What Is DNS Cache Poisoning? How It Works and Preventive Measures
DNS cache poisoning is the injection of false or forged entries into a DNS cache in order to divert users to malicious websites.
DNS cache poisoning is the result of vulnerabilities that allow criminals to send forged DNS responses, which the domain name server (DNS) then stores in its cache.
Usually, the compromised entry redirects the user to a fake website that the attackers use for criminal activities such as spreading malware or stealing credit card details, passwords, financial data, and other sensitive private information.
When DNS cache poisoning occurs, the DNS cache server stores the illegitimate address supplied by the attacker and then hands it out to users requesting the genuine website. In most cases, the fake site looks similar to the authentic one, which makes it harder for visitors to suspect that anything is wrong.
Impact of DNS cache poisoning
DNS cache poisoning, also known as DNS spoofing, is usually difficult to detect and can have a large negative impact, especially for popular websites or web applications with many visitors or users. This presents a big risk, especially in sensitive industries such as banking, healthcare, online retail, e-commerce, and others.
For example, suppose attackers manage to change the DNS records and IP addresses for Amazon. They would then point them to a different server with a fake IP address that the attackers control or own. Anyone trying to reach the genuine Amazon website would be redirected to the wrong address, which may host malicious programs that steal confidential information.

Besides websites, an attacker can insert the fake address of an email server or of other web applications, such as banking applications. As a result, these would redirect all business email correspondence or transactions to the attacker's server.
Since changes in DNS regularly propagate from one server to another, a poisoned cache can spread to other DNS servers and systems, causing widespread damage. For example, the forged entry can quickly spread to other machines, such as the ISP's DNS servers, which will then store it in their caches. From there it spreads further to devices close to the user, such as browsers, mobile phones, and routers, which will also store that bad record in their caches.
How does DNS cache poisoning work?
Criminals can poison a DNS cache using different techniques.
During normal operation, the results of DNS lookups are usually stored, or cached, in a database that users' systems can query in real time. Generally, the DNS database holds a list of internet names and their corresponding IP addresses, which makes it easier to find and access websites by name rather than by IP address, which can be very difficult to remember and confusing.
For example, without the DNS system, users would need to remember the string of numbers that makes up the IP address of every website they want to visit or revisit.
Unfortunately, DNS has several security flaws that attackers can exploit to insert fake internet domain address records into the system. Usually, the criminals send forged responses to the DNS server. The server then responds to the user who made the request and, at the same time, the legitimate servers cache the fake record. Once the DNS cache server stores the fake record, all subsequent requests for the now compromised entry receive the address of a server controlled by the attacker.
DNS cache poisoning involves inserting corrupt entries into the DNS name server's cache database, and attackers use different methods to do so. These include:
- When a website or web app user submits a request for a certain domain through a browser or an online application, the DNS server first checks whether the entry exists in its cache. If it is not stored, it asks the authoritative DNS servers for the information and then waits for a response. For some time, attackers would exploit this narrow waiting window, temporarily take over the role of the origin DNS server, and issue a fake response before the authoritative server sends the genuine address. However, since the waiting period is usually very short, the success rate is very low.
- Another method involves sending forged responses from a DNS server impersonating the legitimate one. Because there is usually no verification of the DNS information, attackers can forge the response the DNS resolver receives as it queries a name server. This is also made possible by the fact that DNS servers use the User Datagram Protocol (UDP) instead of TCP. DNS communication is usually insecure because the information in the UDP packets is unencrypted and there is no authentication. This makes it easy for attackers to corrupt the responses and insert their fake addresses.
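Both techniques above succeed only if the resolver accepts a reply it cannot tie to its own outstanding query. The following Python script is an added example for this article, not code from the original page or from any particular resolver: it builds a query with an unpredictable 16-bit transaction ID and a random ephemeral source port, then accepts a reply only when the peer address and port, the transaction ID, the QR flag and the echoed question section all match. All packets are constructed in memory using documentation addresses (192.0.2.x, 198.51.100.x), nothing is sent on the network, and `PendingQuery` and `accept_response` are names chosen for this example.

```python
"""Stub-resolver checks that reject DNS replies not tied to an outstanding query.

Added example for this article, not the article's own code. Packets are built
in memory with documentation addresses; nothing touches the network.
"""
import secrets
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid):
    """12-byte header plus one question; flags 0x0100 = standard query, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_answer(name, txid, ip):
    """A reply carrying one A record (constructed; flags 0x8180 = QR, RD, RA)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Answer RR: owner name (uncompressed), TYPE, CLASS, TTL, RDLENGTH, RDATA
    answer = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + question + answer


def parse_question(msg):
    """Return (txid, flags, qdcount, qname, qtype, qclass) of a one-question message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, flags, qdcount, ".".join(labels).lower(), qtype, qclass


class PendingQuery:
    """State kept per outstanding query so the reply can be vetted."""

    def __init__(self, name, server):
        self.name = name.lower()
        self.server = server                                    # (ip, port) queried
        self.txid = secrets.randbelow(1 << 16)                  # unpredictable ID
        self.src_port = 1024 + secrets.randbelow(65536 - 1024)  # random ephemeral port
        self.wire = build_query(name, self.txid)


def accept_response(pending, msg, peer, dst_port):
    """Return 'ok', or the reason the reply must be dropped without caching."""
    if peer != pending.server:
        return "reply from unexpected address/port"
    if dst_port != pending.src_port:
        return "reply to wrong source port"
    if len(msg) < 12:
        return "truncated header"
    try:
        txid, flags, qdcount, qname, qtype, qclass = parse_question(msg)
    except (IndexError, struct.error, UnicodeDecodeError):
        return "malformed message"
    if txid != pending.txid:
        return "transaction ID mismatch"
    if not flags & 0x8000:
        return "QR bit not set (not a response)"
    if qdcount != 1 or (qname, qtype, qclass) != (pending.name, QTYPE_A, QCLASS_IN):
        return "question section does not echo our query"
    return "ok"


if __name__ == "__main__":
    pq = PendingQuery("www.example.com", ("192.0.2.53", 53))
    genuine = build_answer("www.example.com", pq.txid, "93.184.216.34")
    forged = build_answer("www.example.com", (pq.txid + 1) % 65536, "198.51.100.7")
    print("genuine:", accept_response(pq, genuine, ("192.0.2.53", 53), pq.src_port))
    print("forged: ", accept_response(pq, forged, ("192.0.2.53", 53), pq.src_port))
```

The value of the random ID and port is that a forger who is not on the path has to guess both before the genuine reply arrives; a resolver that checks only the ID, or reuses one source port, gives up most of that margin. Any reply that fails a check is dropped and never reaches the cache.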
DNS vulnerabilities that attackers exploit
Security vulnerabilities in certain web applications, as well as the lack of proper authentication of DNS records, allow cybercriminals to compromise DNS responses easily and go unnoticed. Some of these vulnerabilities include:
Lack of verification and validation
DNS has a trust-first design that does not require verifying that an IP address is genuine before a response is sent. Since DNS resolvers do not verify the data in the cache, an incorrect record remains there until it is removed manually or its TTL expires.
Recursive DNS server vulnerability
When recursive querying is enabled, the DNS server receives a query and does all the work of finding the correct address and sending the response to the user. If it does not have the record in its cache, it queries other DNS servers on the client's behalf until it obtains the address and returns it to the user. Enabling recursive querying presents a security weakness that attackers can exploit to carry out DNS cache poisoning.

While the server is looking up the address, it gives an attacker the opportunity to intercept the traffic and supply a fake response. The recursive DNS server sends that response to the user and, at the same time, saves the fake IP address in its cache.
Lack of encryption
Usually, the DNS protocol is unencrypted, which makes it easy for attackers to intercept its traffic. Also, the servers do not verify the IP addresses to which they direct traffic, so they cannot tell whether an address is genuine or fake.
How to prevent DNS cache poisoning?
Risk management and monitoring of DNS data can help establish whether there are unusual patterns, user activities, or behaviors such as visiting malicious websites. And although detecting DNS cache poisoning is difficult, there are several security measures and practices that businesses and service providers can adopt to prevent it from happening. Some of the measures that prevent DNS cache poisoning include the use of DNSSEC, disabling recursive queries, and more.
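As an illustration of the monitoring just mentioned, here is an added example (not from the original article) that scans constructed resolver log lines for two signs of a poisoning attempt: a burst of replies that the resolver dropped because their transaction ID matched no outstanding query, and a newly cached A record that differs from a known-good baseline. The log format, the event names `id_mismatch` and `cache_insert`, the addresses and the thresholds are all assumptions made for this example; a real resolver's log lines need their own parser.

```python
"""Detect cache-poisoning attempts in resolver logs (added example, not from the article).

Log format is constructed for this example: '<epoch> <event> key=value ...'.
  id_mismatch  - resolver dropped a reply whose transaction ID matched no query
  cache_insert - resolver cached an A record 'ip=' for 'name='
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<event>\w+) (?P<rest>.*)$")

# Constructed sample: six mismatched replies for bank.example within three
# seconds, followed by a cache entry pointing to an address not in the baseline.
SAMPLE_LOG = """\
1700000000 cache_insert name=bank.example ip=203.0.113.10
1700000005 id_mismatch name=bank.example src=198.51.100.7
1700000005 id_mismatch name=bank.example src=198.51.100.7
1700000006 id_mismatch name=bank.example src=198.51.100.7
1700000006 id_mismatch name=bank.example src=198.51.100.7
1700000007 id_mismatch name=bank.example src=198.51.100.7
1700000007 id_mismatch name=bank.example src=198.51.100.7
1700000008 cache_insert name=bank.example ip=198.51.100.7
1700000300 cache_insert name=shop.example ip=203.0.113.20
1700000400 id_mismatch name=shop.example src=192.0.2.9
"""

# Known-good answers, e.g. taken from the authoritative zone (constructed values).
BASELINE = {"bank.example": "203.0.113.10", "shop.example": "203.0.113.20"}


def parse_line(line):
    """Return (timestamp, event, fields) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return int(m["ts"]), m["event"], fields


def detect(lines, baseline, window=10, threshold=5):
    """Return alert strings for mismatch bursts and off-baseline cache entries."""
    alerts = []
    recent = defaultdict(deque)  # qname -> timestamps of recent id_mismatch drops
    burst_alerted = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        name = f.get("name", "").lower()
        if event == "id_mismatch":
            q = recent[name]
            q.append(ts)
            while q and ts - q[0] > window:   # keep only the sliding window
                q.popleft()
            if len(q) >= threshold and name not in burst_alerted:
                burst_alerted.add(name)
                alerts.append(
                    f"possible cache-poisoning attempt: {len(q)} mismatched-ID replies "
                    f"for {name} within {window}s (src={f.get('src')})")
        elif event == "cache_insert":
            expected = baseline.get(name)
            if expected is not None and f.get("ip") != expected:
                alerts.append(f"cached A record for {name} is {f.get('ip')}, expected {expected}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), BASELINE):
        print(alert)
```

A single mismatched reply is noise (late answers after a retry are normal); many of them for the same name in a few seconds are the pattern worth alerting on. The baseline comparison catches the case where an attempt has already succeeded, which is what makes it useful for an organisation that only controls its own high-value names.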
Limit the level of trust relationships
One of the vulnerabilities in DNS transactions is the high level of trust between the different DNS servers. This means that the servers do not check the authenticity of the records they receive, which allows attackers to send fake responses even from their own illegitimate servers.
To prevent attackers from exploiting this flaw, security teams should limit the level of trust their DNS servers place in others. Configuring the DNS servers not to rely on trust relationships with other DNS servers makes it harder for cybercriminals to use their own DNS server to compromise records on the legitimate servers.
There are many tools for checking DNS security risk.
Use the DNSSEC protocol.
The Domain Name System Security Extensions (DNSSEC) use public-key cryptography to sign DNS records, adding a verification feature that lets systems determine whether an address is legitimate. This helps verify and authenticate requests and responses and thereby prevents spoofing.
In typical operation, the DNSSEC protocol attaches a unique cryptographic signature to other DNS information such as CNAME and A records. The DNS resolver then uses this signature to authenticate the DNS response before sending it to the user.

The security signatures ensure that the query responses users receive are authenticated by the legitimate origin server. Although DNSSEC can prevent DNS cache poisoning, it has drawbacks such as complex deployment, data exposure, and a zone enumeration vulnerability in earlier versions.
Not sure whether DNSSEC is enabled on your domain? Check instantly with the DNSSEC Test Tool.
Use the latest versions of DNS and BIND (Berkeley Internet Name Domain) software.
BIND version 9.5.0 or higher usually has enhanced security features such as cryptographically secure transaction IDs and port randomization, which help minimize DNS cache poisoning. Additionally, IT teams must keep the DNS software up to date and ensure that it is the most recent and secure version.
Besides the above, the following are other effective means or practices to prevent DNS cache poisoning:
- Configure the DNS server to respond only with information related to the requested domain
- Ensure that the cache server stores only data related to the requested domain
- Enforce the use of HTTPS for all traffic
- Disable the DNS recursive queries feature
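The first two bullets describe what is usually called a bailiwick check: a resolver that asked a server authoritative for example.com should cache only records whose owner name lies inside that zone, so that a stray record for some other domain riding along in the authority or additional section never enters the cache. The Python below is an added example, not the article's code or any particular resolver's implementation; records are (owner, type, rdata) tuples, the response is constructed, and `filter_response` and `cache_response` are names chosen for the example.

```python
"""Bailiwick filtering before caching (added example, not from the article).

A resolver that sent its query to a server for zone `zone` caches only records
whose owner name is that zone or a subdomain of it; everything else in the
reply is discarded and, if needed, looked up separately.
"""


def in_bailiwick(owner, zone):
    """True if owner is the zone apex or any name below it (case-insensitive)."""
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone, response):
    """Split a reply's records into (cacheable, rejected) lists of (section, rr)."""
    cacheable, rejected = [], []
    for section in ("answer", "authority", "additional"):
        for rr in response.get(section, []):
            owner = rr[0]
            (cacheable if in_bailiwick(owner, zone) else rejected).append((section, rr))
    return cacheable, rejected


def cache_response(cache, zone, response):
    """Insert only in-bailiwick records into `cache` (dict keyed by (owner, type)).

    Returns the records that were dropped so the caller can re-query them.
    """
    cacheable, rejected = filter_response(zone, response)
    for _section, (owner, rtype, rdata) in cacheable:
        cache.setdefault((owner.lower(), rtype), set()).add(rdata)
    return [rr for _section, rr in rejected]


# Constructed reply from a server authoritative for example.com. The last two
# additional records are out of bailiwick and must not be cached from here.
SAMPLE_RESPONSE = {
    "answer": [("www.example.com", "CNAME", "cdn.example.net")],
    "authority": [("example.com", "NS", "ns1.example.com")],
    "additional": [
        ("ns1.example.com", "A", "192.0.2.1"),       # glue, in bailiwick
        ("cdn.example.net", "A", "198.51.100.7"),    # must be resolved separately
        ("bank.example", "A", "198.51.100.7"),       # unrelated domain, dropped
    ],
}

if __name__ == "__main__":
    cache = {}
    dropped = cache_response(cache, "example.com", SAMPLE_RESPONSE)
    print("cached:", cache)
    print("dropped:", dropped)
```

Note the CNAME case: the answer legitimately points www.example.com at cdn.example.net, but the A record for cdn.example.net that the same reply offers is outside example.com's zone, so the resolver discards it and issues its own query for cdn.example.net rather than trusting the address it was handed.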
To conclude
DNS cache poisoning diverts a domain's users to malicious addresses, away from their intended destination. Some attacker-controlled servers may trick unsuspecting users into downloading malware or providing passwords, credit card information, and other sensitive private data. To prevent this from happening, it is important to follow security best practices.