How DNS Cache Poisoning occurs
As most of us are aware, any computer with Internet access uses a DNS server offered by the Internet Service Provider (ISP). As a rule, the DNS server exclusively serves the ISP’s customers, but it inevitably holds information cached from earlier queries made by the server’s other users.
This inherent deficiency has undesirable effects: it may lead a nameserver’s clients to unknowingly contact unknown malicious hosts for certain services, and it opens up the possibility that web traffic, email and other important network data are diverted to systems under the attacker’s control.
Another common method of DNS cache poisoning is a recursive query sent by the attacker. The query can compel the target server to contact the authoritative source of the domain named in the query. Once connected, distorted information about one or more domains may be sent to the querying server and stored in that server’s cache. There are also several other methods attackers use to poison DNS caches.
Repercussions of Cache Poisoning
To perform a cache poisoning attack, the attacker takes advantage of a flaw in the DNS (Domain Name Server) software that makes it accept incorrect information and serve it to the users who make requests. Crackers generally employ a technique called pharming with the sinister intention of achieving identity theft, distributing malware and spreading misleading or false information. Once the user enters the site, the attacker tricks the user into leaving behind sensitive information to facilitate identity theft.
The second aim of an attacker is to take advantage of cache poisoning for the automatic distribution of malware. Another aspect of pharming is to aid attackers who want to spread self-serving information about an organization; for instance, stocks can be manipulated for deceitful gains. So it becomes amply clear that there can be serious consequences if security is neglected during the configuration and deployment of DNS servers.
Researchers believe that many cache poisoning attacks can be prevented if DNS servers are made less trusting of the information passed to them by other DNS servers, and entirely disregard any DNS records passed back that are not pertinent to the query. Further, recursive queries should be limited to internal DNS servers. If Internet-facing recursive queries are required, only queries from internal addresses should be accepted. This will help prevent outside systems from sending queries with malicious intent.
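As an added illustration of the two mitigations above (not code from the original article): a filter that discards records whose owner name lies outside the zone of the server that answered, so they never reach the cache, and a recursion allow-list keyed on the client’s source address. The response, zone name and address ranges are constructed sample values.

```python
import ipaddress

# Constructed sample: a reply to a query for www.example.com that carries one
# "additional" record for an unrelated domain, the kind of record a resolver
# should never cache just because it arrived in the same response.
SAMPLE_RESPONSE = {
    "question": "www.example.com.",
    "records": [
        ("www.example.com.", "A", "192.0.2.10"),
        ("example.com.", "NS", "ns1.example.com."),
        ("ns1.example.com.", "A", "192.0.2.53"),
        ("bank.example.net.", "A", "198.51.100.7"),  # not pertinent to the query
    ],
}


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_bailiwick(response, zone):
    """Split a response into records safe to cache (owner name under `zone`,
    the zone the answering server is authoritative for) and records to drop."""
    kept, dropped = [], []
    for record in response["records"]:
        owner = record[0]
        (kept if in_bailiwick(owner, zone) else dropped).append(record)
    return kept, dropped


# Constructed internal ranges: only these clients may ask for recursion.
RECURSION_ALLOWED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def allow_recursion(client_ip):
    """Accept a recursive query only from an address inside the internal ranges."""
    client = ipaddress.ip_address(client_ip)
    return any(client in network for network in RECURSION_ALLOWED)


if __name__ == "__main__":
    kept, dropped = filter_bailiwick(SAMPLE_RESPONSE, "example.com.")
    print("cache:", kept)
    print("drop: ", dropped)
    print("recursion for 10.1.2.3:", allow_recursion("10.1.2.3"))
    print("recursion for 203.0.113.5:", allow_recursion("203.0.113.5"))
```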