DNS Cache Poisoning

Attackers can poison a DNS cache by tricking DNS resolvers into caching false information. The resolver then sends the wrong IP address to clients, and users attempting to navigate to a website are directed to the wrong place.

What is DNS cache poisoning?

DNS cache poisoning is entering false information into a DNS cache so that DNS queries return an incorrect response and users are directed to the wrong websites. DNS cache poisoning is also known as ‘DNS spoofing.’ IP addresses are the ‘phone numbers’ of the Internet, enabling web traffic to arrive in the right places. DNS resolver caches are like a directory that lists these phone numbers, and when they store faulty information, traffic goes to the wrong places until the cached information is corrected. (Note that this does not disconnect the websites from their IP addresses.)

Because there is typically no way for DNS resolvers to verify the data in their caches, incorrect DNS information remains in the cache until the time to live (TTL) expires or until it is removed manually. Several vulnerabilities make DNS poisoning possible, but the chief problem is that DNS was built for a much smaller Internet based on a trust principle (much like BGP). A more secure DNS protocol called DNSSEC aims to solve some of these problems, but it has not been widely adopted.

What do DNS resolvers do?

DNS resolvers provide clients with the IP address associated with a domain name. In other words, they translate human-readable website addresses like ‘zpenterprises.co’ into machine-readable IP addresses. When a user attempts to navigate to a website, their operating system sends a request to a DNS resolver. The DNS resolver responds with the IP address, and the web browser takes this address and initiates loading the website.

How does DNS caching work?

A DNS resolver will save responses to IP address queries for a while. This way, the resolver can respond to future queries more quickly without communicating with the many servers involved in the typical DNS resolution process. DNS resolvers save responses in their cache for as long as the designated time to live (TTL) associated with that DNS record allows them to.
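As an added illustration (not code from the original article), the following Go program models the cache behaviour just described: an answer is stored for the TTL it arrived with, a lookup returns the remaining TTL rather than the original one, and an entry leaves the cache only when that TTL runs out or an operator flushes it by hand. The record name, address and TTL are constructed sample values.

```go
package main

import (
	"fmt"
	"time"
)

// Added example (not code from the original article): a minimal resolver
// cache keyed by owner name and record type that honours each answer's TTL.
// The clock is injectable so the expiry logic can be driven deterministically.

type cacheKey struct {
	name  string
	qtype string
}

type cacheEntry struct {
	rdata   []string  // answer data, e.g. one or more IPv4 addresses
	expires time.Time // absolute moment the TTL runs out
}

type ResolverCache struct {
	entries map[cacheKey]cacheEntry
	now     func() time.Time
}

func NewResolverCache(now func() time.Time) *ResolverCache {
	if now == nil {
		now = time.Now
	}
	return &ResolverCache{entries: map[cacheKey]cacheEntry{}, now: now}
}

// Store caches an answer for ttl seconds, as a resolver does once an uncached
// lookup has been answered by the authoritative nameserver.
func (c *ResolverCache) Store(name, qtype string, rdata []string, ttl uint32) {
	c.entries[cacheKey{name, qtype}] = cacheEntry{
		rdata:   rdata,
		expires: c.now().Add(time.Duration(ttl) * time.Second),
	}
}

// Lookup returns the cached data and the remaining TTL in seconds. The
// remaining (not original) TTL is what a resolver hands to clients, so their
// own caches expire at the same moment. Expired entries are evicted and
// reported as a miss, which forces a fresh query to the nameserver.
func (c *ResolverCache) Lookup(name, qtype string) ([]string, uint32, bool) {
	k := cacheKey{name, qtype}
	e, ok := c.entries[k]
	if !ok {
		return nil, 0, false
	}
	left := e.expires.Sub(c.now())
	if left <= 0 {
		delete(c.entries, k)
		return nil, 0, false
	}
	return e.rdata, uint32(left / time.Second), true
}

// Flush evicts an entry before its TTL expires: the manual removal that the
// article names as the only other way bad data leaves a cache.
func (c *ResolverCache) Flush(name, qtype string) {
	delete(c.entries, cacheKey{name, qtype})
}

func main() {
	clock := time.Now()
	cache := NewResolverCache(func() time.Time { return clock })
	// Constructed sample answer: a fictional A record with a 300-second TTL.
	cache.Store("example.test.", "A", []string{"192.0.2.10"}, 300)
	rd, left, ok := cache.Lookup("example.test.", "A")
	fmt.Println("fresh lookup:", rd, left, ok)
	clock = clock.Add(301 * time.Second) // advance past the TTL
	_, _, ok = cache.Lookup("example.test.", "A")
	fmt.Println("lookup after TTL expiry:", ok)
}
```

The point worth noticing is that a poisoned entry behaves exactly like a genuine one: nothing in Store or Lookup can tell them apart, so the bad data persists for the full TTL the forger chose unless Flush is called.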

DNS Uncached Response:

DNS Cached Response:

How do attackers poison DNS caches?

Attackers can poison DNS caches by impersonating DNS nameservers: they make a request to a DNS resolver and then forge the reply when the resolver queries the authoritative nameserver. This is possible because DNS uses UDP instead of TCP, and because there is no verification of DNS information.

DNS Cache Poisoning Process:

Poisoned DNS Cache:

Instead of using TCP, which requires both communicating parties to perform a ‘handshake’ to initiate communication, DNS requests and responses use UDP or the User Datagram Protocol. With UDP, there is no guarantee that a connection is open or the recipient is ready to receive. For this reason, UDP is vulnerable to forging – an attacker can send a message via UDP and pretend it is a response from a legitimate server by forging the header data.

If a DNS resolver receives a forged response, it accepts and caches the data uncritically, because it has no way to verify whether the information is accurate and comes from a legitimate source. DNS was created in the early days of the Internet, when the only parties connected were universities and research centers. There was no reason to expect that anyone would try to spread fake DNS information.

Despite these major points of vulnerability in the DNS caching process, DNS poisoning attacks are not easy. Because the DNS resolver does query the authoritative nameserver, attackers have only a few milliseconds to send the fake reply before the real reply from the authoritative nameserver arrives.

Attackers also have to either know or guess several factors to carry out DNS spoofing attacks:

  • Which DNS queries are not cached by the targeted DNS resolver so that the resolver will query the authoritative nameserver
  • What port* the DNS resolver is using – resolvers used to use the same port for every query, but now they use a different, random port each time
  • The request ID number
  • Which authoritative nameserver the query will go to
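The four factors above are precisely what a resolver compares before it will trust a reply, which is why they have to be guessed. The Go program below is an added example (not code from the original article) of that comparison from the receiving side: while a query is outstanding, the resolver remembers its transaction ID, the random source port it used, the nameserver it asked and the question; a reply that fails any one of these checks is dropped rather than cached. GuessSpace shows the effect of the port change the second bullet mentions, counting the (ID, port) combinations a forged reply would have to hit. All names, addresses, ports and IDs are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Added example, not code from the original article: resolver-side matching
// of a reply against the query it is waiting on. Values are constructed.

type PendingQuery struct {
	ID         uint16 // 16-bit transaction ID from the query header
	SrcPort    uint16 // randomised UDP source port the query was sent from
	Nameserver string // IP the query went to; the reply must come from it
	QName      string // question name, e.g. "example.test."
	QType      uint16 // question type, 1 = A
}

type Datagram struct {
	FromIP  string // source address of the UDP packet
	ToPort  uint16 // local port it arrived on
	Payload []byte // DNS message
}

type question struct {
	id       uint16
	response bool
	name     string
	qtype    uint16
}

var ErrNoMatch = errors.New("reply does not match an outstanding query")

// parseQuestion decodes the 12-byte DNS header and the first question.
func parseQuestion(msg []byte) (question, error) {
	var q question
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:6]) == 0 {
		return q, errors.New("short header or no question section")
	}
	q.id = binary.BigEndian.Uint16(msg[0:2])
	q.response = binary.BigEndian.Uint16(msg[2:4])&0x8000 != 0 // QR bit
	var labels []string
	off := 12
	for {
		if off >= len(msg) {
			return q, errors.New("truncated name")
		}
		l := int(msg[off])
		off++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 || off+l > len(msg) { // no compression pointers in a question name
			return q, errors.New("bad label")
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	if off+4 > len(msg) {
		return q, errors.New("truncated question")
	}
	q.name = strings.ToLower(strings.Join(labels, ".")) + "."
	q.qtype = binary.BigEndian.Uint16(msg[off : off+2])
	return q, nil
}

// AcceptResponse passes a reply only if it is a response whose ID, port,
// source address and question all match the pending query.
func AcceptResponse(p PendingQuery, d Datagram) error {
	q, err := parseQuestion(d.Payload)
	if err != nil {
		return err
	}
	if !q.response || q.id != p.ID || d.ToPort != p.SrcPort || d.FromIP != p.Nameserver ||
		q.name != strings.ToLower(p.QName) || q.qtype != p.QType {
		return ErrNoMatch
	}
	return nil
}

// GuessSpace counts the (ID, port) combinations a forged reply must hit: 2^16
// with a fixed source port, 2^16 times the ephemeral range 1024-65535 with
// randomised ports.
func GuessSpace(randomPort bool) uint64 {
	if !randomPort {
		return 1 << 16
	}
	return (1 << 16) * uint64(65535-1024+1)
}

// buildMessage constructs a minimal header plus question for the demo.
func buildMessage(id uint16, response bool, qname string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:2], id)
	if response {
		binary.BigEndian.PutUint16(msg[2:4], 0x8180) // QR=1, RD, RA
	}
	binary.BigEndian.PutUint16(msg[4:6], 1) // QDCOUNT
	for _, l := range strings.Split(strings.TrimSuffix(qname, "."), ".") {
		msg = append(msg, byte(len(l)))
		msg = append(msg, l...)
	}
	return append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1) // root label, QTYPE, QCLASS IN
}

func main() {
	p := PendingQuery{ID: 0x1234, SrcPort: 41234, Nameserver: "192.0.2.53", QName: "example.test.", QType: 1}
	genuine := Datagram{FromIP: "192.0.2.53", ToPort: 41234, Payload: buildMessage(0x1234, true, "example.test.", 1)}
	wrongID := Datagram{FromIP: "192.0.2.53", ToPort: 41234, Payload: buildMessage(0x1235, true, "example.test.", 1)}
	fmt.Println("genuine reply:", AcceptResponse(p, genuine))
	fmt.Println("wrong ID:", AcceptResponse(p, wrongID))
	fmt.Println("guesses needed, fixed vs random port:", GuessSpace(false), GuessSpace(true))
}
```

Two design points: the question name is compared case-insensitively because DNS names are, so a forger gains nothing from case tricks, and the check is deliberately all-or-nothing, because a resolver that accepts a reply matching only some fields hands part of the guess space back.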

Attackers could also gain access to the DNS resolver in some other way. If a malicious party operates, hacks, or gains physical access to a DNS resolver, they can more easily alter cached data.

*In networking, a port is a virtual endpoint at which communication is received. Computers have multiple ports, each with its own number, and for computers to talk to each other, certain ports must be designated for certain kinds of communication. For instance, HTTP communication goes to port 80 by default, and HTTPS uses port 443.

DNS spoofing and censorship

Several governments have intentionally poisoned DNS caches within their countries to deny access to certain websites or web resources.

How will DNSSEC help prevent DNS poisoning?

DNSSEC is short for Domain Name System Security Extensions, a means of verifying DNS data integrity and origin. DNS was originally designed with no such verification, which is why DNS poisoning is possible.

Much like TLS/SSL, DNSSEC uses public key cryptography (a way of digitally signing information) to verify and authenticate data. DNSSEC extensions were published in 2005, but DNSSEC is not yet mainstream, leaving DNS vulnerable to attacks.
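To make the "digitally signing information" part concrete, the Go program below is an added sketch (not code from the original article or from any DNSSEC implementation) of the core RRSIG idea: the zone owner signs each set of records with the zone's private key, and a validating resolver checks the signature with the published public key before trusting the data, so a forged or altered answer fails verification instead of being cached. It uses Ed25519, which is DNSSEC algorithm 15, from Go's standard library. Two assumptions simplify it relative to real DNSSEC: records are canonicalised as lower-cased text rather than DNS wire format, and the chain of trust (DS records up to the root) is replaced by a zone public key handed directly to the verifier. The zone name, records, key tag and validity window are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Added example, not code from the original article or any DNSSEC library:
// a simplified RRSIG sign/verify round trip with Ed25519 (algorithm 15).
// Canonical form is textual here (real DNSSEC signs the wire format), and the
// chain of trust is replaced by a public key passed straight to the verifier.

type RR struct {
	Name  string
	TTL   uint32
	Type  string
	RData string
}

// RRSIG holds the subset of RFC 4034 signature fields this sketch uses.
type RRSIG struct {
	TypeCovered string
	Algorithm   uint8  // 15 = Ed25519
	OrigTTL     uint32 // TTL the RRset had when signed; caches count it down
	Expiration  uint32 // validity window, seconds since the epoch
	Inception   uint32
	KeyTag      uint16 // identifies which DNSKEY to verify with (constructed value below)
	SignerName  string
	Signature   []byte
}

// GenerateZoneKey makes the key pair a zone would publish as its DNSKEY.
func GenerateZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedData is what both sides sign/verify: the RRSIG fields (without the
// signature) followed by the RRset in canonical order, using the original TTL
// so that a cache's decremented TTL does not break verification.
func signedData(sig RRSIG, rrs []RR) []byte {
	hdr := fmt.Sprintf("%s|%d|%d|%d|%d|%d|%s\n", strings.ToLower(sig.TypeCovered), sig.Algorithm,
		sig.OrigTTL, sig.Expiration, sig.Inception, sig.KeyTag, strings.ToLower(sig.SignerName))
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s %d %s %s", strings.ToLower(rr.Name), sig.OrigTTL, rr.Type, rr.RData))
	}
	sort.Strings(lines) // canonical ordering: signature is independent of record order
	return []byte(hdr + strings.Join(lines, "\n"))
}

// SignRRset is the zone owner's step: sign the RRset with the zone's private key.
func SignRRset(priv ed25519.PrivateKey, sig RRSIG, rrs []RR) RRSIG {
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs))
	return sig
}

// VerifyRRset is the resolver's step: check the validity window, that every
// record is covered and has not outlived the original TTL, then the signature.
func VerifyRRset(pub ed25519.PublicKey, sig RRSIG, rrs []RR, now uint32) bool {
	if sig.Algorithm != 15 || now < sig.Inception || now > sig.Expiration || len(rrs) == 0 {
		return false
	}
	for _, rr := range rrs {
		if rr.Type != sig.TypeCovered || rr.TTL > sig.OrigTTL {
			return false
		}
	}
	return ed25519.Verify(pub, signedData(sig, rrs), sig.Signature)
}

func main() {
	pub, priv := GenerateZoneKey()
	// Constructed RRset: two A records for a fictional zone.
	rrs := []RR{{"example.test.", 300, "A", "192.0.2.10"}, {"example.test.", 300, "A", "192.0.2.11"}}
	sig := SignRRset(priv, RRSIG{TypeCovered: "A", Algorithm: 15, OrigTTL: 300,
		Inception: 1000, Expiration: 2000, KeyTag: 12345, SignerName: "example.test."}, rrs)
	fmt.Println("genuine RRset verifies:", VerifyRRset(pub, sig, rrs, 1500))
	forged := []RR{{"example.test.", 300, "A", "203.0.113.9"}, rrs[1]}
	fmt.Println("altered RRset verifies:", VerifyRRset(pub, sig, forged, 1500))
}
```

This is the property the article attributes to DNSSEC: a resolver that validates no longer has to take an answer on trust, because a reply whose records, TTL bound, validity window or signing key differ from what the zone owner signed simply fails to verify. The UDP forging problem described earlier is unchanged; what changes is that the forged data is rejected before it reaches the cache.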
