I just learned what DNS pinning is and how it can be defeated when a domain is associated with multiple DNS A records.
The basic idea of DNS pinning is that when your browser loads something from x.com, it caches the DNS A record for x.com (the IP) and then keeps using that local copy instead of sending a DNS request each time.
This means that all requests to x.com for a browser session will be sent to the same IP address. Unfortunately, there's an attack: if the IP that was "pinned" stops responding, the browser throws away the pinning and issues another DNS request.
If the two IPs are different, the browser will still see pages from both IPs as being in the same domain, and thus in the same origin -- scripts from one will have full access to content from the other.
This means that an attacker who controls the DNS records for x.com can put his IP first and the real x.com's IP second in the list of A records. Then, at will, he can instruct his server to quit responding to requests. This allows him to force clients to go from using his version of x.com to the real one. The result: scripts served by his version of x.com can access content on the real x.com. Browsers' Same Origin policies do nothing to fix this (in my opinion, they aren't supposed to).
What is this if not motivation to make DNS much more secure, since it is considered an authority!
Link to more info
I installed some Mac OS X updates today, and after they finished I was asked to restart my computer... so being the faithful computer user I am, I did. When I brought FireFox back up after rebooting, an advertisement for Registry Cleaner popped up warning me that my registry needs to be cleaned. Now, I have FireFox set up to remember the sites I was visiting when it is closed, but I don't recall seeing this before rebooting... also, the two pages I was viewing did not come back.
