responses from other DNS servers, and it stores the responses in its cache. If that cache is poisoned, the same poisoned entry will spread to all home routers and from them to all computers.
How does the DNS cache poisoning work?
When our computer makes a DNS query, it has to wait for a certain amount of time before it gets a response from the DNS servers. Within that time, if the attacker’s DNS server sends a malicious response to the computer, the computer will not be able to recognize that it is a fraudulent response. And, if the attacker’s DNS servers send multiple such fraudulent responses, then the computer will be tricked into considering those fraudulent responses as the authentic ones. The authentic DNS server will send a single response only.
As a result, the computer will discard the response from the authentic DNS server and store the malicious response in its DNS cache instead. And now, the computer’s DNS cache is poisoned. So, next time onwards, whenever the computer tries to open the same URL, it will end up being on the malicious website controlled by the attacker. In a similar way, the cache of other DNS servers also may get poisoned.
The purpose of DNS cache poisoning
An attacker may have many nefarious purposes behind DNS Cache Poisoning. One such purpose may be pharming (What is pharming and how to prevent it?), in which lots of innocent traffic is forwarded to a website to generate advertising revenue illegitimately. For example, you may type facebook.com and end up being a website full of pop-ups and advertisements and controlled by hackers to generate monetary revenues.
Another purpose may be phishing (What is phishing and how to prevent it?). In that case, the attacker may create a website that looks like a legitimate website and asks for the actual username and password. The attackers can use those credentials for hacking the account and perpetrate other malicious activities.
And, the other purpose may be spreading malware. If a malicious website opens up, it can easily spread malware using drive-by download (What is a drive-by download ?), even when we do not initiate any download from the website.
How to prevent DNS cache poisoning?
We can take some steps to mitigate the DNS cache poisoning attack.
- Organizations should configure their DNS servers to limit trust relationships with other DNS servers. This will make it difficult for the attackers to use their fraudulent DNS servers for malicious purposes.
- Domain Name Systems that use BIND 9.5.0 or higher include features that help prevent the DNS Cache Poisoning attack.
- IT teams should configure their DNS name servers to limit recursive queries, store only data related to the requested domain and restrict query responses to only provide information about the requested domain.
- DNS Servers should not run any services that are not needed. Extraneous services running on the DNS Server can make the DNS Cache Poisoning attack easier.
- Use a good firewall that can detect DNS cache poisoning.
- Update firmware and software with the most recent security patches so that security vulnerabilities are fewer.
- The time period of each DNS entry should be short in the DNS cache so that an entry does not stay longer. This will reduce the chances of using a poisoned DNS cache.
- The most effective prevention mechanism for DNS cache poisoning is to use DNSSEC or Domain Name System Security Extensions (What is DNSSEC and how does it work?). In DNSSEC, responses from DNS Servers are validated with digital signatures and cryptographic keys. As it will not be possible for attackers to duplicate cryptographic keys, it will be very difficult for attackers to introduce fraudulent DNS servers to poison the DNS cache with malicious responses.
This is an introductory article on DNS cache poisoning. Interested readers who want to know more about various malware and cyberattacks may want to refer to the book “A Guide To Cyber Security.”
Security Fundamentals Practice Tests
The Security Fundamentals Practice Tests test one’s fundamental knowledge of cyber security. The practice tests are good for those who are preparing for various certification exams like the CCNA, CCNP, or CompTIA. They are also good for students and IT/security professionals who want to improve their understanding of cybersecurity.
0 Comments