DNS cache poisoning is a technique that tricks a DNS server into believing it has received authentic information when, in reality, it has not. Once the DNS server has been poisoned, the information is generally cached for a while, spreading the effect of the attack to the users of the server.

Normally, an Internet-connected computer uses a DNS server provided by the computer owner's Internet Service Provider, or ISP. This DNS server generally serves the ISP's own customers only and contains a small amount of DNS information cached by previous users of the server. A poisoning attack on a single ISP DNS server can affect a large number of users, depending on how many users are serviced by the compromised DNS server.

Details

To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that can make it accept incorrect information. If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries locally and serve them to users that make the same request.

This technique can be used to replace arbitrary content for a set of victims with content of an attacker's choosing. For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls. He then creates fake entries for files on the server he controls with names matching those on the target server. These files could contain malicious content, such as a worm or a virus. A user whose computer has referenced the poisoned DNS server would be tricked into thinking that the content comes from the target server and unknowingly download malicious content.

Variants

In the following variants, the entries for the server ns.wikipedia.org would be poisoned and redirected to the attacker's nameserver at IP address w.x.y.z. These attacks assume that the nameserver for wikipedia.org is ns.wikipedia.org.

To accomplish the attacks, the attacker must force the target DNS server to make a request for a domain controlled by one of the attacker's nameservers.

Redirect the target domain's nameserver

The first variant of DNS cache poisoning involves redirecting the nameserver of the attacker's domain to the nameserver of the target domain, then assigning that nameserver an IP address specified by the attacker.

DNS server's request: what are the address records for subdomain.example.com?

subdomain.example.com. IN A

Attacker's response:

Answer:
(no response)

Authority section:
example.com. 3600 IN NS ns.wikipedia.org.

Additional section:
ns.wikipedia.org. IN A w.x.y.z

A vulnerable server would cache the additional A-record (IP address) for ns.wikipedia.org, allowing the attacker to resolve queries to the entire wikipedia.org domain.

Redirect the NS record of the target domain

The second variant of DNS cache poisoning involves redirecting the nameserver of another domain unrelated to the original request to an IP address specified by the attacker.

DNS server's request: what are the address records for subdomain.example.com?

subdomain.example.com. IN A

Attacker's response:

Answer:
(no response)

Authority section:
wikipedia.org. 3600 IN NS ns.example.com.

Additional section:
ns.example.com. IN A w.x.y.z

A vulnerable server would cache the unrelated authority information for wikipedia.org's NS-record (nameserver entry), allowing the attacker to resolve queries to the entire wikipedia.org domain.

Responding before the real nameserver

The third variant of DNS cache poisoning involves beating the real answer to a recursive DNS query back to the DNS server. DNS requests contain a 16-bit nonce, used to identify the response associated with a given request. If the attacker can successfully predict the value of the nonce and return a reply first, the server will accept the attacker's response as valid. If the server randomizes the source port of the request, the attack may become more difficult, as the fake response must be sent to the same port that the request originated from.

By sending a number of simultanious DNS requests to the server to force it to send more recursive requests, the probability of successfully predicting one of the request nonces increases [1]. This modification is a form of birthday attack.

Prevention and Mitigation

A secure version of DNS, DNSSEC, uses cryptographic electronic signatures signed with a trusted certificate to determine the authenticity of data. It is rarely used, therefore the majority of DNS records are not secured against spoofing.

This kind of attack may be mitigated by use of Transport Layer Security and electronic signatures. By using the secure version of HTTP, HTTPS, users may check whether the server's certificate is valid and belongs to the website's expected owner. For an applications that downloads updates automatically, the application can embed a copy of the data's signing certificate locally and validate the signature stored in the software update against the embedded certificate.

See also

• Domain Name System
• Root nameserver

External Links

• Microsoft Knowledge Base: How to prevent DNS cache pollution
• SANS DNS cache poisoning update