dns, client-side-attacks

DNS rebinding: how does it work?


I've been doing some research on DNS rebinding attacks and I can't understand how the actual rebinding happens. The most helpful resource was this video by Robert Hansen.

The one thing that I didn't quite understand: does the attacker have to own the DNS server for the attack to work? If so, does the target have to make requests to the attacker's server? Or does it work with any available DNS server, with something in the browser internals forcing the rebinding?


Solution

  • The attacker has to have their own DNS server, which will be the final hop in a DNS lookup for their domain name. This is what is compromised. This server has a very small TTL on the DNS record that it serves, and will serve the actual DNS record for the site the first time, and a malicious DNS record pointing to some hidden server the second time it is called (usually by the malicious JavaScript being served on the site).
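As an added illustration (not part of the answer above), here are the two defender-side checks that break the sequence just described: a resolver-side filter modelled on dnsmasq's rebind protection, which refuses the second, non-public answer, and a Host header check for the internal service, which still sees the attacker's domain name in a rebound request. The hostnames, addresses and TTLs are constructed sample values.

```python
"""Defender-side checks against DNS rebinding (added example, not from the answer).

1. Resolver-side rebind protection: an answer for a public hostname that points
   at a private, loopback or link-local address is dropped before it reaches
   the browser, so the attacker's second record never takes effect.
2. Server-side Host header check on the hidden/internal service: a rebound
   browser still sends the attacker's hostname in Host, which is rejected.
"""
import ipaddress

# Constructed sample: the two answers the attacker's authoritative server hands
# out in turn for its own name, each with a tiny TTL (illustrative values only).
SAMPLE_ANSWERS = [
    {"name": "attacker.example", "ip": "93.184.216.34", "ttl": 1},  # 1st lookup: real site
    {"name": "attacker.example", "ip": "192.168.1.1", "ttl": 1},    # 2nd lookup: rebinds to LAN
]


def is_rebind_answer(ip: str) -> bool:
    """True if a DNS answer maps a public name into address space it never should."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


def filter_answers(answers):
    """Resolver-side rebind protection: split answers into (accepted, rejected).

    Returning the rejected records lets the caller log what was blocked.
    """
    accepted, rejected = [], []
    for rec in answers:
        (rejected if is_rebind_answer(rec["ip"]) else accepted).append(rec)
    return accepted, rejected


def host_header_allowed(host_header: str, allowed_hosts) -> bool:
    """Server-side check: accept only Host values the internal service is known by.

    Strips a port suffix (including bracketed IPv6 literals); an empty Host fails.
    """
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:8080
        host = host[1:host.find("]")] if "]" in host else ""
    else:
        host = host.split(":")[0]
    return bool(host) and host in {h.lower() for h in allowed_hosts}
```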