Rebinding attacks unbound, 2007-10-17
What is DNS pinning?
DNS rebinding vulnerabilities were first discovered in 1996 as an attack against Java. The classic vulnerability was fixed by the Java Virtual Machine preventing host names from changing from one IP address to another -- a defense that came to be known as DNS pinning. Since 1996, pinning has been steadily weakened in Web browsers because it reduces robustness by preventing one server from failing over to another server. In fact, pinning was removed from Firefox in version 1.5. An attacker can cause modern browsers to release their pins in about one second.
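To make the pinning trade-off described above concrete, here is an added illustration (not code from the article or from any browser) of a per-session pin table: the first address resolved for a host name is reused for the rest of the session, and later DNS answers are ignored. The only way the pin is dropped is when a connection failure is reported, which is exactly the failover behaviour the text says weakened pinning. The `StubDns` class, the host names and the addresses are constructed for the example; no real DNS is queried.

```python
"""Constructed model of browser DNS pinning (added example, not from the article)."""


class StubDns:
    """Constructed stand-in for a resolver: returns a fixed sequence of
    answers per host, so a later lookup can yield a different address."""

    def __init__(self, answers):
        self._answers = dict(answers)   # host -> list of IP strings
        self._calls = {}

    def resolve(self, host):
        n = self._calls.get(host, 0)
        self._calls[host] = n + 1
        seq = self._answers[host]
        return seq[min(n, len(seq) - 1)]   # last answer repeats forever


class PinningResolver:
    """Pins each host name to the first address it resolved to.

    pin_lifetime=None models strict (session-long) pinning; a finite value
    models browsers that let the pin expire after a number of seconds.
    Time is passed explicitly (`now`) so the behaviour is deterministic."""

    def __init__(self, dns, pin_lifetime=None):
        self.dns = dns
        self.pin_lifetime = pin_lifetime
        self.pins = {}   # host -> (ip, time pinned)

    def lookup(self, host, now):
        if host in self.pins:
            ip, pinned_at = self.pins[host]
            if self.pin_lifetime is None or now - pinned_at < self.pin_lifetime:
                return ip            # pinned: ignore whatever DNS says now
        ip = self.dns.resolve(host)
        self.pins[host] = (ip, now)
        return ip

    def report_failure(self, host):
        """Robustness hook: a failed connection releases the pin so the next
        lookup may fail over to another server. This is the behaviour the
        article describes as weakening pinning in modern browsers."""
        self.pins.pop(host, None)


if __name__ == "__main__":
    # Constructed scenario: a host whose record changes after the first lookup.
    dns = StubDns({"host.example": ["203.0.113.5", "10.0.0.7"]})
    strict = PinningResolver(dns)
    print(strict.lookup("host.example", now=0))     # 203.0.113.5
    print(strict.lookup("host.example", now=300))   # still 203.0.113.5
    strict.report_failure("host.example")
    print(strict.lookup("host.example", now=301))   # pin released: 10.0.0.7
```

With `pin_lifetime=None` the second answer never reaches the page; once the pin is released for failover, the next lookup trusts DNS again, which is why the resolver-side and authorization defenses discussed later in the article are needed in addition to pinning.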
Why isn't it enough to protect us?
Pinning is no longer a sufficient defense against DNS rebinding because modern browsers contain many different technologies that permit network access, such as Flash and Java. These technologies have separate pin databases, but they are permitted to communicate with each other within the browser. This allows the attacker to pin one technology, say JavaScript, to his server and simultaneously pin another technology, say Java, to the target server. The attacker can then use LiveConnect (a feature that bridges Java and JavaScript) to communicate with the target server -- effectively rendering the DNS pins useless.
Can the OS do something to defend the browser?
Organizations can protect themselves against firewall circumvention by configuring their DNS resolvers not to bind external host names to internal IP addresses; for example, by deploying Google DNS Wall. This prevents the attacker from binding attacker.com to an internal machine, foiling any rebinding attack against internal machines.
Defending against IP hijacking is more difficult because there is no simple method of separating malicious host names from honest IP addresses. In the short term, plug-in vendors can patch their technologies to default to denying socket access to active content unless the socket's destination explicitly allows access from the content's origin. Flash already has a policy mechanism it could leverage to this end; but, unfortunately, applying this approach to Java would break some existing applications.
In the longer term, DNS rebinding vulnerabilities can be prevented using host name authorization -- a technique for embedding the set of authorized host names for an IP address in DNS. Web browsers and their plug-ins can consult this set and prevent the attacker from binding his or her host name to a target server. This defense requires browser vendors and server operators to cooperate in order to be successful.
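The two defenses in the preceding answers, a DNS Wall-style resolver filter and host name authorization, can be expressed as policy checks on a DNS answer before a browser or plug-in is allowed to use it. The following is an added example written for this page; it is not the code of Google DNS Wall or of the paper's implementation. The internal-zone list, the `AUTHORIZED` table and the host names and addresses are constructed, and the decision to treat an address with no published authorization data as a legacy server that accepts any name is an assumption made here for incremental deployment, not a detail the article states.

```python
"""Added example: resolver-side and browser-side checks against DNS rebinding."""
import ipaddress

# Address ranges an external name must never resolve to (private, loopback,
# link-local). Constructed list; extend to match your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    # `in` returns False (not an error) when address and network versions differ.
    return any(addr in net for net in INTERNAL_NETS)


def dns_wall_filter(name, ip, internal_zones=("corp.example.",)):
    """DNS Wall-style rule: an answer is released to clients unless it binds an
    external host name to an internal address. Names under the organisation's
    own zones (constructed here as corp.example.) may resolve to anything."""
    fqdn = _fqdn(name)
    if any(fqdn.endswith(zone) for zone in internal_zones):
        return True
    return not is_internal(ip)


# Constructed host name authorization data: ip -> names authorized to map to it.
# The article says this set lives in DNS; here it is an in-memory table.
AUTHORIZED = {
    "203.0.113.10": {"www.example.", "example."},
    "203.0.113.11": set(),    # publishes data but authorizes no name at all
}


def hostname_authorized(name, ip, table=AUTHORIZED):
    """Browser/plug-in check: may `name` be bound to `ip`?
    Assumption: an address with no published data is a legacy server and is
    allowed, so the scheme can be rolled out one server at a time."""
    if ip not in table:
        return True
    return _fqdn(name) in table[ip]


def accept_answer(name, ip):
    """Combined policy: the resolver filter and the authorization check must
    both pass before active content may open a socket to the address."""
    return dns_wall_filter(name, ip) and hostname_authorized(name, ip)


if __name__ == "__main__":
    # Constructed answers: name, address, expected decision.
    for name, ip in [("attacker.example", "10.0.0.7"),
                     ("intranet.corp.example", "10.0.0.7"),
                     ("attacker.example", "203.0.113.10"),
                     ("www.example", "203.0.113.10"),
                     ("attacker.example", "198.51.100.9")]:
        print(f"{name:24} -> {ip:14} accept={accept_answer(name, ip)}")
```

The first rule handles firewall circumvention at the resolver, so every client behind it benefits without any browser change; the second rule handles the IP-hijacking case the article calls harder, and needs the target's operator to publish its authorized names and the browser or plug-in to consult them.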
How do current browsers use DNS?
This part gets very technical in the paper. Some browsers attempt to pin DNS entries, but virtually all Web browsers can be reliably forced to unpin in approximately one second (the one modern exception is Opera 9, which requires four seconds). The one browser that seems relatively resistant to DNS rebinding is the browser inside the Nintendo Wii. However, in our experiments we found that some PlayStation 3 Web browsers were vulnerable.
Is there any browser that is not vulnerable?
In our testing, the most secure configuration we found was Safari running on a Mac without Flash and without a proxy. This configuration avoids the multi-pin attacks because Safari does not support LiveConnect and the configuration does not include Flash. Additionally, Safari on Mac seems to correctly pin for several minutes (unlike other browsers which can be made to unpin in one second). We did not test Konqueror in our lab. In our experiment, we only observed five Konqueror impressions (out of 50,000 impressions) and did not attempt rebinding on any of them.
