[arin-ppml] ARIN-prop-167 Removal of Renumbering Requirement for Small Multihomers

William Herrin bill at herrin.us
Thu May 3 09:09:56 EDT 2012


On 5/3/12, Jimmy Hess <mysidia at gmail.com> wrote:
> DNS pinning beyond a normal DNS TTL period would be an anomaly, and
> is likely a unique issue to be addressed by the end user (by
> rebooting their equipment).

Due respect Jimmy, read up on DNS pinning. The whole point is to hold
the first IP address beyond the TTL. It's the solution to a
particularly nasty javascript vulnerability.

Roughly speaking, Javascript limits outbound connections to the server
from which the javascript came. If it didn't, going to a web
page with javascript could result in an address scan of the interior
of the firewall where the web browser sits.

It didn't take too long for someone to figure out that by altering the
IP address associated with a DNS name back and forth between the
external (real) server address and various addresses suspected to be
inside the target's firewall, an attacker could sidestep Javascript's
security.

So along comes DNS pinning. Once javascript is running on a page, that
IP address is locked in. Some browsers are smart enough to allow a new
lookup once the user takes an action which would cause the javascript
program to terminate. Others lock it in as long as anything from that
server is up in any window. Still others made the simplest choice: the
address is locked in so long as the browser is running.

There's still an open hole when the target is behind a configured web
proxy but that's a low enough probability event to discourage the
general attack vector. Also it only really applies to configured
proxies, not the more common transparent proxies.


> Browser windows don't get left open for 3 months. Even if the DNS
> pinning _DID_ happen to be broken in some version of a major browser
> in use by users; that can be addressed by the amount of time that
> the renumbering is performed over.

Depends on the user. I have plenty of browser windows on my desktop
that have been open for more than a month. They generally stay open
until either the browser becomes choppy enough that I decide to
restart it or until the OS becomes unstable enough that I give up on
suspend/restore.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
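
The pinning behaviour described in the message above, as an added JavaScript sketch that is not part of the original post and is not any browser's actual code. The class names, release events, host name and addresses are all constructed assumptions; it compares a TTL-honouring cache with a pinning cache against an alternating record and against a renumbered server.

```javascript
// Added illustration: class names, events and addresses are constructed.
// Release events, weakest to strongest, mirror the three browser behaviours above.
const EVENTS = ["script-ended", "all-windows-closed", "browser-exit"];

// Baseline cache that honours the TTL in each answer.
class TtlResolver {
  constructor(lookup) { this.lookup = lookup; this.cache = new Map(); }
  resolve(host, now) {
    const hit = this.cache.get(host);
    if (hit && now < hit.expires) return hit.ip;
    const { ip, ttl } = this.lookup(host, now);
    this.cache.set(host, { ip, expires: now + ttl });
    return ip;
  }
}

// Pinning cache: the first answer is held regardless of TTL until a release event.
class PinningResolver {
  constructor(releaseOn, lookup) {
    this.releaseAt = EVENTS.indexOf(releaseOn);
    if (this.releaseAt < 0) throw new Error("unknown release event: " + releaseOn);
    this.lookup = lookup;
    this.pins = new Map();
  }
  resolve(host, now) {
    if (!this.pins.has(host)) this.pins.set(host, this.lookup(host, now).ip);
    return this.pins.get(host);
  }
  // A stronger event also releases pins held under a weaker policy.
  notify(event, host) {
    if (EVENTS.indexOf(event) < this.releaseAt) return;
    if (event === "browser-exit") this.pins.clear(); else this.pins.delete(host);
  }
}

// Constructed zone 1: the record alternates between an outside and an inside address.
const flipFlop = (host, now) =>
  ({ ip: now % 2 === 0 ? "203.0.113.10" : "192.168.1.1", ttl: 1 });
// Constructed zone 2: the server is renumbered at t=100 (TTL 300 seconds).
const renumbered = (host, now) =>
  ({ ip: now < 100 ? "198.51.100.7" : "198.51.100.200", ttl: 300 });

const trace = (resolver, host, times) => times.map((t) => resolver.resolve(host, t));

console.log(trace(new TtlResolver(flipFlop), "site.example", [0, 1, 2, 3]));
console.log(trace(new PinningResolver("browser-exit", flipFlop), "site.example", [0, 1, 2, 3]));
```

With the renumbered zone, a pinning resolver keeps returning the old address long after the 300-second TTL until its release event fires, which is the renumbering concern raised in this thread.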


