Understanding DNS Cache Poisoning
DNS is an acronym for domain name system, it controls your domain name’s website and email settings. It helps convert domain names to IP addresses. A domain name is the information that you enter into a web browser in order to reach a specific website. An Internet Protocol (IP) address is the address that computers, servers and other devices use to identify one another online. The IP address is the language the computer understands.
The DNS server is like a phonebook for websites, when the computer sends the URL to the DNS server, the server checks its database and finds the corresponding IP address and let’s the computer know what the address is. Your computer now knows what the IP address and can visit the website.
The DNS cache is a temporary database of sites previously visited. When a request for a web address is made, the browser looks up the DNS cache to quickly retrieve it and thus a website’s URL can be resolved to its corresponding IP much more efficiently.
DNS cache poisoning is a type of attack on a DNS cache, diverting one from a legitimate site to a false one. DNS cache poisoning can divert users to malicious websites. Attackers do this by replacing the IP addresses stored in the DNS server with the ones under control of the attacker, so when a potential victim requests an address resolution for one of the poisoned sites, the DNS responds with the IP address for a different site, one controlled by the attacker.
DNS cache poisoning is dangerous because it can easily spread from one DNS server to another. Also, people’s personal and corporate information can be exposed to the attacker and victims can be manipulated into downloading malware or submitting login or financial details.
One of the tricky aspects of DNS cache poisoning is that it will be extremely difficult to determine whether the DNS responses you receive are legitimate or not, but there are few preventive measures you can take
- Keep your antivirus active and up-to-date.
- Set up and maintain your own DNS servers.
- Create and properly maintain your PTR (Pointer Records) zones. Even for local domains, it’s tedious, and boring, but very important. Especially for SMTP (Simple Mail Transfer Protocol) traffic.
- Use a respected ISP (Internet Service Provider) or DNS server. A good DNS server will never trust the first thing it receives from another server.
- In order to protect your own DNS cache, stay safe when browsing the internet. Don’t click on suspicious files, links, or banner advertisements. These might be attack vectors for malware that will alter your DNS cache.
- Use a DDoS (Distributed Denial-of-Service) mitigation provider to mitigate DDoS in the best possible way and keep your DNS servers secure and responding well at all times.
- Set up a two-factor authentication protection on your DNS server provider, if possible avoid phone call or SMS verification, and use Google Authenticator instead, which is way more secure.
- If you suspect your DNS cache is poisoned, clear the cache.
Image – innovativenoob.com, mis-solutions.com