DNS spoofing
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's computer (or any other computer).
Overview of the Domain Name System
A Domain Name System server translates a human-readable domain name (such as example.com
) into a numerical IP address that is used to route communications between nodes. Normally if the server does not know a requested translation it will ask another server, and the process continues recursively. To increase performance, a server will typically remember (cache) these translations for a certain amount of time. This means if it receives another request for the same translation, it can reply without needing to ask any other servers, until that cache expires.
When a DNS server has received a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (often an attacker's).[1]
Cache poisoning attacks
Normally, a networked computer uses a DNS server provided by an Internet service provider (ISP) or the computer user's organization. DNS servers are used in an organization's network to improve resolution response performance by caching previously obtained query results. Poisoning attacks on a single DNS server can affect the users serviced directly by the compromised server or those serviced indirectly by its downstream server(s) if applicable.[2]
To perform a cache poisoning attack, the attacker exploits flaws in the DNS software. A server should correctly validate DNS responses to ensure that they are from an authoritative source (for example by using DNSSEC); otherwise the server might end up caching the incorrect entries locally and serve them to other users that make the same request.
This attack can be used to redirect users from a website to another site of the attacker's choosing. For example, an attacker spoofs the IP address DNS entries for a target website on a given DNS server and replaces them with the IP address of a server under their control. The attacker then creates files on the server under their control with names matching those on the target server. These files usually contain malicious content, such as computer worms or viruses. A user whose computer has referenced the poisoned DNS server gets tricked into accepting content coming from a non-authentic server and unknowingly downloads the malicious content. This technique can also be used for phishing attacks, where a fake version of a genuine website is created to gather personal details such as bank and credit/debit card details.
Variants
In the following variants, the entries for the server ns.target.example would be poisoned and redirected to the attacker's name server at IP address w.x.y.z. These attacks assume that the name server for target.example is ns.target.example.
To accomplish the attacks, the attacker must force the target DNS server to make a request for a domain controlled by one of the attacker's nameservers.
Redirect the target domain's name server
The first variant of DNS cache poisoning involves redirecting the name server of the attacker's domain to the name server of the target domain, then assigning that name server an IP address specified by the attacker.
DNS server's request: what are the address records for subdomain.attacker.example?
subdomain.attacker.example. IN A
Attacker's response:
Answer: (no response) Authority section: attacker.example. 3600 IN NS ns.target.example. Additional section: ns.target.example. IN A w.x.y.z
A vulnerable server would cache the additional A-record (IP address) for ns.target.example, allowing the attacker to resolve queries to the entire target.example domain.
Redirect the NS record to another target domain
The second variant of DNS cache poisoning involves redirecting the nameserver of another domain unrelated to the original request to an IP address specified by the attacker.
DNS server's request: what are the address records for subdomain.attacker.example?
subdomain.attacker.example. IN A
Attacker's response:
Answer: (no response) Authority section: target.example. 3600 IN NS ns.attacker.example. Additional section: ns.attacker.example. IN A w.x.y.z
A vulnerable server would cache the unrelated authority information for target.example's NS-record (nameserver entry), allowing the attacker to resolve queries to the entire target.example domain.
Prevention and mitigation
Many cache poisoning attacks against DNS servers can be prevented by being less trusting of the information passed to them by other DNS servers, and ignoring any DNS records passed back which are not directly relevant to the query. For example, versions of BIND 9.5.0-P1[3] and above perform these checks.[4] Source port randomization for DNS requests, combined with the use of cryptographically secure random numbers for selecting both the source port and the 16-bit cryptographic nonce, can greatly reduce the probability of successful DNS race attacks.
However, when routers, firewalls, proxies, and other gateway devices perform network address translation (NAT), or more specifically, port address translation (PAT), they may rewrite source ports in order to track connection state. When modifying source ports, PAT devices may remove source port randomness implemented by nameservers and stub resolvers.
Secure DNS (DNSSEC) uses cryptographic digital signatures signed with a trusted public key certificate to determine the authenticity of data. DNSSEC can counter cache poisoning attacks. In 2010 DNSSEC was implemented in the Internet root zone servers.,[5] but needs to be deployed on all top level domain servers as well. The DNSSEC readiness of these is shown in the list of Internet top-level domains. As of 2020, all of the original TLDs support DNSSEC, as do country code TLDs of most large countries, but many country code TLDs still do not.
This kind of attack can be mitigated at the transport layer or application layer by performing end-to-end validation once a connection is established. A common example of this is the use of Transport Layer Security and digital signatures. For example, by using HTTPS (the secure version of HTTP), users may check whether the server's digital certificate is valid and belongs to a website's expected owner. Similarly, the secure shell remote login program checks digital certificates at endpoints (if known) before proceeding with the session. For applications that download updates automatically, the application can embed a copy of the signing certificate locally and validate the signature stored in the software update against the embedded certificate.
References
- Son, Sooel; Shmatikov, Vitaly. "The Hitchhiker's Guide to DNS Cache Poisoning" (PDF). Cornell University. Archived (PDF) from the original on 14 August 2017. Retrieved 3 April 2017.
- Storms, Andrew (2006). "Don't Trust Your Vendor's Software Distribution Methodology". Information Systems Security. 14 (6): 38–43 – via ProQuest Central.
- "BIND Security Matrix". ISC Bind. Archived from the original on 11 November 2011. Retrieved 11 May 2011.
- "ISC Bind Security". ISC Bind. Archived from the original on 11 November 2011. Retrieved 11 May 2011.
- "Root DNSSEC". ICANN/Verisign. p. 1. Archived from the original on 10 September 2017. Retrieved 5 January 2012.