DNS cache poisoning or DNS spoofing is the injection of fake entries into the DNS cache to redirect users to malicious sites.
DNS spoofing is the result of vulnerabilities that allow attackers to send bogus DNS responses, which the Domain Name System (DNS) server then stores in its caches.
Typically, a compromised entry will redirect the user to a fake website that attackers use to commit criminal acts such as distributing malware or stealing credit card information, passwords, financial data, and other sensitive personal information.
When DNS cache poisoning occurs, the DNS cache server stores the illegal address provided by the attacker and then issues it to users requesting an authentic website. In most cases, this may look like a genuine website, making it harder for visitors to suspect that something is wrong.
Impact of DNS cache poisoning
DNS cache poisoning, also known as DNS spoofing, is usually difficult to detect and can have a large negative impact, especially on popular websites or web applications with large numbers of visitors or users. This poses a great risk, especially in industries such as banking, medicine, online shopping, e-commerce and others.
For example, suppose attackers manage to change the DNS records and IP addresses for Amazon. They will then point it to another server with a fake IP address that the attackers control or own. Anyone trying to access the genuine Amazon website will be redirected to the wrong address, which could contain malware to steal sensitive information.
In addition to websites, an attacker can insert a fake address for the mail server or other web applications such as banking applications. Hence, they will redirect all business email or transactions to the attacker’s server.
Since DNS changes are regularly propagated from one server to another, the poisoned cache can spread to other DNS servers and systems, resulting in significant damage.
For example, a fake entry can quickly spread to other machines, such as an ISP’s DNS servers, which then store it in their cache. From here, it extends to equipment near the user, such as browsers, mobile phones and routers, which will also store this fake entry in their caches.
How does DNS spoofing work?
Hackers can poison the DNS cache using a variety of methods.
During normal operation, DNS queries are usually stored or cached in a database that website users can query in real time. Typically, a DNS database has a list of Internet names and corresponding IP addresses. And it makes it easier to find and access websites using names rather than IP addresses, which can be very complicated and confusing.
For example, without a DNS system, users will have to remember the string of numbers that makes up the IP addresses for all the websites they want to visit or visit.
Unfortunately, DNS has several security flaws that attackers can exploit and insert fake Internet domain address records into the system. Typically, criminals send fake responses to the DNS server. The server then responds to the user who made the request, and at the same time the legitimate servers will cache the fake entry. Once the DNS caching server stores the bogus record, all subsequent requests for the now compromised record will receive the address for the server controlled by the attacker.
DNS cache poisoning involves inserting corrupted records into the DNS nameserver cache database, and attackers use different methods:
- When a user of a website or web application submits a request for a specific domain through a browser or online application, the DNS server first checks to see if the entry exists in the cache. If it is not saved, it will request information from the official DNS servers and then wait for a response. For some time, attackers can exploit this narrow latency period, temporarily assume the role of the original DNS, and issue a bogus response before the authorized server sends an authentic address. However, since the waiting period is usually very short, the success rate is very low.
- Another way is to send bogus responses from a DNS server posing as legitimate. Since there is usually no confirmation for DNS information, attackers can spoof a response from a DNS resolver when it queries a name server. This is also made possible by the fact that DNS servers use User Datagram Protocol (UDP) instead of TCP. DNS communication is usually insecure due to unencrypted information in UDP packets and lack of authentication. This allows attackers to easily change the responses and insert their fake addresses.
DNS vulnerabilities exploited by attackers
Security vulnerabilities in some web applications, as well as the lack of proper authentication of DNS records, make it easy for cybercriminals to compromise DNS responses and go undetected. Some of these vulnerabilities include;
Lack of verification and confirmation
DNS has a trusted design that does not require an IP address to be validated to verify its identity before sending a response. Since DNS resolvers do not validate the data in the cache, the invalid entry will remain there until it is manually removed or the TTL expires.
DNS server recursive vulnerability
When a recursive query is active, the DNS server receives the query and does all the work of finding the correct address and sending the response back to the user. If it does not have a cache entry, it will query other DNS servers on behalf of the client until it obtains an address and returns it to the user. Recursive query enablement is a security vulnerability that attackers can exploit to poison the DNS cache.
As the server looks for an address, it provides an attacker with the ability to intercept traffic and provide a bogus response. The recursive DNS server will then send a response to the user while storing the fake IP address in the cache.
Lack of encryption
Usually, the DNS protocol is not encrypted, and this allows attackers to intercept its traffic. In addition, servers do not check the IP addresses they are directing traffic to, so they cannot determine if it is genuine.
How to prevent DNS cache poisoning?
Monitoring DNS data in real time can help identify unusual patterns, user actions, or behaviors such as visiting malicious websites. Although it is difficult to detect a DNS cache infection, there are several security measures that companies and service providers can take to prevent it. Some of the measures that prevent DNS cache poisoning include using DNSSEC, disabling recursive queries, and more.
Set a limit on the level of trust
One of the vulnerabilities in DNS transactions is trust relationships between different DNS servers. This means that the servers do not authenticate the records they receive, which allows attackers to even send fake responses from their rogue servers.
To prevent attackers from exploiting this flaw, security groups must limit the level of trust their DNS servers have with others. Configuring DNS servers so that they do not rely on trust relationships with other DNS servers makes it difficult for cybercriminals to use their DNS servers to compromise records on legitimate servers.
Use DNSSEC protocol
Domain Name System Security Extensions (DNSSEC) use public key cryptography to sign DNS records, which adds validation functionality and allows systems to determine if an address is legitimate or not. This helps to validate and authenticate requests and responses and thereby prevent tampering.
In normal operation, DNSSEC will associate a unique cryptographic signature with other DNS information, such as CNAME and A records. The DNS resolver then uses this signature to authenticate the DNS response before sending it to the user.
Security signatures ensure that responses to requests that users receive are authenticated by the legitimate origin server. While DNSSEC can prevent DNS cache infection, it has disadvantages such as complex deployment, data disclosure, and zone enumeration vulnerability in earlier versions.
Use the latest DNS and BIND (Berkeley Internet Name Domain) software.
BIND version 9.5.0 or higher usually has advanced security features such as cryptographically secure transaction IDs and port randomization to help minimize DNS cache contamination. In addition, IT departments must keep their DNS software up to date and ensure that it is the most current and secure version.
In addition to the above, the following are other effective tools or techniques for preventing DNS spoofing:
- Configuring a DNS server to reply only with information related to the requested domain
- Make sure the cache server only stores data related to the requested domain
- Ensure HTTP is used for all traffic
- Disable DNS recursive query feature
DNS cache poisoning distracts domain users from malicious addresses from their intended target. Certain attacker-controlled servers can trick unsuspecting users into downloading malware or providing passwords, credit card information, and other sensitive personal information. To prevent this from happening, it is important to use security best practices.