DNS cache poisoning is the injection of fake or forged entries into the DNS cache so as to divert users to malicious websites.

The DNS cache poisoning results from vulnerabilities that allow the criminals to submit forged DNS responses, which the domain name server (DNS) then stores in their caches.

Usually, the compromised entry redirects the user to a fake website that the attackers use to perform criminal activities such as spreading malware or stealing credit card details, passwords, financial data, and other sensitive private information.

When a DNS cache poisoning occurs, the DNS cache server stores illegitimate address supplied by the attacker, and then issues this to users requesting for the genuine website. In most cases, this may look similar to the authentic website, hence making it harder for visitors to suspect anything is wrong.

Impact of a DNS cache poisoning

DNS cache poisoning, also known as DNS spoofing, is usually difficult to detect and can have a big negative impact, especially for popular websites or web applications with many visitors or users. This presents a big risk, especially in some sensitive industries such as banking, medical, online retail, e-commerce, and others.

For instance, supposing the attackers manage to change the DNS records and IP addresses for Amazon. They will then point it to a different server with a fake IP that the attackers control or own. Anyone trying to access the genuine Amazon website will be redirected to the wrong address, which may contain malicious programs to steal sensitive information.

Image:  Imperva

Other than websites, an attacker can insert the fake address for an email server or other web applications such as banking apps. These would consequently redirect all business email correspondence or transactions to the attacker’s server.

Since the changes in DNS regularly propagate from one server to another, a poisoned cache can spread to other DNS servers and systems, hence causing a lot of damage. For example, the forged entry can quickly spread to other machines such as the ISP DNS servers, which will then store it in their cache. From here, it spreads further to equipment near the user, such as the computer browsers, mobile phones, and routers, which will also store that bad record in their caches.

How does DNS cache poisoning work?

Criminals can poison the DNS cache using different techniques.

During normal operations, the DNS requests are usually stored or cached in a database that websites users can query in real-time. Generally, the DNS database has a list of the internet names and corresponding IP addresses. And this makes it easier to look for and access websites using names as opposed to the IP addresses, which can be very difficult and confusing.

For example, without the DNS system, users would need to remember the string of numbers that makes up the IP addresses for all the websites they want to visit or revisit.

Unfortunately, the DNS has several security flaws that attackers can exploit and insert fake internet domain address records into the system. Usually, the criminals send forged responses to the DNS server. The server then responds to the user who made the request, and at the same time, the legitimate servers will cache the fake record. Once the DNS cache server stores the fake record, all the subsequent requests for the now compromised entry will receive an address for a server controlled by the attacker.

The DNS cache poisoning involves inserting corrupt entries into the DNS name server cache database, and there are different methods that attackers use. These include;

  • When a website or web app user submits a request for a certain domain through a browser or online based application, the DNS server will first check if the entry exists in the cache. If not stored, it will request the authoritative DNS servers for the information, and then waits for a response. For some time, attackers would exploit this narrow waiting period, temporarily take over the role of origin DNS and issue a fake response before the authoritative server sends the genuine address. However, since the waiting period is usually very short, the success rate is very low.
  • Another method involves sending forged responses from a DNS server impersonating the legitimate one. Because there is usually no verification for the DNS information, the attackers can forge the response from the DNS resolver as it queries a name server. This is also made possible by the fact that the DNS servers use the User Datagram Protocol (UDP) instead of the TCP. Usually, the DNS communication is insecure due to unencrypted information in the UDP packets and lack of authentication. This makes it easy for attackers to corrupt the responses and insert their fake addresses.

DNS Vulnerabilities the attackers exploit

Security vulnerabilities in certain web applications, as well as lack of proper authentication of DNS records, allow cybercriminals to easily compromise the DNS responses and go undetected. Some of these vulnerabilities include;

Lack of verification and validation

The DNS has a trust first design that does not require verification of the IP address to confirm that it is genuine before sending a response. Since the DNS resolvers do not verify the data in the cache, an incorrect record will remain there until it is removed manually or the TTL expires.

Recursive DNS server vulnerability

When the recursive query is active, the DNS server receives a query and does all the work of looking for the correct address and sending the response to a user. If it does not have the record in its cache, it will query other DNS servers on behalf of the client until it gets the address and returns it to the user. Enabling the recursive query presents a security vulnerability that attackers can exploit to perform DNS cache poisoning.

dns recursive query
DNS Recursive queries Image: Stackoverflow

As the server is looking for the address, it provides the attacker with an opportunity to intercept the traffic and provide a fake response. The recursive DNS server will then send the response to the user while at the same time saving the fake IP in the cache.

Lack of encryption

Usually, the DNS protocol is unencrypted, and this makes it easy for attackers to intercept its traffic. Also, the servers to not verify that IP addresses where they direct the traffic to, hence, they cannot tell if it is genuine or fake.

How to prevent DNS cache poisoning?

Real-time monitoring of the DNS data can help to establish if there are unusual patterns, user activities, or behaviors such as visiting malicious websites. And although detecting the DNS cache poisoning is difficult, there are several security measures, and practices businesses and service providers can take to prevent it from happening. Some of the measures that prevent DNS cache poisoning include the use of DNSSEC, disabling the recursive queries, and more.

Limit level of trust relationships

One of the vulnerabilities with the DNS transactions is the high trust relationships between the different DNS servers. This means that the servers do not check the authenticity of the records they receive hence allowing the attackers to even send fake responses from their illegitimate servers.

To prevent attackers from exploiting this flaw, the security teams should limit the level of trust relationship their DNS servers have with others. Configuring the DNS servers not to rely on trust relationships with other DNS servers makes it harder for cybercriminals to use their DNS server to compromise records on the legitimate servers.

There are plenty of tools to check DNS security risk.

Use the DNSSEC protocol.

The Domain Name System Security Extensions (DNSSEC) uses public-key cryptography to sign the DNS records hence adding a verification feature and allowing the systems to determine if an address is legitimate or not. This helps to verify and authenticate the requests and responses and thereby prevent forgery.

In typical operation, the DNSSEC protocol associates a unique cryptographic signature to other DNS information such as the CNAME and A records. The DNS resolver then uses this signature to authenticate the DNS response before sending it to the user.

DNSSEC DNS cache poisoning protection
Image: Nic

The security signatures ensure that the query responses that users receive are authenticated by the legitimate origin server. Although the DNSSEC can prevent the DNS cache poisoning, it has drawbacks such as complex deployment, exposing data, and zone enumeration vulnerability in earlier versions.

Not sure if you have DNSSEC enabled on your domain? Check out instantly with the DNSSEC Test tool.

Use the latest versions of DNS and BIND (Berkeley Internet Name Domain) software.

A BIND version 9.5.0 or higher usually has enhanced security features such as cryptographically secure transaction IDs and port randomization, which helps to minimize DNS cache poisoning. Additionally, the IT teams must keep the DNS software up to date and ensure that it is the most recent and secure version.

Besides the above, the following are other effective means or practices to prevent DNS cache poisoning.

  • Configuring the DNS server to respond with only the information relating to the requested domain
  • Ensure that the cache server store only the data related to the requested domain
  • Enforce the use of HTTPs for all traffic
  • Disable the DNS Recursive queries feature

Conclusion

DNS cache poisoning results in diverting the domain users to malicious addresses away from their intended target. Some attacker-controlled servers may trick the unsuspecting users into downloading malware or providing passwords, credit card information, and other sensitive private data. To prevent this from happening, it is important to employ the best security practices.