DNS prefetching in web browsers

Date: December 07, 2010

Publication: Article

This month Apple released two new versions of Safari (5.0.3 and 4.1.3) fixing 27 vulnerabilities. One of these vulnerabilities (CVE-2010-3813) allows an attacker to force the browser to prefetch DNS requests, even if the DNS prefetching option has been disabled (see security advisory CERT-IST/AV-2010.545).

We thought it useful to describe the context of this vulnerability in an article dedicated to the DNS prefetching feature, in order to better understand it and to identify its impact on the security of IT systems.

Note: As a reminder, DNS (Domain Name System) is the protocol that allows a computer to obtain the IP address of a remote system (e.g. a web server) from its name. Each time you ask your web browser to connect to a web site, it issues a DNS request in order to obtain the IP address of the server. The DNS may thus be compared to a global directory service in which each Internet name is associated with an IP address.


Prefetching principle

Generally, prefetching is a feature whose goal is to optimize the use of resources. It takes advantage of idle periods to load information that might be needed later, so that this information is immediately available when it is requested.

DNS prefetching

Three types of DNS prefetching may be used by web browsers:

  • When loading an HTML page, the browser first identifies the links pointing to all the resources needed to process this page (images, stylesheets …). Then it performs the DNS resolution of all these links in parallel so that the results are available as early as possible.
    The expected result is a faster page processing and loading.
  • After it has loaded an HTML page, the browser looks for all links embedded in the page. Then, it requests the DNS resolution of these links and it stores the results in cache. When the user clicks on a link included in the page, the DNS resolution is already made.
    The expected result is a faster browsing experience for the user.
  • The developer of the HTML page identifies the links which have a high probability of being clicked by users, and asks the browser, by means of a specific tag applied to these links, to anticipate their DNS resolution. This technique reduces the number of useless DNS requests.
    Certain browsers (Chrome, Firefox from version 3.5) handle a link type that implements this method. This type of link is defined as follows:
    <link rel="dns-prefetch" href="//">.
    Note: This link definition type is not part of the HTML standard.
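
To see which names a page would expose through the three types of DNS prefetching described above, the following added example (not part of the original article) lists the off-site hostnames found in a page, grouped by type. The page URL, the sample HTML and all hostnames are constructed for the illustration.

```javascript
// Added example, not Cert-IST code. Regex tag scanning is a simplification for
// a quick audit; use a real HTML parser for hostile or malformed markup.
const PAGE_URL = 'http://www.example.test/news/index.html'; // constructed
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="dns-prefetch" href="//cdn.example.test">
<link rel="canonical" href="http://canonical.example.test/news/">
</head><body>
<img src="http://img.example.test/logo.png">
<a href="/about.html">About</a>
<a href="http://partner.example.test/offer">Offer</a>
<a href="mailto:info@example.test">Mail</a>
</body></html>`; // constructed sample page

// Parse the attributes of one start tag into a lower-cased name -> value map.
function attrs(tag) {
  const out = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return out;
}

// Group the off-site hostnames by the prefetching type that would resolve them.
function prefetchHosts(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const found = { subresource: new Set(), anchor: new Set(), hint: new Set() };
  const tagRe = /<(img|script|link|a)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const a = attrs(m[0]);
    const ref = name === 'img' || name === 'script' ? a.src : a.href;
    if (!ref) continue;
    let url;
    try { url = new URL(ref, pageUrl); } catch { continue; }
    // The page's own host is already resolved; non-HTTP schemes are not fetched.
    if (!/^https?:$/.test(url.protocol) || url.hostname === pageHost) continue;
    let kind = name === 'a' ? 'anchor' : 'subresource';
    if (name === 'link') {
      if (/\bdns-prefetch\b/i.test(a.rel || '')) kind = 'hint';
      else if (!/\bstylesheet\b/i.test(a.rel || '')) continue; // not loaded
    }
    found[kind].add(url.hostname);
  }
  return Object.fromEntries(Object.entries(found).map(([k, v]) => [k, [...v].sort()]));
}

console.log(prefetchHosts(SAMPLE_HTML, PAGE_URL));
```

Comparing this list with the DNS queries actually logged by a resolver shows how many of them come from links the user never followed.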

For information, the Chrome browser implements other types of DNS prefetching in order to give the user an impression of efficiency:

  • On startup, it resolves again the first ten domains to which the user connected at the last startup of the browser. The first clicks after each browser startup are consequently accelerated.
  • It automatically prefetches the DNS resolutions of the sites that are proposed by the auto-completion feature in the address and search bars.

The Safari, Chrome and Firefox web browsers implement the DNS prefetching feature. By default they use this technique for HTTP but not for HTTPS, but this configuration can be modified. Note that the Thunderbird 2.0 mail client also implements this feature.


Risks related to DNS prefetching

From a security point of view, the negative aspect of DNS prefetching is the large number of DNS queries it induces, which may give helpful information to an attacker for the development of potential attacks.
For instance, it is possible to imagine a malicious website that tracks users through links to specific domains within HTML pages, and by observing the DNS resolution requests made by the browser for these domains.

However, it is possible to get the same kind of information, more simply, by using specially crafted image tags or by embedding iframes into web pages.

For users having high security needs, it is possible to disable the DNS prefetching feature.


Link prefetching

The DNS prefetching concept can be extended to the prefetching of the resources referenced by the various links embedded in a web page. In this case, these resources (HTML page, image ...) are cached so that they can be used immediately when users request them.

This technique may appear user-friendly since it brings an almost immediate response to users’ requests, but it has many disadvantages:

  • It may cause high network bandwidth usage if a web page contains many references and links.
  • It substantially increases the costs of communication for users who pay for the amount of bandwidth they use.
  • It distorts web statistics because a page loaded in the background may never be seen by the user.
  • Certain links generate specific actions such as the disconnection from a web service. Prefetching such a link could cause a user to be disconnected from a service even though he has not requested such an action.
  • Finally, prefetching a web page in the background could cause the user's system to be infected with malware (drive-by download attack) if the prefetched page contained malicious code. In this situation, the web browser of the victim would be compromised in a completely invisible way, since the user has not clicked on any particular link when the infection occurs.
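
On the server side, the disconnection problem described above is avoided by never performing an action on a plain link fetch. The following added example (not part of the original article) shows that decision as a pure function; the route names and sample requests are hypothetical, and the request headers it checks are markers that some browsers attach to speculative loads, which the article does not mention.

```javascript
// Added example, not Cert-IST code. Routes below are hypothetical.
const STATE_CHANGING = new Set(['/logout', '/cart/empty']);

// True when the request carries a marker some browsers add to speculative
// loads ("X-moz: prefetch", "Purpose: prefetch", "Sec-Purpose: prefetch").
// Not every browser sends one, so this is only a hint.
function isPrefetch(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).toLowerCase();
  return h['x-moz'] === 'prefetch'
    || (h['purpose'] || '').includes('prefetch')
    || (h['sec-purpose'] || '').includes('prefetch');
}

// Decide the response for one request. The method check is the real control:
// prefetching follows links with GET, so an action bound to POST is never
// triggered by it, whether or not the request is marked.
function decide(method, path, headers = {}) {
  if (!STATE_CHANGING.has(path)) return { status: 200, note: 'no side effect' };
  if (isPrefetch(headers)) return { status: 403, note: 'speculative load refused' };
  if (method !== 'POST') return { status: 405, allow: 'POST', note: 'action requires POST' };
  return { status: 200, note: 'action performed' };
}

// Constructed sample requests.
const SAMPLES = [
  ['GET', '/news', {}],
  ['GET', '/logout', { 'X-moz': 'prefetch' }],
  ['GET', '/logout', {}],
  ['POST', '/logout', {}],
];
for (const [method, path, headers] of SAMPLES) {
  console.log(method, path, JSON.stringify(headers), '->', decide(method, path, headers).status);
}
```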

A draft of the HTML5 standard proposes to define a "prefetch" link type that could be used to ask the web browser to load and cache the resource pointed to by the link. This would allow the browser to prefetch only the resources specified by the author of the web page, in order to avoid loading resources unnecessarily and, in the same way, to prevent the browser from undesirably loading disconnection pages, advertisements, …

