Notes on DNS Pinning
Christian Matthies has an excellent writeup on DNS Pinning (with diagrams!) If you're tuned into web app security you've probably noticed a lot of discussion around Anti DNS Pinning a.k.a. DNS Rebinding a.k.a. Quick-Swap DNS lately. You're likely to see a lot more such discussion after this year's Blackhat/Defcon given that there are a number of related talks on the agenda. If you're there, don't miss out on Dan Kaminsky's talk in particular -- it should include a very slick demo!
There are a couple of details I'd like to add with respect how these issues relate to Microsoft products:
1) There's been an assumption that IE actively implements DNS Pinning, as described in the 2002 XWT Foundation Security Advisory. IE has never implemented a specific DNS Pinning feature. It just happens that the steps necessary to make a working demonstration require some smart manipulation of IE's session management and caching behavior. The steps required also may vary between different versions of IE. So basically, any DNS Pinning type behavior observed in IE is incidental.
2) “Anti Anti Anti DNS Pinning” has been specifically addressed in the version of XMLHTTP that ships with Windows Vista and Windows Server 2003 SP2. If a web server implements Host header validation, that should be enough to guarantee the server won't be the target of anti-DNS Pinning via XMLHTTP. After implementing HOST headers for a web site you can validate that content requested without the appropriate Host header is not served. The linked article mentions IIS 5 but the instructions also apply to IIS 6. If there's a way for an Internet web page to send an HTTP request with an arbitrary Host header, I would say that's a bug in need of a fix.