web application security lab

DNS Rebinding in Firefox

Either I’m just blind or I never actually got into the nitty gritty of testing DNS pinning in Mozilla’s Firefox, but I never realized until today that Firefox doesn’t actually pin DNS at all. I guess you learn something new every day. For a project unrelated to security, a customer needed to fail over to another domain, and they wanted to know how quickly they could do that without necessarily taking their primary site offline in the process. So we started doing some tests. Internet Explorer, it looks like, pins DNS for 30 minutes. Still short in my mind, but according to the documentation I could find that’s because 24 hours or more broke a lot of things (I’m imagining things like DynDNS and so on).

All the documentation I could find online was erroneous and said that Firefox rebound DNS after one minute. In reality Firefox rebound DNS as soon as the DNS time to live (TTL) expired. We got it to switch DNS within one second, meaning there was no need for the trick where you close down the port or firewall off the client IP address or anything similar. Nope, all you need to do is turn down the TTL and you’ve got yourself a DNS rebinding scenario. That seems really surprising to me, and it makes the whole attack way easier on Mozilla, since now all you need is control of DNS and a web server to make it work (no access to anything else required). I don’t know why I thought DNS pinning existed in Mozilla’s browser. Has something changed? Can someone verify?

16 Responses to “DNS Rebinding in Firefox”

  1. Collin Jackson Says:

    Last time I checked, all browsers could be made to unpin within 4 seconds, and most within 1 second:

    http://crypto.stanford.edu/dns/

    Of course it’s harder to get some browsers to unpin than others, but that’s not really going to deter a determined attacker.

    If you want to use a firewall to protect an HTTP server from the outside world, the only working solutions I know of are to either use a circumvention resistant DNS resolver, or enable HTTP Host header checking on the server.
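The Host header check mentioned in this comment, as an added example that is not code from the post or any commenter. A rebound request reaches the internal server's IP, but its Host header still names the attacker's domain (or a bare IP literal), so the server can refuse to answer. The allowlist and listen port are assumptions.

```python
# Added example: server-side Host header validation against DNS rebinding.
# The allowed names and port are assumptions for the example.
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"intranet.example", "wiki.intranet.example"}  # assumed allowlist
LISTEN_PORT = 8080  # assumed


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names this service by a known name.

    Rejects a missing header, any IP literal (a rebound request typically
    carries the attacker's domain or our raw address, never our real name),
    and any name outside the allowlist. A trailing :port is stripped first.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:8080
        return False
    if host.count(":") == 1:  # name:port or v4:port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is never a legitimate name for this service
    except ValueError:
        pass
    return host.rstrip(".") in allowed


class HostCheckingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host")):
            self.send_error(400, "Bad Host header")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from the intranet service\n")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), HostCheckingHandler).serve_forever()
```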

  2. rvdh Says:

    RFC 2616 says the client must observe the TTL reported by DNS. If Mozilla Firefox takes 1 second like you say, I don’t see a problem.

  3. RSnake Says:

    Yeah, I’m not saying they’re violating the RFC - but it sure makes exploiting users with it much easier.

  4. RSnake Says:

    @Collin - I meant without a rebinding trick - simply by giving a different name in the DNS and setting the TTL to 1 second. I’m NOT talking about DNS rebinding attacks that require shutting down the connection.

  5. Wladimir Palant Says:

    No, I cannot confirm this from the source code - the DNS cache is being controlled by network.dnsCacheEntries and network.dnsCacheExpiration preferences, default values being 400 and 3 (minutes) respectively. From what I can tell, Firefox doesn’t respect TTL at all. So whatever you see there probably isn’t intended and you should file a bug.

  6. Rene A. Says:

    Just checked Firefox 3.5.4 config (about:config) and can’t find network.dnsCache* entries?

    Are the default values you’re reporting active (from the source code)? Why are those properties not accessible?

  7. AbiusX Says:

    This sounded interesting to me, and I’m still waiting to know the accurate reason/answer to that! Anyone?

  8. sirdarckcat Says:

    actually… it looks like it was pinned before (someone reproduced it on October 23, 2009):
    https://bugzilla.mozilla.org/show_bug.cgi?id=524084

    =/

  9. Hannibal Says:

    Your site looks MUCH BETTER NOW!! :) I mean for the book! Thanks for changing it. I will buy it now. :) Cheers Snake!

  10. RSnake Says:

    @Hannibal - hah! Thank you! I’m still toying with it a bit, but I agree. It’s much easier on the eyes.

  11. Gourmet Says:

    I don’t understand why Firefox should pin or unpin.

    It should be the responsibility of the DNS client (the resolver) to pin or unpin, not that of a particular application, which should rely on the resolver and not resolve and cache for itself!

    If developers respected the standards, the world would be better for users!

    db

  12. RSnake Says:

    @Gourmet - If the client were in control it would rebind DNS as soon as the TTL expires - but the TTL is up to the attacker. If the attacker specifies one second and then can rebind ha.ckers.org to the address of your internal router or your firewall, or your internal wiki and read and write information to it as if it were on the same domain - that seems problematic. The problem with the standard in this case, is that it doesn’t take into account rebinding as an attack, since the same origin policy applies to domains, not to IPs that the domain resolves to (unless you build the concept of pinning).

  13. Mark Goodwin Says:

    I wrote about this back when I used to blog… http://directwebremoting.org/blog/mark/2007/07/19/does_firefox_implement_dns_pinning.html - point is, I don’t think anything has changed.

  14. RSnake Says:

    @sirdarckcat - What happened to 10 F*ing days? 2002?! Seven years and it’s still vulnerable?! Eek!

    @Mark - interesting. Maybe I just always assumed it was true and just never tested it myself in Firefox. Alas!

  15. AbiusX Says:

    So you confirm it’s vulnerable yet? :D wow! I’m gonna have a lot of zombies now :))

  16. MrBlogs Says:

    A potential solution would be to provide something similar to what happens when you visit a page that has an invalid SSL certificate. Firefox could easily realise if the IP requested has changed from an external to an internal one (as internal addresses will be 127., 192.168., 10., or 172.16., etc.) and notify the user that this is taking place, maybe with a message “DNS Rebinding in progress… Do you wish to continue”.
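The behaviour the post describes (a resolver that follows an attacker-chosen 1-second TTL) next to the pinning it says Firefox lacks, including the external-to-internal check MrBlogs suggests above. This is an added simulation, not code from the post, from Firefox, or from any commenter; the DNS answers are constructed and nothing is resolved on the network. The 30-minute pin window is an assumption modelled on the IE figure in the post.

```python
# Added example: TTL-driven caching versus a pinned cache with a
# public-to-private rebind check. All DNS answers below are constructed.
import ipaddress

PIN_SECONDS = 30 * 60  # assumed pin window, modelled on the IE figure in the post


def is_internal(ip):
    """Loopback, link-local and RFC 1918 addresses all count as internal."""
    return ipaddress.ip_address(ip).is_private


class Resolver:
    """answers: host -> list of (ip, ttl) the authoritative server hands out in
    order; a cache miss consumes the next one, the last answer then repeats."""

    def __init__(self, answers, pin=False):
        self.answers = {h: list(a) for h, a in answers.items()}
        self.pin = pin
        self.now = 0
        self.cache = {}  # host -> (ip, expires_at)

    def tick(self, seconds):
        self.now += seconds

    def resolve(self, host):
        cached = self.cache.get(host)
        if cached and self.now < cached[1]:
            return cached[0]  # cache still valid, no new lookup
        queue = self.answers[host]
        ip, ttl = queue.pop(0) if len(queue) > 1 else queue[0]
        if self.pin and cached and not is_internal(cached[0]) and is_internal(ip):
            # Pinned mode: a name that pointed at a public address is not allowed
            # to start pointing inside the private ranges (MrBlogs's check).
            raise ValueError(f"{host}: refusing rebind {cached[0]} -> {ip}")
        lifetime = max(ttl, PIN_SECONDS) if self.pin else ttl  # pinning ignores a short TTL
        self.cache[host] = (ip, self.now + lifetime)
        return ip


def attack_answers():
    # Constructed zone: a public address with a 1-second TTL, then the victim's router.
    return {"attacker.example": [("1.2.3.4", 1), ("192.168.1.1", 1)]}


def run(pin):
    """Return (first lookup, lookup after the TTL expires, lookup after the pin window)."""
    r = Resolver(attack_answers(), pin=pin)
    first = r.resolve("attacker.example")
    r.tick(2)  # the 1-second TTL has expired
    second = r.resolve("attacker.example")
    r.tick(PIN_SECONDS)  # the pin window has expired as well
    try:
        third = r.resolve("attacker.example")
    except ValueError as e:
        third = str(e)
    return first, second, third
```

Without pinning the second lookup already lands on 192.168.1.1; with pinning the short TTL is ignored and the later flip to a private address is refused outright.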