web application security lab

Anti DNS Pinning Without Using a Firewall

A few days ago Kanatoko found a vulnerability in the DNS pinning used within modern web browsers that can be exploited by simply shutting down an open port. This is far easier than the previous technique of closing the connection using a firewall. Very tricky. Kanatoko also pointed to another issue, disclosed on bugzilla, regarding a different anti DNS pinning technique.

To paraphrase: the user connects to my machine, which has an IP address of 123.123.123.123. I use a Dynamic DNS server that tells the world that mydomain.dyndns.com is located at 123.123.123.123. When my DHCP lease expires I move to another IP, the dyndns.com record is updated to point to it, and the rest of the world can now find me. The one poor sap who was already on my page and whose browser has DNS pinned my old IP address will now submit their content to whomever takes over that IP address next, assuming they do so before the user is finished submitting the form (otherwise their DNS cache will flush and they’ll move on).

This is a tricky way for DynDNS users and other dynamic DNS users to compromise information from other servers. Of course it relies on the person who had your DNS entry before you a) having a webserver with forms and b) having traffic you’d want to compromise (since this is blind there’s no way to know ahead of time if you are interested in that traffic). Normally this wouldn’t be a problem for most websites because they don’t use this sort of DNS hacking, but it does point to some major flaws in how DNS is implemented and not necessarily just another browser flaw, as Kanatoko pointed out. Great find!
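The two behaviours described above are easy to confuse, so here is a small Python model of both, written for this page as an added example (it is not code from the post, from Kanatoko, or from the bugzilla report). A `Browser` either keeps its pin for the life of the page or, as Kanatoko observed, drops it when the pinned port refuses the connection; a `Network` holds what authoritative DNS currently answers and who is listening on each address. The name mydomain.dyndns.com and the address 123.123.123.123 come from the post; 192.0.2.50 is a constructed documentation address. The `Server.check_host` flag is an assumption added here to show the usual server-side defence: a host that receives a request whose Host header is not one of its own names should refuse it rather than process the form.

```python
"""Toy model of browser DNS pinning against a host whose IP changes.

Added example, not code from the original post. Addresses other than the
post's 123.123.123.123 are constructed; the Host-header check is an assumed
server-side defence, not something the post's dynamic-DNS host does.
"""
from dataclasses import dataclass, field

NAME = "mydomain.dyndns.com"          # the post's dynamic DNS name
OLD_IP = "123.123.123.123"            # the post's original address
NEW_IP = "192.0.2.50"                 # constructed: address after the new lease


@dataclass
class Server:
    names: set                        # hostnames this server believes it serves
    check_host: bool                  # refuse requests for names that are not ours
    received: list = field(default_factory=list)

    def handle(self, host_header, body):
        if self.check_host and host_header not in self.names:
            return "400 unknown Host"
        self.received.append((host_header, body))
        return "200 accepted"


@dataclass
class Network:
    dns: dict                         # name -> IP the authoritative DNS answers now
    listeners: dict                   # IP -> Server; absent means the port is closed


@dataclass
class Browser:
    net: Network
    drop_pin_on_refused: bool         # True models the behaviour Kanatoko found
    pins: dict = field(default_factory=dict)

    def target_ip(self, name):
        """Pin the first resolution; optionally re-resolve when the pin is unreachable."""
        ip = self.pins.setdefault(name, self.net.dns[name])
        if ip not in self.net.listeners and self.drop_pin_on_refused:
            ip = self.pins[name] = self.net.dns[name]
        return ip

    def post(self, name, body):
        """Return (address actually contacted, status)."""
        ip = self.target_ip(name)
        server = self.net.listeners.get(ip)
        if server is None:
            return ip, "connection refused"
        return ip, server.handle(name, body)


def stale_pin_scenario(inheritor_checks_host):
    """Bugzilla case: the name moves, but the pinned browser still posts to the old IP."""
    net = Network(dns={NAME: OLD_IP}, listeners={OLD_IP: Server({NAME}, True)})
    browser = Browser(net, drop_pin_on_refused=False)
    browser.post(NAME, b"page load")                 # pin established here
    net.dns[NAME] = NEW_IP                           # lease expired, name repointed
    net.listeners[NEW_IP] = Server({NAME}, True)
    inheritor = Server({"other.example"}, inheritor_checks_host)
    net.listeners[OLD_IP] = inheritor                # next tenant of the old address
    ip, status = browser.post(NAME, b"secret form data")
    return ip, status, inheritor.received


def dropped_pin_scenario():
    """Kanatoko case: pinned port shut down, so a lenient browser re-resolves."""
    net = Network(dns={NAME: OLD_IP}, listeners={OLD_IP: Server({NAME}, True)})
    strict = Browser(net, drop_pin_on_refused=False)
    lenient = Browser(net, drop_pin_on_refused=True)
    for b in (strict, lenient):
        b.post(NAME, b"page load")
    del net.listeners[OLD_IP]                        # port closed
    net.dns[NAME] = NEW_IP                           # DNS now answers differently
    net.listeners[NEW_IP] = Server({NAME}, True)
    return strict.post(NAME, b"x")[0], lenient.post(NAME, b"x")[0]


if __name__ == "__main__":
    print("stale pin, inheritor checks Host:", stale_pin_scenario(True)[:2])
    print("stale pin, inheritor accepts anything:", stale_pin_scenario(False)[:2])
    print("pin kept vs pin dropped after port close:", dropped_pin_scenario())
```

The stale-pin run shows the data leaving for 123.123.123.123 regardless of what the browser's DNS cache would say, and only a Host-checking tenant of that address turns it away; the dropped-pin run shows why a pin that evaporates on connection failure is no pin at all, since one closed port sends the next request wherever DNS answers now.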

2 Responses to “Anti DNS Pinning Without Using a Firewall”

  1. yawnmoth Says:

    The sla.ckers.org link links to a shampoo.antville.org URL that states, among other things, the following:

    “J. Grossman, RSnake, SPI Dynamics, pdp and others have demonstrated lately that it is possible for a malicious JavaScript
    a) to obtain the (internal) IP address of the hosting web browser,”

    I don’t recall reading about this. You can use *java* in javascript in gecko-based browsers (via java.*) to get the internal IP address, but, as far as I know, there’s no pure javascript solution, is there?

    I mean, most of the attacks on LANs that have been presented, thus far, on this blog, have relied on either brute forcing to find good IP addresses or simple guessing. Or am I mistaken?

  2. Martin J. Says:

    That is true. To get the internal you still need Java. Right now, there is no public method that only relies on JS.