What is DNS cache poisoning and how do you prevent it? DNS cache poisoning, also known as DNS spoofing, is an attack that plants a forged record in the cache of a Domain Name System (DNS) resolver, so that traffic meant for a legitimate server is quietly diverted to a server the attacker controls.
In April 2018, when the DNS records of the cryptocurrency wallet service MyEtherWallet were hijacked and legitimate users were redirected to a phishing website, the threat of DNS cache poisoning hit the headlines.
As a result of the poisoning, some users were tricked into giving up their wallet keys, and their cryptocurrency was then transferred into a wallet controlled by the attackers. Before the issue was found and stopped, the attackers stole about a hundred and sixty thousand dollars' worth of Ether.
This is only one example of how damaging poisoning of a DNS cache can be. A second reason this form of attack is dangerous is that a poisoned entry can spread quickly from one DNS server to the next.
In this post we cover how DNS cache poisoning works, and then some measures your organization can apply so that it does not happen to you.
How Does DNS Spoofing Work?
Let's start with how DNS cache poisoning works. Every time your browser contacts a domain name, it must first ask a DNS resolver for that name's address.
The Domain Name System (DNS) is the internet's equivalent of a phone book. It holds a directory of domain names and translates them into Internet Protocol (IP) addresses.
This matters because, while domain names are easy for people to remember, computers and devices reach websites by IP address.
The resolver replies with one or more IP addresses for the domain name, and your device then connects to one of them.
Your internet service provider runs several recursive DNS servers, each of which caches (saves) answers it has obtained from other servers so that it does not have to look them up again. Your home Wi-Fi router typically acts as a small DNS forwarder and cache as well, holding on to the answers it receives from your ISP's servers.
A DNS cache is "poisoned" when the server accepts and stores an incorrect entry. This can happen when an attacker takes control of a DNS server and alters the data in it, or, more commonly, when an attacker sends the resolver a forged response that it cannot tell apart from the genuine one.
The attacker changes the record so that the DNS server tells users the wrong address for a certain website. In other words, the user enters the "right" name of the website but is sent to the wrong IP address, typically that of a phishing site.
We said earlier that DNS cache poisoning is dangerous because it can spread quickly from one DNS server to the next. This happens when other resolvers, including those run by several internet service providers, obtain their DNS information from the now attacker-controlled (or poisoned) server, so that the forged entry is cached at each of them in turn.
From that point on, other DNS servers, home routers and computers that look up the entry receive the wrong answer, and more and more people become victims of the poisoning. The problem is only resolved once the poisoned entry has been flushed from every affected cache, or has expired: cached records are kept for the lifetime (time-to-live, TTL) set in the record, which can be hours or days.
How To Protect Against DNS Spoofing
One of the tricky aspects of DNS cache poisoning is that it is extremely difficult for a client to tell whether the DNS responses it receives are genuine. In MyEtherWallet's case the company itself had very little means of preventing the situation, and the problem was eventually resolved by its DNS providers.
Fortunately, there are still a range of steps your organization can take to prevent such an attack, so you should not assume that DNS cache poisoning is difficult or almost impossible to defend against.
For example, have an experienced administrator configure your DNS servers so that they rely as little as possible on answers from other DNS servers: do not offer open recursion to the whole internet, and serve your own zones from authoritative servers that are separate from the recursive resolvers your users query.
This makes it much harder for an attacker to feed your server poisoned data, which in turn makes it less likely that you (and anyone in your organization) are redirected to an incorrect website.
In addition, configure your DNS servers to cache only data directly relevant to the requested domain and to restrict query responses to information that concerns the requested domain. Resolvers call this the "bailiwick" rule: a server that was asked about one zone should not be believed about names in a different zone, however they are packaged in the reply. The same principle applies to the host itself: the server should run only the services it actually needs. Every additional, unneeded service running on your DNS server enlarges the attack surface and increases the chance of a compromise.
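The bailiwick check described above, as an added example that is not code from the original post: a toy resolver cache that accepts records only if they fall under the zone the query was sent for, and discards everything else in the reply. The domain names (attacker.test, bank.test), the reply contents and the documentation-range IP addresses are constructed for the example; a real resolver (BIND, Unbound, and so on) performs this check internally on the wire-format message.

```python
# Added example (not the article's code): a tiny resolver cache that applies the
# bailiwick rule, i.e. it only believes a server about names that fall under the
# zone it was asked about, and discards anything else in the reply.


def in_bailiwick(record_name, zone):
    """True if record_name is zone itself or a subdomain of zone (case-insensitive).

    The leading dot in the suffix test matters: 'notattacker.test' must not
    match the zone 'attacker.test'.
    """
    record = record_name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return record == zone or record.endswith("." + zone)


class BailiwickCache:
    def __init__(self):
        self.entries = {}   # (name, rtype) -> value

    def ingest(self, zone, response):
        """Cache the in-bailiwick records of a reply to a query under `zone`.

        `response` is a dict with optional 'answer', 'authority' and 'additional'
        lists of (name, rtype, value) tuples. Returns the names that were
        rejected as out of bailiwick.
        """
        rejected = []
        for section in ("answer", "authority", "additional"):
            for name, rtype, value in response.get(section, []):
                if in_bailiwick(name, zone):
                    self.entries[(name.rstrip(".").lower(), rtype)] = value
                else:
                    rejected.append(name)
        return rejected

    def lookup(self, name, rtype):
        return self.entries.get((name.rstrip(".").lower(), rtype))


def poisoning_attempt():
    """A constructed reply from attacker.test's nameserver that tries to smuggle in
    an address record for www.bank.test via the additional section."""
    response = {
        "answer": [("www.attacker.test.", "A", "198.51.100.7")],
        "authority": [("attacker.test.", "NS", "ns1.attacker.test.")],
        "additional": [
            ("ns1.attacker.test.", "A", "198.51.100.53"),   # legitimate glue, in bailiwick
            ("www.bank.test.", "A", "203.0.113.66"),        # out of bailiwick: the poison
            ("notattacker.test.", "A", "203.0.113.67"),     # suffix trick, also rejected
        ],
    }
    cache = BailiwickCache()
    rejected = cache.ingest("attacker.test", response)
    return cache, rejected


if __name__ == "__main__":
    cache, rejected = poisoning_attempt()
    print("rejected:", rejected)
    print("www.bank.test ->", cache.lookup("www.bank.test", "A"))
    print("www.attacker.test ->", cache.lookup("www.attacker.test", "A"))
```

Without the check, the forged `www.bank.test` record would sit in the cache until its TTL expired, and every client of that resolver would be sent to 203.0.113.66.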
You should also make sure you are running a current version of your DNS server software (BIND, Unbound, Windows DNS and the like). Recent versions defend against poisoning by randomizing the UDP source port and the 16-bit transaction ID of every query, so that an attacker has to guess both before a forged response will be accepted. Note that randomization only makes forgery harder to pull off, not impossible; for cryptographic assurance that an answer is authentic, enable DNSSEC validation on your resolver as well.
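The following simulation, added here as an example and not part of the original post, ties together the mechanism described in the "How Does DNS Spoofing Work?" section and the randomization defence above. A model resolver accepts the first reply whose name, transaction ID and destination port match its outstanding query; an off-path attacker first observes one query to learn the resolver's current ID and port, then floods forged replies for the target name. The domain names, addresses, the sequential-ID and fixed-port behaviour of the "old" resolver, and the attacker's packet budget are all constructed assumptions.

```python
import random

# Added example (not from the article). A recursive resolver queries an
# authoritative server for NAME while an off-path attacker floods it with
# forged replies, hoping one matches the outstanding query.
NAME = "www.example.test"
GENUINE_IP = "192.0.2.10"      # documentation address, stands in for the real site
ATTACKER_IP = "203.0.113.66"   # documentation address, stands in for the phishing site


class Resolver:
    """Minimal model of a caching resolver's reply-matching logic."""

    def __init__(self, random_txid, random_port, rng):
        self.random_txid = random_txid
        self.random_port = random_port
        self.rng = rng
        self.cache = {}
        self.next_txid = 0x1000   # sequential IDs, as old resolvers used
        self.fixed_port = 5353    # a single source port reused for every query

    def send_query(self, name):
        """Return (name, txid, src_port) for a new outstanding query."""
        if self.random_txid:
            txid = self.rng.getrandbits(16)
        else:
            txid = self.next_txid
            self.next_txid = (self.next_txid + 1) & 0xFFFF
        port = self.rng.randint(1024, 65535) if self.random_port else self.fixed_port
        return (name, txid, port)

    def receive(self, query, reply):
        """Accept the first reply whose name, TXID and port match the query."""
        name, txid, port = query
        r_name, r_txid, r_port, address = reply
        if (r_name, r_txid, r_port) == (name, txid, port) and name not in self.cache:
            self.cache[name] = address
            return True
        return False


def search_space(random_txid, random_port):
    """Number of (TXID, port) combinations an attacker has to cover."""
    txids = (1 << 16) if random_txid else 1
    ports = (65535 - 1024 + 1) if random_port else 1
    return txids * ports


def run_attack(random_txid, random_port, budget=1 << 16, seed=7):
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    resolver = Resolver(random_txid, random_port, rng)
    # Step 1: the attacker triggers and observes one query (e.g. for its own
    # domain) to learn the resolver's current TXID and source port.
    _, seen_txid, seen_port = resolver.send_query("attacker.test")
    # Step 2: the attacker triggers the query it wants to poison.
    query = resolver.send_query(NAME)
    # Step 3: the flood. With sequential IDs one guess suffices; otherwise the
    # attacker brute-forces all 65536 IDs. It has no better guess for the port
    # than the one it observed, which is useless once ports are randomized.
    guesses = range(1 << 16) if random_txid else [(seen_txid + 1) & 0xFFFF]
    packets = 0
    for guess in guesses:
        if packets >= budget:
            break
        packets += 1
        if resolver.receive(query, (NAME, guess, seen_port, ATTACKER_IP)):
            return {"poisoned": True, "packets": packets, "cached": resolver.cache[NAME]}
    # Step 4: the genuine reply arrives after the flood; it is only accepted if
    # nothing was cached for NAME in the meantime.
    resolver.receive(query, (NAME, query[1], query[2], GENUINE_IP))
    return {"poisoned": False, "packets": packets, "cached": resolver.cache[NAME]}


if __name__ == "__main__":
    for txid_rand, port_rand in [(False, False), (True, False), (True, True)]:
        result = run_attack(txid_rand, port_rand)
        print(f"random_txid={txid_rand} random_port={port_rand} "
              f"search_space={search_space(txid_rand, port_rand)} -> {result}")
```

With sequential IDs and a fixed port the attacker wins with a single packet; with random IDs but a fixed port, 65536 packets are always enough; with both randomized, the same budget covers a negligible fraction of the roughly 4.2 billion combinations and the genuine answer is the one that gets cached. In reality the attacker also races the genuine reply, which usually arrives within milliseconds, so the budget is far smaller than in this simulation.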
As MyEtherWallet advised in an announcement following the attack in April 2018, another protection against DNS cache poisoning is to look for the company's name next to the address in the browser (in their case "MyEtherWallet Inc").
The name indicates that the site is using an EV (Extended Validation) SSL/TLS certificate, which a phishing site sitting at a hijacked address will not have. Checking for it helps users avoid entering their personal information on an attacker's site. It is not foolproof: not all businesses use EV, and since 2019 the major browsers no longer show the organization name in the address bar, so the check now requires opening the certificate details from the padlock icon. Even so, it can be a helpful tool when deciding whether you are on the right site.
An SSL/TLS certificate is a small data file installed on the web server that binds your organization's domain name (and, for EV, its verified legal identity) to a public key. With the certificate in place the server can offer HTTPS, so the browser connects to it over an encrypted and authenticated channel. For EV certificates, details of the entity, including the business name mentioned above, are recorded in the certificate and can be inspected in the browser. Just as important: never click through a browser certificate warning, since a server that has hijacked a name through DNS will normally be unable to present a valid certificate for it.
In summary, DNS cache poisoning is when an attacker gets a forged DNS response cached by legitimate resolvers, either by compromising a DNS server directly or by spoofing a reply that the resolver cannot distinguish from the real one.
Users who look up the affected domain are then sent to an IP address chosen by the attacker, normally a phishing website where victims are tricked into downloading malware or handing over login or financial information.
Taking the measures above will help protect your organization against DNS cache poisoning attacks.
Note: To provide a broader range of material for our readers, this blog post was written by a guest contributor from Tecophobia.com. The views expressed in this guest post are solely those of the author and do not necessarily reflect those of Hybrid Cloud Tech.