Tuesday, January 19, 2016

What is DNS Cache Poisoning?

When we want to visit a website, we simply type its URL in the browser's address bar and the webpage loads. We do not need to memorize the IP address of the website. The translation of the domain name into an IP address that happens behind the scenes is called Domain Name Resolution, and the servers responsible for it are called DNS Servers.

How Domain Name Resolution Works

When we type a URL of a website in the address bar of the browser, our computer contacts Domain Name Servers, or DNS Servers, to resolve the IP address of the website. The global DNS system is coordinated by ICANN, the Internet Corporation for Assigned Names and Numbers. Normally, our computer uses a DNS Server operated by our ISP, or Internet Service Provider.

So our computer sends a DNS query containing the domain name to the DNS Server, and the DNS Server responds with the corresponding IP address. Using this IP address, our browser connects to the website and opens it.

What is DNS Cache

The Internet does not have a single DNS Server, because that would be very inefficient. Instead, our ISP runs its own DNS Servers, which cache information obtained from other DNS Servers. Our home router has its own DNS Server, which caches information from the ISP's DNS Servers. And our computer has a local DNS cache, which stores the responses to previous DNS queries made by the computer.

The function of a DNS cache is to store the responses to previously made DNS queries, so that the next time the same query is made, the resolver does not have to contact the DNS Servers again. Instead, it can retrieve the IP address from its cache.

What is DNS Cache Poisoning

A DNS Cache is said to be poisoned when it stores a malicious entry instead of a valid one. For example, if we type google.com for the first time, our computer will make a DNS query to the appropriate DNS Server, and once it gets a response, it will store the IP address of google.com in its DNS Cache along with an expiry time up to which the entry remains valid.

Within that time, if we type google.com again, our computer will look up the entry in its DNS Cache instead of querying the DNS Server.

Suppose our computer has made a DNS query and is waiting for a response from the DNS Servers. But instead of an authentic response, it gets a response containing the IP address of the attacker's website. Its DNS Cache is now poisoned, and from then on, whenever the computer tries to resolve the IP address of the same URL, it will end up at the attacker's website.

In the same way, the DNS Cache of any DNS Server may also get poisoned, because the ISP's DNS Server gets responses from other DNS Servers and stores them in its cache. If that cache is poisoned, the same poisoned entry will spread to all home routers that rely on it, and from them to all the computers behind them.

How Is DNS Cache Poisoning Done

When our computer makes a DNS query, it has to wait a certain amount of time before it gets a response from the DNS Servers. Within that window, if the attacker's DNS Server sends a malicious response to the computer, the computer will not be able to recognize that it is a fraudulent response. And if the attacker's DNS Servers send many such fraudulent responses, the computer will be tricked into accepting one of the fraudulent responses as the authentic one, because the authentic DNS Server sends only a single response.

As a result, the computer will discard the response from the authentic DNS Server and store the malicious response in its DNS Cache instead. The computer's DNS Cache is now poisoned, so from then on, whenever the computer tries to open the same URL, it will end up at the malicious website controlled by the attacker. In the same way, the caches of other DNS Servers may also get poisoned.

Purpose of DNS Cache Poisoning

An attacker may have many nefarious purposes behind DNS Cache Poisoning. One such purpose may be Pharming, in which a lot of innocent traffic is forwarded to a website to generate advertising revenue illegitimately. For example, you may type facebook.com and end up on a website full of pop-ups and advertisements, controlled by attackers to generate revenue.

Another purpose may be Phishing. In that case, the attacker creates a website that looks like a legitimate one and asks for the user's real username and password. The attacker can then use those credentials to hijack the account and carry out other malicious activity.

A third purpose may be spreading malware. Once the malicious website opens, it can infect the computer merely on a visit, using a Drive-By Download.

We can take several steps to mitigate DNS Cache Poisoning attacks.

  • Organizations should configure their DNS Servers to limit trust relationships with other DNS Servers. This makes it difficult for attackers to use their own fraudulent DNS Servers for malicious purposes.
  • DNS Servers running BIND 9.5.0 or higher include features that help prevent DNS Cache Poisoning attacks.
  • IT teams should configure their DNS name servers to limit recursive queries, store only data related to the requested domain, and restrict query responses to information about the requested domain only.
  • DNS Servers should not run any services that are not needed. Extraneous services running on a DNS Server can make a DNS Cache Poisoning attack easier.
  • Use a good firewall that can detect DNS Cache Poisoning.
  • Update firmware and software with the most recent security patches, so that fewer security vulnerabilities remain.
  • The time period of each entry in the DNS Cache should be short, so that an entry does not stay around for long. This reduces the window during which a poisoned entry can be used.
  • The most effective prevention mechanism for DNS Cache Poisoning is DNSSEC, or Domain Name System Security Extensions. In DNSSEC, responses from DNS Servers are validated with digital signatures and cryptographic keys. As attackers cannot duplicate the cryptographic keys, it becomes very difficult for them to introduce fraudulent DNS Servers and poison the DNS cache with malicious responses.
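To make the race described under "How Is DNS Cache Poisoning Done" and the "store only data related to the requested domain" mitigation concrete, here is an added example (not from the original article): a toy Python stub resolver in a naive and a hardened configuration, fed a forged reply and then the authentic one. The names, addresses and the simplified in_bailiwick helper are constructed for the example; the randomized ID and port, the source/port/question matching and the bailiwick rule are the checks real resolvers apply.

```python
import secrets
from collections import namedtuple
# A reply as the resolver sees it: ID, sender address, resolver port it was sent to, question name, records.
Response = namedtuple("Response", "txid src_ip dst_port qname records")

def in_bailiwick(name, qname):
    zone = ".".join(qname.split(".")[-2:])   # simplified: last two labels of the queried name form the zone
    return name == zone or name.endswith("." + zone)

class Resolver:
    def __init__(self, hardened):
        self.hardened = hardened
        self.cache, self.pending = {}, {}   # name -> IP; txid -> (qname, server, port)
        self.rejected = 0                   # dropped replies: a spike here is worth alerting on

    def query(self, qname, server_ip):
        # Naive: predictable ID and fixed port. Hardened: both randomized.
        txid = secrets.randbelow(1 << 16) if self.hardened else 1
        port = 1024 + secrets.randbelow(64512) if self.hardened else 53
        self.pending[txid] = (qname, server_ip, port)
        return txid, port

    def receive(self, r):
        """Return True if the reply was accepted into the cache."""
        expected = self.pending.get(r.txid)
        if expected is None:
            self.rejected += 1
            return False
        qname, server_ip, port = expected
        if self.hardened:
            # Reply must come from the server asked, to the port used, for the question sent.
            if (r.src_ip, r.dst_port, r.qname) != (server_ip, port, qname):
                self.rejected += 1
                return False
            # Store only data related to the requested domain (bailiwick rule).
            r = r._replace(records={n: ip for n, ip in r.records.items() if in_bailiwick(n, qname)})
        del self.pending[r.txid]            # first matching reply wins; later ones are dropped
        self.cache.update(r.records)
        return True

def demo(hardened):
    """The race from the article, with constructed documentation-range addresses."""
    res = Resolver(hardened)
    txid, port = res.query("www.example.com", "198.51.100.53")
    poison = {"www.example.com": "203.0.113.9", "bank.example.net": "203.0.113.9"}
    # Forged reply from the attacker's address to the default port, assuming the ID was guessed.
    res.receive(Response(txid, "203.0.113.9", 53, "www.example.com", poison))
    # Authentic reply; it also carries an out-of-zone record that must not be cached.
    res.receive(Response(txid, "198.51.100.53", port, "www.example.com", {"www.example.com": "192.0.2.10", "evil.example.net": "192.0.2.99"}))
    return res.cache, res.rejected
```

Running demo(False) leaves both poisoned names in the cache and drops the real answer, while demo(True) rejects the forgery and caches only the in-zone record from the authentic reply.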

This was another article to make you aware of DNS Cache Poisoning. Hope you liked it.