DNS Cache Poisoning
DNS cache poisoning involves the manipulation of the DNS resolver cache through the injection of corrupted DNS data. This is done to force the DNS server to send the wrong IP address to the victim and redirect the victim to the attacker’s system.
For example:
- Step 1. The attacker corrupts the data of the DNS server cache to impersonate the website. Before the attacker executes the DNS poisoning attack, the DNS server successfully resolves the IP address of the website to the correct address.
- Step 2. After the attacker executes the DNS poisoning attack, the DNS server resolves the website to the IP address of the attacker’s system.
- Step 3. The victim sends a request to the DNS server to obtain the IP address of the website's domain.
- Step 4. The DNS server replies with the IP address of the attacker’s system.
- Step 5. The victim sends an HTTP GET to the attacker’s system, and the attacker impersonates the domain.
TIP You can configure DNS servers to rely as little as possible on trust relationships with other DNS servers in order to mitigate DNS cache poisoning attacks. DNS servers running BIND 9.5.0 and higher provide features that help prevent DNS cache poisoning attacks, including randomization of source ports and cryptographically secure DNS transaction identifiers. To protect against DNS cache poisoning, you can also limit recursive DNS queries, store only data related to the requested domain, and restrict query responses to provide information only about the requested domain. In addition, Domain Name System Security Extensions (DNSSEC), a technology developed by the Internet Engineering Task Force (IETF), authenticates DNS data cryptographically and thereby protects against DNS cache poisoning.
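The following is an added example, not code from the original text or from BIND, showing how the resolver-side checks named in the tip work together: a response is only accepted if its transaction ID and destination port match an outstanding query (randomizing both raises a blind guess from roughly 2^16 to roughly 2^32 possibilities), if its question section matches, and only records inside the zone that was asked (the "bailiwick") are cached, so unrelated names riding along in the additional section are dropped. The class and function names, the `zone` field on the query, and the sample records with RFC 5737 documentation addresses are all constructed for this illustration.

```python
"""Toy recursive-resolver cache with anti-poisoning acceptance checks (illustrative, not BIND code)."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int = 300


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction identifier, randomly chosen per query
    src_port: int    # randomized UDP source port; a reply must come back to this port
    qname: str
    qtype: str
    zone: str        # zone served by the server we asked; bounds what we will cache


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    answers: tuple
    additional: tuple = ()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.cache = {}     # (name, rtype) -> Record
        self.pending = {}   # (txid, src_port) -> Query

    def send_query(self, qname: str, zone: str, qtype: str = "A") -> Query:
        # Both identifiers come from a CSPRNG; a fixed port or a counter txid is the weak setting.
        txid = secrets.randbelow(1 << 16)
        src_port = 1024 + secrets.randbelow(65536 - 1024)
        q = Query(txid, src_port, qname, qtype, zone)
        self.pending[(txid, src_port)] = q
        return q

    def accept(self, resp: Response) -> str:
        """Apply the acceptance checks; return a status string describing what happened."""
        q = self.pending.get((resp.txid, resp.dst_port))
        if q is None:
            return "rejected: no outstanding query with this txid/port"
        if (resp.qname.lower(), resp.qtype) != (q.qname.lower(), q.qtype):
            return "rejected: question section does not match"
        # First matching reply wins; later duplicates (including late spoofs) are rejected above.
        del self.pending[(resp.txid, resp.dst_port)]
        dropped = []
        for rr in resp.answers + resp.additional:
            if in_bailiwick(rr.name, q.zone):
                self.cache[(rr.name.lower().rstrip("."), rr.rtype)] = rr
            else:
                dropped.append(rr.name)   # store only data related to the requested domain
        return "accepted" + (f", dropped out-of-bailiwick: {dropped}" if dropped else "")

    def lookup(self, name: str, rtype: str = "A"):
        rr = self.cache.get((name.lower().rstrip("."), rtype))
        return rr.value if rr else None


def demo() -> dict:
    r = Resolver()
    q = r.send_query("www.example.com", zone="example.com")
    # Constructed: a forged reply that guessed the txid but was sent to the pre-randomization port 53.
    spoof = Response(q.txid, 53, "www.example.com", "A",
                     answers=(Record("www.example.com", "A", "203.0.113.5"),))
    spoof_result = r.accept(spoof)
    # Constructed: the real reply, which also carries a record for an unrelated zone.
    real = Response(q.txid, q.src_port, "www.example.com", "A",
                    answers=(Record("www.example.com", "A", "192.0.2.10"),),
                    additional=(Record("login.example.net", "A", "203.0.113.5"),))
    real_result = r.accept(real)
    replay_result = r.accept(real)   # the query is no longer outstanding
    return {
        "spoof": spoof_result,
        "real": real_result,
        "replay": replay_result,
        "www": r.lookup("www.example.com"),
        "net": r.lookup("login.example.net"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the forged reply is refused because no query is outstanding on port 53, the genuine answer for `www.example.com` is cached while the `login.example.net` record is discarded, and a second copy of the same reply is refused because the query has been satisfied.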