Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

What is DNS Cache Poisoning? (Aka DNS Spoofing)

Data Security, Threat Detection

DNS cache poisoning visual of a blue screen and fingers crossed

DNS cache poisoning is a cyber attack that tricks your computer into thinking it’s going to the correct address, but it’s not. Attackers use DNS cache poisoning to hijack internet traffic and steal user credentials or personal data. 

Also known as DNS spoofing, DNS cache poisoning attacks attempt to trick users into entering their private data into unsafe websites.

Varonis can detect DNS cache poisoning attacks by monitoring DNS and detecting abnormal behavior in your user’s activity.

What is DNS Caching?

DNS cache poisoning or spoofing definition

Before we talk about the attack, we need a refresher on DNS and DNS caching. DNS is the worldwide catalog for IP addresses and domain names. DNS caching is the system that stores these addresses in DNS servers all around the world. 

To keep your DNS requests quick, the original developers created a distributed DNS system. Each server stores a list of DNS records it knows – this is called a cache. If your closest DNS server doesn’t know the IP address you need, it asks other DNS servers until it finds the IP address for the website you are trying to hit. Your DNS server then saves that new entry to your cache. 

Examples and Effects of DNS Cache Poisoning

DNS wasn’t designed to manage the modern internet at all. It’s gotten better over the years, but one misconfigured DNS server that pulled DNS entries from a server in China – and all of a sudden, no one can get to Facebook.  This incident demonstrates how dependent on DNS we are. One person misconfigures a server, and suddenly hundreds of millions of people feel the effects. 

WikiLeaks was also targeted by attackers who used a DNS cache poisoning attack to hijack traffic to their own WikiLeaks-like version. This was an intentional attack designed to keep traffic away from WikiLeaks with some success.

DNS cache poisoning attacks are sneaky and difficult to catch for average people. DNS is currently a trust first system, which is why it’s easy to take advantage of. Humans trust DNS to a fault, and never really check if the address in their browser is the address they expected. Attackers take advantage of this complacency and inattentiveness to steal credentials or more.

How Does a DNS Cache Poisoning Attack Work?

DNS cache poisoning visual of how it works

DNS cache poisoning is when your closest DNS server has an entry that sends you to the wrong address – usually one an attacker controls. Here are a few different techniques that attackers use to poison DNS cache. 

Response Forgery Using the Birthday Attack

DNS does not authenticate responses to recursive queries, so the first response is stored in the cache. Attackers use the “birthday paradox” to try to anticipate and send a forged response to the requestor. This birthday attack uses math and probability theory to make a guess. In this case, the attacker is trying to guess the transaction ID of your DNS request, so the faked response with the forged DNS entry gets to you before the real response. 

A birthday attack isn’t a guaranteed success, but eventually, an attacker will sneak a forged response into a cache. Once the attack does succeed, the attacker will see traffic from the faked DNS entry until the time-to-live (TTL) expires.

Kaminsky’s Exploit

Kaminsky’s exploit is a variation of the birthday attack presented at BlackHat 2008. 

First, the attacker sends a target resolver a DNS query for a non-existent domain, like “fake.varonis.com.” The resolver then forwards the query to the authoritative name server to get the IP address for the false sub-domain. At this point, the attacker floods the resolver with a huge number of forged responses, hoping that one of those forgeries matches the transaction ID of the original query. 

If they are successful, the attacker has poisoned the DNS cache of the targeted resolver with a forged IP address for – in this example – varonis.com. The resolver will continue to tell anyone who asks it that the IP address for varonis.com is the forged query until the TTL. 

Eavesdropping

And of course, an attacker with sufficient access to the network can watch the local DNS traffic and poison the cache with any number of techniques. However, if attackers are already in your network, you have other issues.

How To Detect DNS Cache Poisoning

DNS cache poisoning visual of how to detect it

So how do you detect a DNS cache poisoning attack? Monitor your DNS servers for indicators of possible attacks. Humans don’t have the computing power to keep up with the amount of DNS requests you will need to monitor. Apply data security analytics to your DNS monitoring to discern normal DNS behavior from attacks.

  • A sudden increase in DNS activity from a single source about a single domain indicates a potential Birthday attack. 
  • An increase in DNS activity from a single source that is querying your DNS server for multiple domain names without recursion indicates an attempt to find an entry to use for poisoning.  

In addition to monitoring DNS, monitor Active Directory events and File system behavior for abnormal activity. And even better, use analytics to correlate activity among all three vectors to add valuable context to your cybersecurity strategy. 

How To Protect Against DNS Cache Poisoning

DNS cache poisoning tips for prevention

Beyond monitoring and analytics, you can make configuration changes on your DNS server.

  • Limit recursive queries to protect against potential targeted poisoning attacks
  • Store only data related to the requested domain
  • Restrict responses to provide responses only about the requested domain
  • Force clients to use HTTPS

Do make sure you are using the latest versions of BIND and DNS software, so you have the latest security fixes.

And lastly, DNSSEC is a new DNS protocol that encrypts DNS requests to prevent forgery. This protocol has not been widely adopted yet, because it does slow down the DNS process. DNS over HTTPS (DoH) is a competing specification for the next version of DNS to keep DNS requests secure without sacrificing speed like DNSSEC. It will be interesting to see which one becomes the new standard.

DNS Cache Poisoning FAQ

See some common questions about DNS spoofing below.

Q: Are DNS Caching and DNS Spoofing the Same Thing?

A: Yes, DNS spoofing and caching are the same.

Q: How Does DNS Cache Poisoning Work?

A: DNS cache poisoning works by tricking your DNS server into saving a forged DNS entry. Traffic to the forged DNS entry goes to a server of the attackers choosing to steal data.

Q: Which Security Features Can Be Used to Protect Against DNS Cache Poisoning?

A: Monitoring, analytics, DNSSEC, Next-gen firewalls, CASB.

Q: How Can You Check For a DNS Cache Poisoning Attack?

A: Once DNS cache gets poisoned, it can be difficult to detect. It might be a better tactic to monitor your data and protect your systems from malware to protect from compromise caused by a poisoned DNS cache. 

Check out the Live Cyber Attack Lab to see how we use DNS monitoring to detect real cybersecurity threats.

Jeff Petters

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.