Helpful Ways to Protect Against DNS Cache Poisoning

11/27/2022


A DNS cache poisoning attack aims to divert legitimate traffic from a trusted server to a fraudulent one by finding and exploiting weaknesses in the domain name system (DNS).

The danger of DNS cache poisoning gained attention earlier this year in April, when the DNS servers of the cryptocurrency company MyEtherWallet were hijacked and used to send legitimate users to a phishing website. Several customers were tricked by the poisoned cache into handing over their wallet keys, after which their bitcoins were transferred into another digital wallet controlled by the hackers. Before the issue was discovered and resolved, the hackers had stolen almost $160,000 worth of Ethereum. This incident shows how harmful DNS cache poisoning can be, and what makes this type of attack especially risky is that a poisoned entry spreads easily from one DNS server to the next.

This post will discuss what DNS cache poisoning is, how it occurs, and some precautions you can take if it ever affects you.

DNS Poisoning: What Is It?

DNS poisoning is a technique in which attackers exploit known weaknesses in the domain name system (DNS). Once the poisoning is in place, the attacker can redirect traffic from a legitimate site to a fake version of it, and because of how DNS caching works, the poisoned entry can spread.

DNS poisoning is a tactic the Chinese government uses to prevent access to websites that host information the authorities view as offensive. Users in China could believe they are on the right website because the address begins with https://www.facebook.com. However, because of the spoofing, when people enter this address they are sent to a different server, which loads an entirely different page.

How Does DNS Work?

When building their websites, web developers are encouraged to choose short, approachable web addresses. Doing so may rank them higher in search results, and the address tells users what a page is about before they click on it. Computers, however, do not route on those human-readable names; they need numerical addresses. That is what DNS provides.

Whenever you enter a URL into your browser:

  • Your computer contacts a DNS server. To find out where the site lives, it must ask a DNS server.
  • The DNS looks up the address. Server addresses are numeric: computers understand only numbers and dots. If this website has never been looked up before, your resolver will contact other servers for help.
  • A DNS resolver answers the query. Your human-friendly address has been translated into a numerical one, and your browser is directed to it.
  • You connect to the correct server hosting the website using that numerical address.
  • The result is cached. The resolver your computer uses saves the translation from the human-readable address to its numerical equivalent, so later lookups are answered from this stored result.
  • The whole process takes only a few seconds, so you may not notice any delay. Behind the scenes, however, your computer is communicating with other machines to determine what should happen and where you should go next.

When DNS was created in 1983, there were far fewer servers and websites on the internet. No security features were included, because its designers never imagined that anyone would try to tamper with the system or deceive users.

DNS Cache Poisoning Methods Used by Attackers

ARP Spoofing: Local Network Infiltration

A target that is often overlooked is the local network. Many administrators might believe they have it under control, but the risk often lies in the details. One common issue is employees who work from home: is their Wi-Fi protected? A weak Wi-Fi password can be cracked in a matter of hours. Another is open Ethernet ports exposed in public lobbies and halls.

Imagine someone waiting in the lobby who plugs into the Ethernet cable intended for the lobby display.

Let’s see how one of those situations can give an attacker a foothold on the local network.

The attacker would first build a phishing page to harvest user passwords and other sensitive information. With a single line of Python, they can then host this page locally on the network or remotely on a server.

From that point on, the attacker might begin monitoring the network with a tool such as Bettercap, mapping and exploring the target network while traffic continues to pass through the router as normal.

The attacker would then rearrange the network internally via ARP spoofing. Devices on a network use ARP, the address resolution protocol, to map an IP address to a device’s MAC address. Bettercap broadcasts ARP messages telling every device on the network that the attacker’s PC is the router. As a result, the attacker can intercept any traffic headed for the router.

Once all traffic is flowing through their computer, the attacker can use Bettercap’s DNS spoofing module. This watches for every query for the specified domain and sends the victim a forged response.

Because the forged response contains the IP address of the attacker’s computer, any request for the target website is delivered to the attacker’s phishing page.

Now the attacker can read network traffic intended for other devices and reroute requests for any website. Anything the victim does on this page is visible to the attacker, who can gather login information or serve malicious downloads.
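As an added defensive illustration that is not from the original post, the following script compares two ARP cache snapshots and flags the two symptoms of the attack described above: the gateway’s MAC address changing, and one MAC address answering for several IPs. The `ip neigh`-style snapshots, the interface name and the addresses are constructed for this example.

```python
from collections import defaultdict

# Constructed `ip neigh`-style snapshots of a workstation's ARP cache, taken a few minutes apart
# (made up for this example; 10.0.0.1 is the gateway, 10.0.0.42 another host on the LAN).
BEFORE = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
10.0.0.42 dev eth0 lladdr 00:11:22:33:44:42 REACHABLE
"""
AFTER = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:42 REACHABLE
10.0.0.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
10.0.0.42 dev eth0 lladdr 00:11:22:33:44:42 REACHABLE
"""
GATEWAY = "10.0.0.1"

def parse_neigh(text):
    # Map IP -> MAC from `ip neigh` lines; entries without an lladdr (FAILED/INCOMPLETE) are skipped.
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def arp_anomalies(before, after, gateway):
    # Flag the two symptoms of an ARP spoofing tool announcing itself as the router.
    old, new = parse_neigh(before), parse_neigh(after)
    alerts = []
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        alerts.append(f"gateway {gateway} changed MAC {old[gateway]} -> {new[gateway]}")
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} now answers for several IPs: {sorted(ips)}")
    return alerts

if __name__ == "__main__":
    for alert in arp_anomalies(BEFORE, AFTER, GATEWAY):
        print(alert)
```

Duplicate MACs are not always malicious (virtual IPs, VRRP and some NAT setups produce them), so treat the second alert as a prompt to investigate rather than proof of an attack.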

If the attacker cannot get onto the local network, they will use one of the following attacks instead.

Birthday Attack Response Forgery

Because DNS does not authenticate answers to recursive queries, the first response to arrive is the one kept in the cache. Attackers try to anticipate the request and supply a counterfeit answer using the “birthday paradox”. A birthday attack uses probability theory to make its guess: here the attacker is trying to guess the transaction ID of your DNS request so that the forged DNS entry arrives before the legitimate response.

However unlikely any single guess may be, an attacker will eventually smuggle a fake answer into the cache. Once the attack succeeds, traffic destined for the bogus DNS entry will be visible to the attacker until the record’s time-to-live (TTL) expires.

Kaminsky’s Exploit

Kaminsky’s exploit, presented at Black Hat 2008, is a modified version of the birthday attack.

The attacker first sends the target resolver a DNS query for a nonexistent name such as “fake.varonis.com”, asking for the IP address of this fictitious subdomain. The resolver relays the query to the authoritative name server. The attacker then bombards the resolver with a massive number of forged responses, hoping that one of them matches the transaction ID of the original query.

If they succeed, the attacker has poisoned the resolver’s DNS cache with a forged IP address for varonis.com. Until the TTL expires, the resolver will keep telling anyone who asks that the IP address for varonis.com is the forged one.
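To make the arithmetic behind the birthday and Kaminsky attacks concrete, here is an added example (mine, not part of the original article) that computes how likely a forged reply is to match the outstanding query, with and without a randomized UDP source port; the extra 16 bits for the port is an approximation I assume here, and the formulas treat each forgery as an independent guess.

```python
import math

TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16   # assumed: a randomised UDP source port adds roughly 16 more bits to guess

def id_space(random_port):
    # Number of (TXID[, port]) combinations a forged reply must match to be accepted.
    return TXID_SPACE * (PORT_SPACE if random_port else 1)

def p_spray(space, forgeries):
    # One outstanding query (Kaminsky style): each forgery hits independently with probability 1/space.
    return 1 - (1 - 1 / space) ** forgeries

def p_birthday(space, n):
    # Birthday variant: n queries outstanding and n forgeries; each forgery may hit any of the n IDs.
    # Assumes the n outstanding IDs are distinct (an approximation).
    return 1 - (1 - n / space) ** n

def forgeries_for(space, target):
    # Forged replies needed to reach success probability `target` against one outstanding query.
    return math.ceil(math.log(1 - target) / math.log(1 - 1 / space))

if __name__ == "__main__":
    for random_port in (False, True):
        s = id_space(random_port)
        print(f"random source port={random_port}: space={s}")
        print(f"  65536 forgeries against one query -> P={p_spray(s, 65536):.6f}")
        print(f"  300 queries x 300 forgeries (birthday) -> P={p_birthday(s, 300):.6f}")
        print(f"  forgeries for a 50% chance -> {forgeries_for(s, 0.5)}")
```

The jump from about 45 thousand to about 3 billion forgeries for a coin-flip chance is why resolvers that randomize their source port (in addition to the TXID) are the baseline defence against these two attacks.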

The Best Way To Spot DNS Cache Poisoning

How do you recognize a DNS cache poisoning attack? Watch your DNS servers for signs of a possible attack. The volume of DNS requests you need to track is far too large for humans to handle, so apply data security analytics to your DNS monitoring to separate attacks from normal DNS activity.

  • A rapid rise in DNS activity from a single source for a particular domain indicates a possible birthday attack.
  • A spike in DNS activity from a single source that queries your DNS server for several domain names without recursion indicates an attempt to discover an entry to use for poisoning.
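The two indicators above can be turned into simple detection logic. The following added example (not from the original article) runs both rules over a constructed query log; the log line format, the thresholds and the addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed resolver query log (hypothetical line format, not a real product's output):
# "<timestamp> src=<client ip> qname=<name> rd=<1 if recursion desired, else 0>"
SAMPLE_LOG = "\n".join(
    ["2022-11-27T10:00:00Z src=10.0.0.5 qname=www.example.com rd=1",
     "2022-11-27T10:00:01Z src=10.0.0.9 qname=mail.example.com rd=1"]
    # 120 queries in one minute for random subdomains of one zone: a Kaminsky-style flood
    + [f"2022-11-27T10:00:{i % 60:02d}Z src=192.0.2.77 qname=r{i}.varonis.com rd=1" for i in range(120)]
    # 40 non-recursive queries for different names from one source: cache probing
    + [f"2022-11-27T10:01:{i % 60:02d}Z src=198.51.100.8 qname=host{i}.example.org rd=0" for i in range(40)]
)

def zone_of(qname):
    # Collapse a query name to its registered domain (last two labels). Simplification: a real
    # deployment would use the Public Suffix List so that names under e.g. "co.uk" are handled.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def parse_line(line):
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return ts, kv["src"], kv["qname"], kv["rd"] == "1"

def detect(log_text, flood_threshold=100, probe_threshold=25):
    per_minute = defaultdict(int)       # (src, zone, minute) -> number of queries
    nonrecursive = defaultdict(set)     # src -> distinct names queried with RD=0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, rd = parse_line(line)
        per_minute[(src, zone_of(qname), ts[:16])] += 1   # ts[:16] is the minute bucket
        if not rd:
            nonrecursive[src].add(qname.lower())
    alerts = []
    for (src, zone, minute), count in sorted(per_minute.items()):
        if count >= flood_threshold:
            alerts.append(("possible birthday/Kaminsky flood", src, zone, count))
    for src, names in sorted(nonrecursive.items()):
        if len(names) >= probe_threshold:
            alerts.append(("non-recursive cache probing", src, None, len(names)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```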

In addition to DNS monitoring, watch for unusual activity in file system and Active Directory events. Use analytics to correlate activity across all three vectors and give your security approach useful context.

How to Prevent DNS Cache Poisoning

There is only so much end users can do to stop DNS spoofing. Website owners and server providers have somewhat more power to defend themselves and their users. Both sides must make an effort to avoid spoofing to keep everyone safe.

For website owners and DNS service providers, here is how to prevent it:

  • DNS spoofing detection tools
  • Domain name system security extensions (DNSSEC)
  • End-to-end encryption

Here is how endpoint users can avoid it:

  • Never click on an unfamiliar link.
  • Check your computer frequently for malware.
  • Clear your DNS cache to remove poisoned entries.
  • Use a virtual private network (VPN).

Prevention Advice for DNS Server Providers and Website Owners

As a website owner or DNS server provider, protecting users is largely in your hands. A variety of security measures and procedures are available to keep threats out, and you would be wise to employ some of the following:

  • DNS spoofing detection tools: the counterpart of endpoint security products, these actively check incoming DNS data before delivering it.
  • Domain name system security extensions (DNSSEC): acting as a “verified authentic” label for DNS data, DNSSEC is designed to prevent spoofed DNS lookups.
  • End-to-end encryption: encrypting the data exchanged in DNS requests and answers keeps attackers out, because they cannot reproduce the genuine site’s security certificate.
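To show what a resolver-side defence against forged answers looks like in code, here is an added example (not code from the article or from any DNS product) that parses raw DNS messages and applies the checks a hardened resolver performs before caching a reply: source address and port, transaction ID, question section, and bailiwick. `build` and `accept` are helpers written for this example, and the pending-query record `accept` takes is an assumed structure.

```python
import struct

def encode_name(name):
    # Wire-encode "a.b.c" as length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    # Decode the name at `off`, following compression pointers; returns (name, offset after it).
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0:                                   # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode()); off += n

def parse(msg):
    # Header, question, and the owner name of every answer/authority/additional record.
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    names = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]   # type(2) class(2) ttl(4) rdlen(2)
        names.append(name); off += 10 + rdlen
    return dict(id=txid, response=bool(flags & 0x8000), question=(qname, qtype, qclass), rr_names=names)

def build(txid, question, records, response=True):
    # Minimal message builder for the example: one question plus A records (type 1, IN, TTL 300).
    msg = struct.pack("!6H", txid, 0x8180 if response else 0x0100, 1, len(records), 0, 0)
    msg += encode_name(question[0]) + struct.pack("!HH", question[1], question[2])
    for name, rdata in records:
        owner = b"\xc0\x0c" if name == question[0] else encode_name(name)   # compress like real servers
        msg += owner + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return msg

def accept(pending, resp, src_ip, src_port):
    # Checks a hardened resolver applies before caching (after RFC 5452); `pending` is our record of
    # the query we sent: its id, the random source port used, the server asked, the zone and question.
    if (src_ip, src_port) != (pending["server"], pending["port"]): return "wrong source address or port"
    r = parse(resp)
    if r["id"] != pending["id"]: return "transaction id mismatch"
    if not r["response"] or r["question"] != pending["question"]: return "not a response to our question"
    zone = pending["zone"]   # records outside it (root-owned OPT pseudo-records aside) must not be cached
    bad = [n for n in r["rr_names"] if n and n != zone and not n.endswith("." + zone)]
    return f"out-of-bailiwick record(s): {bad}" if bad else "ok"
```

The bailiwick rule stops the older trick of smuggling records for other domains into a reply, while the port and ID checks are what make the Kaminsky flood impractical.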

Prevention Advice for Endpoint Users

Users are particularly vulnerable in these circumstances, so take this straightforward advice to avoid falling victim to a DNS poisoning attack:

  1. Never click on a link you do not recognize. This includes links in email, text messages, and social media. Avoid URL shortening tools wherever possible, because they further hide where a link leads. To be extra safe, type the URL into your address bar manually, but only after you have confirmed that it is authentic and authorized.
  2. Check your computer frequently for malware. DNS cache poisoning itself may not be detectable, but your security software will help you find and remove any follow-on threats. Because spoofed sites can deliver all kinds of dangerous programs, you should always be scanning for viruses, spyware, and other hidden concerns. The reverse is also possible: malware may itself deliver spoofs. Use a locally installed scanner rather than a web-hosted one, because poisoning could interfere with web-based results.
  3. If necessary, clear your DNS cache to remove the poisoning. Poisoned entries persist on your system for a long time unless the bad data is removed. On Windows, open the “Run” dialog and enter the command “ipconfig /flushdns”. Mac, iOS, and Android offer flush options too; these are usually reached through a “network settings reset” option, turning on airplane mode, restarting the device, or entering a specific URL in the native web browser. Look up the instructions for your particular device.
  4. Use a virtual private network (VPN). These services give you an encrypted tunnel for all your web traffic, through private DNS servers that only accept end-to-end queries. As a result, you get servers that are much more resistant to DNS spoofing and requests that cannot be intercepted.


Conclusion

In conclusion, DNS cache poisoning is an attack in which an attacker exploits a DNS server to deliver a forged DNS response that DNS servers will cache.

Users who access the compromised domain are then sent to the attacker’s IP address, typically a malicious phishing site where victims can be tricked into downloading malware or providing login or payment details.

By following the suggestions above, you can protect your business from DNS cache poisoning attacks.