Ethical Hacking: DNS Cache Poisoning
DNS cache poisoning, is a form of computer hackingin which corrupt Domain name system data is introduced into the DNS resolver's cache causing the name server to return an incorrect IP address. This results in trafic being diverted to the attacker's computer (or any other computer).
DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones.
DNS Poisoning Attack.?
The success of a cache poisoning attack relies on the existence of exploitable vulnerabilities in DNS software. Once an attacker has sent a forged DNS response, the corrupt data provided by the attacker gets cached by the real DNS name server. It is at this point that the DNS cache is considered “poisoned.” As a result, future users that attempt to visit the corrupted domain will instead be routed to the new IP address selected by the attacker. Users will continue to receive inauthentic IP addresses from the DNS until the poisoned cache has been cleared.
DNS cache poisoning attacks usually incorporate elements of social engineering to manipulate victims into downloading malware. The servers and websites that attackers use to replace authentic IP addresses are set up to appear legitimate while they actually contain malware in disguise. Attackers’ use of social engineering along with the fact that domain names still appear normal can make it very difficult for users to detect cache poisoning attacks. As a result, victims willingly download malicious content that they believe to be valid and from trusted sources.
How DNS Works.?
Whenever your computer contacts a domain name like “google.com,” it must first contact its DNS server. The DNS server responds with one or more IP addresses where your computer can reach google.com. Your computer then connects directly to that numerical IP address. DNS converts human-readable addresses like “google.com” to computer-readable IP addresses like “18.104.22.168”.
How To Prevent Cache Poisoning Attack.?
In order to further prevent cache poisoning attacks, IT teams should configure their DNS name servers to:
-Encrypt your sensitive traffic using an encrypting protocol such as SSH or IPsec.
-IPv6 has security benefits and options that IPv4 does not have.
-Virtual Private Networks (VPNs) can provide an effective defense against sniffing due to their encryption aspect.
-Implement IP DHCP Snooping on switches to prevent ARP poisoning and spoofing attacks.
-using a random source port (instead of UDP port 53)
-randomizing the query ID
-randomizing the case of the letters of the domain names that are sent out to be resolved. (That's because name servers will treat example.com and ExaMPle.com the same when it comes to resolving the IP address, but it will reply using the same case as the original query.)
-Manage your DNS servers securely. When it comes to your authoritative servers, you need to decide whether to host them yourself or have them hosted at a service provider or domain registrar. "No one cares about your security as much as you do, so we advise hosting and managing yourself -- if you have the skills to do so," says Brenton. "If you don't have those skills, then of course it is better to get someone else to do it for you. It's not just a matter of expertise, but also of scale because many organizations need to have DNS servers in three or four places around the world."