Over the last several days, Portswigger and I have been going back and forth about something he's been working on: circumventing proxies using anti-DNS pinning. A lot of users sit behind proxy servers at work. The uses are varied, but include things like content caching or content filtering. The problem is that the client, which does a fairly good (albeit not great) job of preventing anti-DNS pinning attacks, is not in control of DNS resolution when a proxy is in use; the proxy is.
Now you can take a huge leap and guess that the proxy is vulnerable to anti-DNS pinning attacks, and you'd be right. The bad news is that the people most vulnerable to this are corporations trying to protect their intranet. While the Host header is still not spoofable, the rest falls into place nicely, because proxies often honor the DNS TTL rather than pinning a resolved address to a user or session (what would a session even mean to a proxy, anyway?). Portswigger wrote up a nice paper on the topic, and even talked about a few proxies that are vulnerable (the most notable being Squid).
He also mentions a few mitigation techniques in the proxy server, or how proxies could even help with this issue in some ways (not fix, but help), for example by caching a resolved address for longer than the TTL the DNS server claims it should be cached. That could cause other problems, of course, but it's an interesting theory. I have a feeling there is more to come here.