DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain.
The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within browsers. However, the same attacks can also be performed against web proxies, where browser DNS pinning does not apply. Corporate web users accessing the Internet via a proxy are at risk from such attacks.
There are various ways in which DNS-based attacks against web proxies could potentially be prevented through changes to proxy and browser software. Each of the fixes considered suffers from important shortcomings. In the meantime, there are other defences that organisations and individuals can employ to prevent attacks against them.
Author: Dafydd Stuttard, Principal Security Consultant
