain (cross-origin), change the host name in DNS. The attacker's DNS server is configured to send two IP addresses one by one: the first request sends the real IP of the server with the page, and subsequent requests return the internal address of the device (for example, 192.168.10.1).
The time to live (TTL) for the first response is set to a minimum value, so when opening the page, the browser determines the real IP of the attacker's server and loads the contents of the page. The page runs JavaScript code that waits for the TTL to expire and sends a second request, which now identifies the host as 192.168.10.1. This allows JavaScript to access a service within the local network, bypassing the cross-origin restriction.
Source: opennet.ru