Christian Matthies has posted up an explanation of DNS Pinning attacks. While this article is really cool and informative, there are a couple of caveats.
First, this is a great article for people who are already familiar with DNS Pinning, since the author uses “Anti DNS Pinning” and “DNS Pinning” a lot, and it gets confusing which one he is actually talking about in each example. DNS Pinning is a web browser's behavior of caching the result of a DNS lookup until the window (or all windows of that browser) is closed. Any admin supporting DNS or web servers has experienced this behavior: “That should work…did you hit refresh? Oh wait, close all your browser windows first and retry. Yup, that did it!” Christian then explains Anti DNS Pinning, a way to get around this caching so that an attacker can redirect users without their knowledge by leveraging browser behavior together with changes to DNS entries.
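As an added illustration (not code from Christian's article or from this post), here is a small Python model of the pinning behavior described above, next to the resolver-side check that defends against rebinding when a browser does not pin; the hostname, addresses and DNS table are constructed.

```python
import ipaddress

# Constructed DNS data: the answer a name gives at the victim's first lookup.
INITIAL_DNS = {"attacker.example": "203.0.113.10"}

# Address ranges a resolver-side rebind guard refuses to hand back for
# names resolved from the Internet (what dnsmasq's --stop-dns-rebind does).
# IPv4 only, to keep the example short.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


class PinningBrowser:
    """Keeps the first answer for each hostname until every window is closed,
    ignoring the record's TTL: the 'DNS pinning' behavior described above."""

    def __init__(self, dns_table):
        self.dns_table = dns_table   # the live DNS view (constructed)
        self.pins = {}               # hostname -> pinned IP

    def resolve(self, host):
        if host not in self.pins:
            self.pins[host] = self.dns_table[host]
        return self.pins[host]

    def close_all_windows(self):
        self.pins.clear()            # only a restart drops the pins


def rebind_guard(answer):
    """Return True if a resolver should pass this answer on, False if the
    record points into a private/loopback range and should be dropped."""
    ip = ipaddress.ip_address(answer)
    return not any(ip in net for net in BLOCKED_NETS)


def demo():
    dns = dict(INITIAL_DNS)
    browser = PinningBrowser(dns)
    first = browser.resolve("attacker.example")       # pinned: 203.0.113.10
    # The record is now changed to an internal address (constructed), the
    # step the Anti DNS Pinning scenario in the post relies on.
    dns["attacker.example"] = "10.0.0.5"
    pinned = browser.resolve("attacker.example")      # still 203.0.113.10
    guarded = rebind_guard(dns["attacker.example"])   # False: resolver drops it
    browser.close_all_windows()
    after_restart = browser.resolve("attacker.example")  # 10.0.0.5 if unguarded
    return first, pinned, guarded, after_restart
```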
Second, while several web security researchers would like to say this is a Big Deal, for now I consider this an exotic attack. Christian mentions it can be used to attack internal servers, but that requires significant knowledge, and I don’t think most corporations will have to care yet. Still, there is always the potential for something like this to become a common attack method in the future.
The takeaways from this are to know what DNS Pinning means, what Anti DNS Pinning means, and that there is still a grey area firmly between network and web security when it comes to DNS manipulation.
network security and web security are both application security problems in my mind. design things right and fix the code!
and since when has anything in information security NOT been gray area?
most web application security problems are today considered exotic. in one or two years everyone will be asking the questions, “How come my credit card got stolen and there is no virus on my computer or any evidence of a break in at all?”, “Why did my company get all of its source code published on BitTorrent when we have the most expensive firewalls and AV stuff in the world and scan/patch more than regularly?”
the common future answer will likely be: “because you totally ignored web application security”
also see: PCI DSS
People ask those questions now. And yeah, it’s all grey area and no grey area; kinda depends on how you want to look at it, really.
PCI DSS is only going to help the lowest networks. It’s sadly going to eventually be met with more of those questions. “I’m PCI compliant, how did someone get all those database tables!”