An attacker serves content whose IP address is resolved by a DNS server
						that it controls and after initial contact by a web browser or similar
						client it changes the IP address to which its name resolves to an address
						within the target browser's organization that is not publicly accessible,
						thus allowing the web browser to examine this internal address on its
						behalf. Web browsers enforce security zones based on DNS names in order to
						prevent cross-zone disclosure of information. In a DNS binding attack an
						attacker publishes content on their own server with their own name and DNS
						server. The first time the target accesses the attacker's content, the
						attacker's name must be resolved to an IP address. The attacker's DNS server
						performs this resolution, providing a short Time-To-Live (TTL) in order to
						prevent the target from caching the value. When the target makes a
						subsequent request to the attacker's content the attacker's DNS server must
						again be queried, but this time the DNS server returns an address internal
						to the target's organization that would not be accessible from an outside
						source. Because the same name resolves to both these IP addresses, browsers
						will place both IP addresses in the same security zone and allow information
						to flow between the addresses. The attacker can then use scripts in the
						content the target retrieved from the attacker in the original message to
						exfiltrate data from the named internal addresses. This allows attackers to
						discover sensitive information about the internal network of an enterprise.
						If there is a trust relationship between the computer with the targeted
						browser and the internal machine the attacker identifies, additional attacks
						are possible. This attack differs from pharming attacks in that the attacker
						is the legitimate owner of the malicious DNS server and so does not need to
						compromise behavior of external DNS services.