DNS Cache Poisoning

DNS stands for Domain Name System and is used to determine IP addresses from domain names. For example, if you go to the website http://www.w3.org, your computer will request the IP address of www.w3.org. The same thing happens when you connect to your bank's website at http://www.yourbank.com. These DNS requests are normally sent to one of your Internet service provider's DNS servers. Those servers save (cache) the information they receive while answering earlier queries. If the DNS server already holds cached information that answers a request, it sends that cached information to the client computer instead of querying the authoritative servers again.

DNS cache poisoning is a method of tricking a DNS server into saving incorrect or forged DNS information in its cache. The server then hands that information to every client that asks, so the effect of one bad entry spreads to many users.

Suppose you attempt to go to http://www.yourbank.com. Your computer asks your Internet service provider's DNS server for the IP address. If the entry for yourbank.com in that server's cache was planted by DNS cache poisoning, you may be sent to some other website without knowing it. When you then enter your account credentials on a site designed to look like your bank's (but which belongs to the attacker), the attacker has those credentials and may be able to withdraw money from your account. These are the consequences of DNS cache poisoning.

There have historically been several weaknesses in the DNS protocol and its implementations that allow DNS cache poisoning attacks to succeed. Some of these weaknesses include:

  1. Extra information in a DNS reply packet would be cached by DNS servers as legitimate even if the extra information did not apply to the domain being queried (so-called out-of-bailiwick data).
  2. Some versions of BIND did not randomize the transaction ID; the IDs were numerically sequential, making it easy for attackers to spoof DNS answers as though they came from the authoritative server.
  3. Some operating systems and DNS implementations used pseudo-random number generators whose next output could be predicted, so the "randomized" transaction IDs were still guessable.
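The following Python is an added illustration, not code from this page or from any DNS implementation. It models the three weaknesses above from the attacker's side: predicting a sequential transaction ID, replaying a weak pseudo-random generator from a single observed ID, and the probability that a flood of forged replies wins a race against a resolver, depending on how many bits the forger has to guess. The LCG constants and the resolver behaviour are constructed for the example.

```python
# Added example: models the transaction-ID weaknesses an attacker exploits
# when forging DNS replies. Not taken from any real resolver.
import secrets


def predict_next_txid(observed):
    """Weakness 2: sequential IDs. Given IDs seen in the resolver's outgoing
    queries, return the next one if they form a fixed-step sequence mod 2^16,
    otherwise None (prediction by this method fails)."""
    if len(observed) < 2:
        return None
    step = (observed[1] - observed[0]) % 65536
    for a, b in zip(observed, observed[1:]):
        if (b - a) % 65536 != step:
            return None
    return (observed[-1] + step) % 65536


class WeakTxidGenerator:
    """Weakness 3: a 16-bit linear congruential generator whose output is its
    own internal state. Constants are constructed for this example; the point
    is that one observed ID reveals every later ID."""
    A, C, M = 75, 74, 65536

    def __init__(self, seed):
        self.state = seed % self.M

    def next_id(self):
        self.state = (self.A * self.state + self.C) % self.M
        return self.state


def predict_from_weak_prng(observed_id):
    """Attacker side of weakness 3: step the public generator once from the
    single ID that was observed on the wire."""
    g = WeakTxidGenerator
    return (g.A * observed_id + g.C) % g.M


def strong_txid():
    """What a fixed resolver does instead: draw the 16-bit ID from a CSPRNG."""
    return secrets.randbelow(65536)


def spoof_success_probability(entropy_bits, forged_per_window, windows):
    """Probability that at least one forged reply is accepted when the
    attacker sends `forged_per_window` guesses per race into a space of
    2**entropy_bits possibilities and can provoke `windows` independent races.
    16 bits = transaction ID only; 32 bits = ID plus a random source port."""
    per_window = min(1.0, forged_per_window / 2 ** entropy_bits)
    return 1.0 - (1.0 - per_window) ** windows


if __name__ == "__main__":
    print("sequential IDs 100,101,102 -> next", predict_next_txid([100, 101, 102]))
    gen = WeakTxidGenerator(seed=1234)
    seen = gen.next_id()
    print("weak PRNG: observed", seen, "predicted next", predict_from_weak_prng(seen),
          "actual next", gen.next_id())
    print("strong ID example:", strong_txid())
    for bits in (16, 32):
        print(f"{bits}-bit guess space, 100 forged replies x 1000 races:",
              round(spoof_success_probability(bits, 100, 1000), 4))
```

The last function is the one to keep in mind: with only a 16-bit transaction ID, a few hundred forged packets per race across repeated races give the attacker good odds, while adding 16 bits of source-port entropy pushes the same effort down to a negligible probability.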

A DNS cache poisoning attack exploits a flaw in the DNS protocol or in one or more servers in the DNS system. Essentially the attacker attempts to get an incorrect IP address associated with a specific domain name in the DNS server's cache. These attacks are possible partly because a DNS server cannot be sure that a query response came from the authoritative source: the only check it has is that the reply's transaction ID and addressing match an outstanding query. Once a DNS server's cache is poisoned, every user who relies on that server for information about the poisoned domain gets the incorrect answer until the cached entry's time to live (TTL) expires. The forged record carries whatever TTL the attacker chose, so this may be several days.

In one type of DNS cache poisoning attack, the attacker sends a query to the target DNS server asking about a domain the attacker controls. To answer, the target nameserver must eventually send a query to the nameserver that the attacker administers. Along with the legitimate answer, the attacker's nameserver sends additional records, for example an address record for the victim's domain. If the receiving DNS server caches this extra information without checking that it belongs to the zone the answering server is responsible for, the attacker succeeds in injecting DNS data about domains other than their own.

DNS cache poisoning prevention

Several methods reduce DNS cache poisoning attacks, starting with fixing the weaknesses in the DNS protocol and DNS servers listed above. DNS servers should only accept data into their cache that comes from a server authoritative for the name in question, and should discard additional records that are not associated with the original query (the bailiwick check). Transaction IDs should come from a cryptographically strong random source, and modern resolvers also randomize the UDP source port of each query so that a forged reply has to guess both values. A new version of DNS called DNSSEC, which adds digital signatures to DNS records so that a resolver can verify the data itself rather than trusting whichever server delivered it, has been developed but is not yet widely deployed on the Internet.
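To make the attack described earlier and the bailiwick defence just described concrete, here is an added Python model of a caching resolver. It is not code from this page or from any real resolver: domain names (attacker.example, yourbank.example), addresses (203.0.113.x, the TEST-NET-3 documentation range) and the record layout are constructed for the example. The same cache is run once accepting everything a response contains and once accepting only records that fall inside the zone the answering server was delegated, and it also shows the poisoned entry surviving until its TTL runs out.

```python
# Added example: toy caching resolver showing out-of-bailiwick poisoning and
# the bailiwick check that prevents it. Not any real resolver's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a DNS response section."""
    name: str
    rtype: str
    rdata: str
    ttl: int


class FakeClock:
    """Deterministic clock so TTL expiry can be shown without sleeping."""
    def __init__(self):
        self.t = 0

    def __call__(self):
        return self.t


def normalize(name):
    """Lower-case and make fully qualified so name comparisons are exact."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(name, zone):
    """True if `name` is at or below `zone`, the zone the responding server was
    delegated authority for. Records outside it must not be cached."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self, enforce_bailiwick, now):
        self.enforce_bailiwick = enforce_bailiwick
        self.now = now
        self._store = {}  # (owner name, type) -> (rdata, expiry time)

    def accept_response(self, zone, answers, additional):
        """Cache the records in a response. `zone` is the zone the answering
        server was referred to for. Returns (accepted, rejected) lists."""
        accepted, rejected = [], []
        for rr in answers + additional:
            if self.enforce_bailiwick and not in_bailiwick(rr.name, zone):
                rejected.append(rr)
                continue
            self._store[(normalize(rr.name), rr.rtype)] = (rr.rdata, self.now() + rr.ttl)
            accepted.append(rr)
        return accepted, rejected

    def lookup(self, name, rtype):
        """Return cached rdata, or None if absent or expired."""
        key = (normalize(name), rtype)
        entry = self._store.get(key)
        if entry is None:
            return None
        rdata, expires = entry
        if self.now() >= expires:
            del self._store[key]
            return None
        return rdata


BANK_TTL = 7 * 24 * 3600  # one week: the attacker chooses a long TTL


def run_scenario(enforce_bailiwick):
    """The attack from the text: the attacker asks about its own domain and its
    nameserver pads the reply with an A record for the bank. Returns what the
    resolver afterwards believes the bank's address is (None = not cached)."""
    clock = FakeClock()
    cache = ResolverCache(enforce_bailiwick, now=clock)
    # The resolver was referred to ns.attacker.example for attacker.example only.
    answers = [RR("www.attacker.example", "A", "203.0.113.10", 300)]
    additional = [RR("www.yourbank.example", "A", "203.0.113.66", BANK_TTL)]
    cache.accept_response("attacker.example", answers, additional)
    return cache.lookup("www.yourbank.example", "A")


def poisoned_entry_lifetime():
    """In the naive cache the bogus record is served until its TTL expires.
    Returns (address just before expiry, address at expiry)."""
    clock = FakeClock()
    cache = ResolverCache(False, now=clock)
    bogus = [RR("www.yourbank.example", "A", "203.0.113.66", BANK_TTL)]
    cache.accept_response("attacker.example", [], bogus)
    clock.t = BANK_TTL - 1
    before = cache.lookup("www.yourbank.example", "A")
    clock.t = BANK_TTL
    after = cache.lookup("www.yourbank.example", "A")
    return before, after


if __name__ == "__main__":
    print("naive cache     :", run_scenario(False))
    print("bailiwick check :", run_scenario(True))
    print("entry lifetime  :", poisoned_entry_lifetime())
```

The bailiwick check is deliberately a suffix match on labels, not on raw strings: `evilattacker.example` is not inside `attacker.example`, and names are normalized before comparison so case or a missing trailing dot cannot be used to slip a record past it.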