How Hackers Spoof DNS Requests With DNS Cache Poisoning

Domain Name Server (DNS) Spoofing is a cyber attack that tricks your computer into thinking it’s going to the correct website, but it’s not. Attackers use DNS cache poisoning to hijack internet traffic and steal user credentials or personal data.

DNS cache poisoning and DNS spoofing are synonymous and often used interchangeably. But, to be precise, you can think of them as the How and What of the same cyber attack. The hacker wants to trick users into entering their private data into unsafe websites. How will they do this? By poisoning the DNS cache. What they are doing is spoofing, or replacing, the DNS data for a particular website so that it redirects to the hacker’s server and not the legitimate web server. From there the hacker is primed to perform a phishing attack, steal data, or even inject malware into the victim’s system.

Varonis can detect DNS cache poisoning attacks by monitoring DNS and detecting abnormal behavior in your users’ activity.

What is DNS Spoofing and Cache Poisoning?

Before we talk about the attack, we need a refresher on what DNS and DNS caching are. DNS is the worldwide catalog for IP addresses and domain names. Think of it like the phonebook for the internet. It translates end-user friendly URLs like Varonis.com to IP addresses like 192.168.1.169, which computers use for networking.

DNS caching is the system that stores these addresses in DNS servers all around the world. To keep your DNS requests quick, the original developers created a distributed DNS system. Each server stores a list of DNS records it knows – this is called a cache. If your closest DNS server doesn’t know the IP address you need, it asks other upstream DNS servers until it finds the IP address for the website you are trying to hit. Your DNS server then saves that new entry to your cache for faster response times.

Examples and Effects of DNS Cache Poisoning

DNS wasn’t designed to manage the modern internet at all. It’s gotten better over the years, but one misconfigured DNS server pulled DNS entries from a server in China, and all of a sudden, no one could get to Facebook. This incident demonstrates how dependent on DNS we are. One person misconfigures a server, and suddenly hundreds of millions of people feel the effects.

WikiLeaks was also targeted by attackers who used a DNS cache poisoning attack to hijack traffic to their own WikiLeaks-like version. This was an intentional attack designed to keep traffic away from WikiLeaks with some success.

DNS cache poisoning attacks are sneaky and difficult for average people to catch. DNS is currently a trust-first system, which is why it’s easy to take advantage of. Humans trust DNS to a fault, and never really check if the address in their browser is the address they expected. Attackers take advantage of this complacency and inattentiveness to steal credentials or more.

How Does a DNS Cache Poisoning Attack Work?

DNS cache poisoning is when your closest DNS server has an entry that sends you to the wrong address – usually one an attacker controls. Here are a few different techniques that attackers use to poison DNS cache.

Hijacking the Local Network With ARP Spoofing

The local network can be a surprisingly vulnerable target. Many administrators would think they have this locked down but the devil can be in the details. One common problem is work-from-home employees. Is their Wi-Fi secured? Hackers can crack a weak Wi-Fi password in just a few hours. Another one is open ethernet ports being exposed in hallways and public lobbies. Just imagine someone waiting in the lobby plugging into the ethernet cable intended for the lobby display.

Let’s take a look at how a hacker could potentially use access to the local network in one of those situations.

First, the hacker would create a phishing page which they can use to gather user credentials and other valuable data. They could then host this site locally on the network or remotely on a server with a single line of Python code.

From there the hacker could then start monitoring the network with tools like Bettercap. At this stage, they are mapping and exploring the target network, but traffic is still flowing through the router.

Next, the hacker would use ARP spoofing to restructure the network internally. ARP, or address resolution protocol, is used by devices on a network to associate the MAC address of a device with an IP address on the network. Bettercap will send out ARP messages telling all devices on the network that the hacker’s computer is the router. This allows the hacker to intercept all network traffic bound for the router.

Once all traffic is re-routed through the hacker’s computer, the hacker can run Bettercap’s DNS spoofing module. This will look for any requests to a targeted domain, and send a fake reply back to the victim. The fake reply contains the IP address of the hacker’s computer, redirecting any request to the target website to the phishing page hosted by the hacker.

Now, the hacker can see traffic destined for other devices on the network and redirect requests for any website. The hacker can see anything the victim does on this page including collecting login credentials or serving up malicious downloads.

If a hacker can’t gain access to a local network connection they will resort to one of the following attacks.

Response Forgery Using the Birthday Attack

DNS does not authenticate responses to recursive queries, so the first response is stored in the cache. Attackers use the “birthday paradox” to try to anticipate and send a forged response to the requestor. This birthday attack uses math and probability theory to make a guess. In this case, the attacker is trying to guess the transaction ID of your DNS request, so the faked response with the forged DNS entry gets to you before the real response.

A birthday attack isn’t a guaranteed success, but eventually, an attacker will sneak a forged response into a cache. Once the attack does succeed, the attacker will see traffic from the faked DNS entry until the time-to-live (TTL) expires.
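The arithmetic behind the birthday attack, as an added example (not code from the original article). It assumes the resolver has several identical queries in flight, each with a distinct random 16-bit transaction ID, and the `space` parameter is an added generalization that shows what happens when more unpredictable bits, such as a random source port, must be guessed as well.

```python
import math
import random

TXID_SPACE = 2 ** 16  # the DNS header's transaction ID is a 16-bit field

def forgery_success(outstanding, forged, space=TXID_SPACE):
    """P(at least one of `forged` random guesses matches an in-flight query).

    Model (an assumption): the resolver has `outstanding` queries for the same
    name in flight, each with a distinct random ID, and accepts the first
    response whose ID equals any of them.
    """
    hit = min(outstanding, space) / space
    return 1.0 - (1.0 - hit) ** forged

def forged_needed(outstanding, target=0.5, space=TXID_SPACE):
    """Smallest number of forged responses that reaches `target` odds."""
    hit = min(outstanding, space) / space
    if hit >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - hit))

def simulate(outstanding, forged, trials=2000, seed=1):
    """Monte Carlo check of forgery_success() against the 16-bit ID space."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        in_flight = set(rng.sample(range(TXID_SPACE), outstanding))
        wins += any(rng.randrange(TXID_SPACE) in in_flight for _ in range(forged))
    return wins / trials

if __name__ == "__main__":
    for n in (1, 50, 300):
        print(f"{n:>3} in flight, {n:>3} forged: "
              f"closed form {forgery_success(n, n):.4f}, "
              f"simulated {simulate(n, n):.4f}")
    print("forged responses for 50% odds, 1 in flight:  ", forged_needed(1))
    print("forged responses for 50% odds, 300 in flight:", forged_needed(300))
    # Idealised defence: a random 16-bit source port must be guessed as well.
    print("300 vs 300 with ID + port:", forgery_success(300, 300, space=2 ** 32))
```

The defender's takeaway is the last line: the same effort that gives roughly three-in-four odds against a 16-bit identifier is negligible once the resolver adds more randomness per query.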

Kaminsky’s Exploit

Kaminsky’s exploit is a variation of the birthday attack presented at BlackHat 2008.

First, the attacker sends a target resolver a DNS query for a non-existent domain, like “fake.varonis.com.” The resolver then forwards the query to the authoritative name server to get the IP address for the false sub-domain. At this point, the attacker floods the resolver with a huge number of forged responses, hoping that one of those forgeries matches the transaction ID of the original query.

If they are successful, the attacker has poisoned the DNS cache of the targeted resolver with a forged IP address for – in this example – varonis.com. The resolver will continue to tell anyone who asks it that the IP address for varonis.com is the forged address until the TTL expires.

How To Detect DNS Cache Poisoning

So how do you detect a DNS cache poisoning attack? Monitor your DNS servers for indicators of possible attacks. Humans don’t have the computing power to keep up with the number of DNS requests you will need to monitor. Apply data security analytics to your DNS monitoring to discern normal DNS behavior from attacks.

  • A sudden increase in DNS activity from a single source about a single domain indicates a potential Birthday attack.
  • An increase in DNS activity from a single source that is querying your DNS server for multiple domain names without recursion indicates an attempt to find an entry to use for poisoning.
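Both indicators as detection logic over a query log, added here as an example (not Varonis's code). The log format, the thresholds and the sample traffic are all constructed for illustration; "without recursion" is modelled as a query with the RD flag cleared.

```python
from collections import defaultdict

WINDOW = 10       # seconds per counting bucket (assumed tuning value)
BURST_LIMIT = 50  # queries per source, per domain, per bucket (assumed)
SNOOP_LIMIT = 5   # distinct names asked with RD=0 per source, per bucket (assumed)

def parse(line):
    """Parse '<epoch> <source> <qname> rd=<0|1>', a made-up log format."""
    ts, src, qname, rd = line.split()
    return int(ts), src, qname.lower().rstrip("."), rd == "rd=1"

def base_domain(qname):
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(qname.split(".")[-2:])

def detect(lines):
    bursts = defaultdict(int)  # (bucket, source, domain) -> query count
    snoops = defaultdict(set)  # (bucket, source) -> names asked without recursion
    for line in lines:
        ts, src, qname, recursive = parse(line)
        bucket = ts // WINDOW  # fixed buckets: a burst straddling two can be missed
        bursts[(bucket, src, base_domain(qname))] += 1
        if not recursive:
            snoops[(bucket, src)].add(qname)
    alerts = {("burst", src, dom)
              for (_, src, dom), n in bursts.items() if n > BURST_LIMIT}
    alerts |= {("snoop", src, "*")
               for (_, src), names in snoops.items() if len(names) > SNOOP_LIMIT}
    return sorted(alerts)

# Constructed sample traffic (documentation addresses, invented names).
SAMPLE = (
    # one source sending many queries for names under a single domain
    [f"{1000 + i % 5} 203.0.113.7 x{i}.example.com rd=1" for i in range(200)]
    # one source asking for several names with recursion turned off
    + [f"1002 198.51.100.9 site{i}.example.net rd=0" for i in range(8)]
    # ordinary client
    + ["1001 192.0.2.10 www.example.org rd=1"] * 3
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Grouping by base domain matters for the first indicator: queries for many different subdomains of one domain still count against that single domain.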

In addition to monitoring DNS, monitor Active Directory events and file system behavior for abnormal activity. And even better, use analytics to correlate activity among all three vectors to add valuable context to your cybersecurity strategy.

How To Protect Against DNS Cache Poisoning

Beyond monitoring and analytics, you can make configuration changes on your DNS server.

  • Limit recursive queries to protect against potential targeted poisoning attacks.
  • Store only data related to the requested domain.
  • Restrict responses to only being about the requested domain.
  • Force clients to use HTTPS.

Do make sure you are using the latest versions of BIND and DNS software, so you have the latest security fixes.

If feasible, such as with remote employees, have all remote clients connect via a VPN to protect traffic and DNS requests from local snooping. Additionally, make sure to encourage a strong home Wi-Fi password to further reduce risk.

And lastly, use encrypted DNS requests. Domain Name System Security (DNSSEC) is a DNS protocol that uses signed DNS requests to prevent forgery. When using DNSSEC, the DNS resolver needs to verify the signature with the authoritative DNS server, which slows down the entire process. This has led to DNSSEC not being widely adopted yet.

DNS over HTTPS (DoH) and DNS over TLS (DoT) are competing specifications for the next version of DNS to keep DNS requests secure without sacrificing speed like DNSSEC. However, these are not perfect solutions as they can slow or outright prevent DNS monitoring and analysis being done locally. It’s also important to note that DoH and DoT can bypass any parental controls or other DNS-level blocking being performed on the network. That being said, Cloudflare, Quad9, and Google all have public DNS servers that can support DoT. Many newer clients are capable of supporting these newer standards, but support is disabled by default. You can find out more detailed information on Varonis’s DNS security blog.

DNS spoofing replaces a legitimate website IP address with the IP of a hacker’s computer. It can be particularly tricky because of how hard it is to spot: from the end-user’s perspective, they have put a completely normal-looking address in the URL bar of their browser. However, it is not impossible to stop. Risk can be mitigated by monitoring software like Varonis and employing the DNS over TLS encryption standard.

DNS Spoofing FAQs

Pore over some common questions about DNS spoofing answered below.

Q: Are DNS Cache Poisoning and DNS Spoofing the Same Thing?

A: Yes, DNS spoofing and DNS cache poisoning refer to the same cyber attack.

Q: How Does DNS Cache Poisoning Work?

A: DNS cache poisoning works by tricking your DNS server into saving a forged DNS entry. Traffic to the forged DNS entry goes to a server of the attacker’s choosing to steal data.

Q: Which Security Features Can Be Used to Protect Against DNS Cache Poisoning?

A: Website owners can implement DNS spoofing monitoring and analytics. This includes upgrading their DNS servers to use DNSSEC or another encryption system such as DNS over HTTPS or DNS over TLS. Use of full end-to-end encryption such as HTTPS wherever possible can also prevent spoofing. Cloud Access Security Brokers (CASB) are extremely useful for this.

End-users can reset a potentially spoofed DNS cache by flushing their browser’s DNS cache periodically or after joining an insecure or shared network. Using a VPN can protect against DNS spoofing on a local network. Avoiding suspicious links will help prevent end-users from exposing their browser’s cache to risk.

Q: How Can You Check For a DNS Cache Poisoning Attack?

A: Once DNS cache gets poisoned, it can be difficult to detect. It might be a better tactic to monitor your data and protect your systems from malware to protect from compromise caused by a poisoned DNS cache.

Check out the Live Cyber Attack Lab to see how we use DNS monitoring to detect real cybersecurity threats.

Q: How Does DNS Communication Work?

A: When the end-user types a URL such as “Varonis.com” into their browser the following steps will occur:

  1. The browser will first check its local cache to see if it’s already stored the DNS data.
  2. If the browser does not have the data, it will ask the next upstream DNS server, which will normally be the router on the local network.
  3. If the router doesn’t have the needed DNS entry in its cache, it will use an upstream DNS provider such as Google, Cloudflare, or Quad9.
  4. That upstream server will then receive the DNS request and check its cache.
    • 4.1 Assuming it does not already have the DNS data cached, it will start a recursive DNS resolver by first querying the DNS root servers, asking “Who is handling .com?”
    • 4.2 Then the resolver will query the top-level domain server for .com, asking “Who is handling Varonis.com?” The TLD then responds with an authoritative name server for the URL.
    • 4.3 The resolver then issues a query to the authoritative name server, asking “What is the IP of Varonis.com?” The authoritative name server then responds with an IP address for the domain.
  5. The DNS data then gets sent back down the chain to the end-user’s device. All along the way, each DNS server will cache that response for future use.
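A toy model of the lookup chain in steps 1 to 5, added here as an example (not code from the original article). It shows each hop caching the answer with its remaining TTL, and how a forged entry in the upstream cache keeps being served downstream until that TTL runs out; the addresses, TTL and class names are constructed, and the poisoning itself is simply written into the cache.

```python
ZONE = {"varonis.com": ("192.0.2.10", 300)}  # constructed record: (address, TTL in s)

def iterate(qname, now):
    """Steps 4.1-4.3 collapsed: root -> TLD -> authoritative name server."""
    ip, ttl = ZONE[qname]
    return ip, ttl, ["root", "tld", "authoritative"]

class Cache:
    """One caching hop: browser, router or upstream resolver."""
    def __init__(self, name, upstream):
        self.name, self.upstream, self.store = name, upstream, {}

    def resolve(self, qname, now):
        ip, expires = self.store.get(qname, (None, 0))
        if now < expires:
            # Answer from cache and pass on only the TTL that is left.
            return ip, expires - now, [self.name + ":hit"]
        ip, ttl, path = self.upstream(qname, now)
        self.store[qname] = (ip, now + ttl)
        return ip, ttl, [self.name + ":miss"] + path

def demo():
    upstream = Cache("upstream", iterate)
    router = Cache("router", upstream.resolve)
    browser = Cache("browser", router.resolve)
    seen = {}
    seen["cold"] = browser.resolve("varonis.com", now=0)
    seen["warm"] = browser.resolve("varonis.com", now=10)
    # Stand-in for a successful poisoning: a forged entry (constructed address)
    # sits in the upstream cache; how it got there is outside this model.
    upstream.store["varonis.com"] = ("203.0.113.66", 20 + 300)
    browser.store.clear()  # client-side flush
    router.store.clear()
    seen["after flush"] = browser.resolve("varonis.com", now=20)
    seen["before expiry"] = browser.resolve("varonis.com", now=319)
    seen["after expiry"] = browser.resolve("varonis.com", now=320)
    return seen

if __name__ == "__main__":
    for label, (ip, ttl, path) in demo().items():
        print(f"{label:>13}: {ip:<13} ttl={ttl:<3} via {' > '.join(path)}")
```

In this model the client-side flush at t=20 only forces a new lookup, which the still-poisoned upstream cache answers; the genuine address returns once the forged entry's TTL has expired.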

Q: How do Attackers Poison DNS Caches?

A: There is no single way a DNS cache can get poisoned, but some of the most common ways are having the victim click malicious links that use embedded code to alter the DNS cache in their browsers, and hijacking the local DNS server by using a man-in-the-middle spoofing attack. The attack uses ARP spoofing to redirect DNS requests to a DNS server controlled by the attacker.

Q: What is DNS Cache Poisoning?

A: DNS cache poisoning is the act of replacing a DNS database entry with a malicious IP address that sends the end-user to a server controlled by the hacker.

Q: How Is DNS Spoofing Done?

A: A hacker performs a DNS spoofing attack by gaining access to and altering a DNS cache or redirecting DNS queries to their own DNS server.

Q: What Is Meant By DNS Spoofing?

A: DNS spoofing means that the URL that a user enters in their browser such as varonis.com is not actually going to the legitimate IP address associated with that URL, but is instead being redirected to a malicious server controlled by a hacker.

Q: Why Is DNS Spoofing a Problem?

A: DNS spoofing is a problem because DNS is inherently trusting and often not secured with any kind of encryption. This means that a hacker can spoof a DNS entry and use it for data theft, malware infection, phishing, and preventing updates.

Q: What are the Threats Posed by a DNS Spoofing Attack?

A: The prime threat posed by DNS spoofing is data theft through the use of phishing pages. Additionally, there’s a threat of malware infection by hosting legitimate-looking downloads that are actually infected with malware. Lastly, if the system relies on the internet for updates, the updates can be prevented by altering their DNS entries so they don’t resolve to an actual website. This could also be applied to any website as a method of censorship.

Michael Raymond

Michael Raymond is a security researcher and video producer for the Null Byte and SecurityFWD YouTube Channels.

 
