When we want to visit a website, we simply type its URL in the address bar of the browser and the webpage loads. We do not need to memorize the IP address of the website. The process of translating the website's name into its IP address is called Domain Name Resolution, and the servers responsible for it are called DNS Servers.
How Domain Name Resolution Works
When we type the URL of a website in the address bar of the browser, our computer contacts the Domain Name Servers, or DNS Servers, to resolve the IP address of the website. These DNS Servers are coordinated by ICANN, the Internet Corporation for Assigned Names and Numbers. Normally, our computer uses a DNS Server provided by our ISP, or Internet Service Provider.
So, our computer sends a DNS query containing the name from the URL to the DNS Server, and the DNS Server responds with the proper IP address. Using this IP address, our browser then opens the website.
What is DNS Cache
The Internet does not have a single DNS Server, because that would be very inefficient. Instead, our ISP runs its own DNS Servers, which cache information from other DNS Servers. Our home router has its own DNS Server, which caches information from the ISP's DNS Servers. And our computer has a local DNS cache, which stores the responses to previous DNS queries made by the computer.
The function of a DNS cache is to store the responses to previously made DNS queries, so that the next time the same DNS query is made, the computer does not have to contact the DNS Servers again. Instead, it can retrieve the IP address from its cache.
What is DNS Cache Poisoning
A DNS Cache is said to be poisoned when it stores a malicious entry instead of a valid one. For example, if we type google.com for the first time, our computer will make a DNS query to the appropriate DNS Server, and once it gets a response, it will store the IP address of google.com in its DNS Cache along with a time up to which the entry remains valid. Within that time, if we type google.com again, our computer will look up the entry in its DNS Cache instead of querying again.
Suppose our computer has made a DNS query and is waiting for a response from the DNS Servers. But instead of an authentic response, it gets a response containing the IP address of the attacker's website. Its DNS Cache is now poisoned, and from then on, whenever the computer tries to resolve the IP address of the same URL, it will end up at the attacker's website.
In a similar way, the DNS Cache of any DNS Server may also get poisoned. An ISP's DNS Server gets responses from other DNS Servers and stores those responses in its cache. If that cache is poisoned, the same poisoned entry will spread to all home routers that use it, and from them to all computers.
How Is DNS Cache Poisoning Done
When our computer makes a DNS query, it has to wait a certain amount of time before it gets a response from the DNS Servers. Within that time, if the attacker's DNS Server sends a malicious response to the computer, the computer is not able to recognize that it is a fraudulent response. And if the attacker's DNS Servers send many such fraudulent responses, the computer will be tricked into accepting one of those fraudulent responses as the authentic one, because the authentic DNS Server sends only a single response.
As a result, the computer discards the response from the authentic DNS Server and stores the malicious response in its DNS Cache instead. Now the computer's DNS Cache is poisoned, and from then on, whenever the computer tries to open the same URL, it will end up at the malicious website controlled by the attacker. In a similar way, the caches of other DNS Servers may also get poisoned.
Purpose of DNS Cache Poisoning
An attacker may have many nefarious purposes behind DNS Cache Poisoning. One such purpose may be Pharming, in which a lot of innocent traffic is forwarded to a website to generate advertising revenue illegitimately. For example, you may type facebook.com and end up at a website full of pop-ups and advertisements, controlled by hackers to generate monetary revenue.
Another purpose may be Phishing. In that case, the attacker creates a website that looks like a legitimate one and asks for the victim's actual username and password. The attacker can then use those credentials to hack the account and carry out other malicious activities.
And another purpose may be spreading malware. If a malicious website opens up, it can easily spread malware on a mere visit to the website, using a Drive-By Download.
Mitigation
We can take several steps to mitigate DNS Cache Poisoning attacks.
- Organizations should configure their DNS Servers to limit trust relationships with other DNS Servers. This makes it difficult for attackers to use their own fraudulent DNS Servers for malicious purposes.
- Domain Name Systems that use BIND 9.5.0 or higher include features that help in preventing DNS Cache Poisoning attacks.
- IT teams should configure their DNS name servers to limit recursive queries, store only data related to the requested domain, and restrict query responses to only provide information about the requested domain.
- DNS Servers should not run any services that are not needed. Extraneous services running on a DNS Server can make a DNS Cache Poisoning attack easier.
- Use a good firewall which can detect DNS Cache Poisoning.
- Update firmware and software with the most recent security patches, so that fewer security vulnerabilities remain.
- The lifetime of each entry in the DNS Cache should be short, so that an entry does not persist for long. This reduces the window in which a poisoned DNS cache can be used.
- The most effective prevention mechanism for DNS Cache Poisoning is to use DNSSEC, or Domain Name System Security Extensions. In DNSSEC, responses from DNS Servers are validated with digital signatures and cryptographic keys. As it is not possible for attackers to duplicate the cryptographic keys, it becomes very difficult for them to introduce fraudulent DNS Servers and poison the DNS cache with malicious responses.
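To make the race described under "How Is DNS Cache Poisoning Done" and the mitigation list above concrete, here is an added example (not code from the article) of the checks a caching resolver applies before it trusts a UDP answer: the answer must match the pending query's transaction ID, question, server address and randomised source port, only records inside the queried server's bailiwick are kept, and TTLs are capped so a bad entry cannot linger. The class and function names and all sample values are constructed for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PendingQuery:          # what the resolver remembers while waiting
    txid: int                # 16-bit transaction ID chosen for this query
    qname: str
    qtype: str
    server: tuple            # (ip, port) the query was sent to
    src_port: int            # randomised UDP source port of the query
    bailiwick: str           # zone the queried server is authoritative for

@dataclass
class Response:
    txid: int
    qname: str
    qtype: str
    src: tuple               # (ip, port) the answer arrived from
    dst_port: int            # port the answer arrived on
    records: list = field(default_factory=list)  # (owner, type, rdata, ttl)

def in_bailiwick(owner: str, zone: str) -> bool:
    # True if owner equals zone or lies below it (case-insensitive)
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def accept_response(q: PendingQuery, r: Response, max_ttl: int = 3600) -> list:
    # Returns the records that may be cached, or [] if the answer is rejected.
    # A guessed answer has to match ID, question, server and port all at once.
    if (r.txid, r.qname.lower(), r.qtype) != (q.txid, q.qname.lower(), q.qtype):
        return []
    if r.src != q.server or r.dst_port != q.src_port:
        return []
    cacheable = []
    for owner, rtype, rdata, ttl in r.records:
        # keep only data for the domain the server is responsible for,
        # and cap the TTL so a bad entry cannot stay in the cache for long
        if in_bailiwick(owner, q.bailiwick):
            cacheable.append((owner, rtype, rdata, min(ttl, max_ttl)))
    return cacheable

# Constructed sample data (not from the article)
QUERY = PendingQuery(0x1A2B, "www.example.com.", "A", ("192.0.2.53", 53),
                     40123, "example.com.")
GOOD = Response(0x1A2B, "www.example.com.", "A", ("192.0.2.53", 53), 40123, [
    ("www.example.com.", "A", "192.0.2.10", 300),
    ("ns1.example.com.", "A", "192.0.2.2", 86400),
    ("login.example.net.", "A", "198.51.100.9", 86400),  # outside bailiwick
])
SPOOFED = Response(0x1A2B, "www.example.com.", "A", ("192.0.2.53", 53), 40999,
                   [("www.example.com.", "A", "198.51.100.7", 86400)])  # wrong port
```

Run with `python3 -c "import example; print(example.accept_response(example.QUERY, example.GOOD))"`: the out-of-bailiwick record is dropped and the 86400-second TTL is capped, while the same call with `SPOOFED` returns an empty list.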
This was another article to make you
aware of DNS Cache Poisoning. Hope you liked it.