Sunday, December 17, 2006

dynamic pharming

I just learned what DNS pinning is and how it can be defeated when a domain is associated with multiple DNS A records.

The basic idea of DNS pinning is that when your browser loads something from x.com, it caches the DNS A record for x.com (the IP) and then keeps using that local copy instead of sending a DNS request each time.

This means that all requests to x.com for a browser session will be sent to the same IP address. Unfortunately, there's an attack: if the IP that was "pinned" stops responding, the browser throws away the pinning and issues another DNS request.

If the two IPs are different, the browser will still see pages from both IPs as being in the same domain, and thus in the same origin -- scripts from one will have full access to content from the other.

This means that an attacker who controls the DNS records for x.com can put his IP first and the real x.com's IP second in the list of A records. Then, at will, he can instruct his server to quit responding to requests. This forces clients to drop the pin and go from using his version of x.com to the real one. The result: scripts served by his version of x.com can access content on the real x.com, because the browser treats both as the origin x.com. Browsers' Same Origin policies do nothing to fix this (in my opinion, they aren't supposed to).
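To make the mechanism concrete, here is a small simulation of the pin/drop behaviour described above, together with two origin checks: the host-only check browsers used (which merges the two servers into one origin) and a stricter host-plus-IP check that keeps them apart. This is an added example, not code from the original post; the hostname x.com is the post's, while the IP addresses, the record ordering and the class and function names are constructed for illustration.

```python
"""Simulation of browser DNS pinning and the pin drop described in the post.

Added example, not code from the original post. The IP addresses and the
A-record list are constructed; x.com is the post's placeholder hostname.
"""

from dataclasses import dataclass, field


@dataclass
class PinningResolver:
    """Models a browser that pins the first A record it connected to."""
    records: dict            # host -> ordered list of A-record IPs (constructed)
    reachable: set           # IPs that currently answer connections
    pins: dict = field(default_factory=dict)  # host -> pinned IP for this session

    def connect(self, host):
        """Return the IP the browser would talk to for `host`.

        A live pin is reused. If the pinned IP has stopped responding, the
        pin is discarded and the host is resolved again, taking the first
        A record that still answers."""
        pinned = self.pins.get(host)
        if pinned is not None and pinned in self.reachable:
            return pinned
        for ip in self.records.get(host, []):
            if ip in self.reachable:
                self.pins[host] = ip
                return ip
        raise ConnectionError(f"no reachable A record for {host}")

    def end_session(self):
        """Closing the browser drops every pin."""
        self.pins.clear()


def same_origin_by_host(a, b):
    """Classic same-origin check: scheme, host and port only."""
    return (a["scheme"], a["host"], a["port"]) == (b["scheme"], b["host"], b["port"])


def same_origin_by_host_and_ip(a, b):
    """Stricter check (a mitigation idea, not what browsers of the time did):
    pages fetched from different IPs are different origins, so a pin drop
    cannot merge two servers into one origin."""
    return same_origin_by_host(a, b) and a["ip"] == b["ip"]


def run_scenario():
    """Walk through the pin drop and report which origin policy keeps
    the two servers apart. Returns a dict so the steps can be inspected."""
    first_record, second_record = "198.51.100.10", "203.0.113.20"  # constructed
    browser = PinningResolver(
        records={"x.com": [first_record, second_record]},
        reachable={first_record, second_record},
    )
    first_ip = browser.connect("x.com")       # pinned to the first record
    browser.reachable.discard(first_ip)       # that server stops answering
    second_ip = browser.connect("x.com")      # pin dropped, host re-resolved
    page_a = {"scheme": "http", "host": "x.com", "port": 80, "ip": first_ip}
    page_b = {"scheme": "http", "host": "x.com", "port": 80, "ip": second_ip}
    return {
        "first_ip": first_ip,
        "second_ip": second_ip,
        "host_only_same_origin": same_origin_by_host(page_a, page_b),
        "host_and_ip_same_origin": same_origin_by_host_and_ip(page_a, page_b),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The host-only check reports the two pages as the same origin even though they came from different servers, which is exactly the gap the post describes; the host-plus-IP variant is one way a client could close it, at the cost of breaking legitimate setups where one hostname is served by several IPs.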

What is this if not motivation to make DNS much more secure, since browsers treat it as an authority!

Link to more info

3 comments:

Anonymous said...

won't a person's site always be vulnerable to the person who has access to their DNS? that seems like saying that a person's house is not secure to the contractor who built it because he installed the doors. maybe i'm missing something here. perhaps i should just do another bong hit and watch more comedy central

word to the motha

StubbyElvis

Anonymous said...

"The basic idea of DNS pinning is that when your browser loads something from x.com, it caches the DNS A record for x.com (the IP) and then keeps using that local copy instead of sending a DNS request each time."

How long does the DNS remain cached?

Sid Stamm said...

The DNS is pinned until either the browser session ends or an attempt to load data from the pinned IP times out.

So a pinned DNS record will expire when you close your browser. It will also expire if the host goes down.