DNS Cache Poisoning Attacks

Jul 7, 2024

Overview of DNS

  • DNS (Domain Name System): Links domain names (e.g., google.com) to IP addresses.
  • Purpose: Lets people use human-readable names while computers connect using the IP addresses those names resolve to.
  • Changing IPs: IP addresses linked through DNS can change over time.
  • Cache: Both your computer and the DNS server maintain a cache to speed up subsequent lookups.

What is DNS Cache Poisoning?

  • Definition: An attack where a malicious IP address is injected into a name server's cache, misleading users to go to the attacker's site.
  • Less Common Now: More prevalent in earlier days of the internet.

How DNS Lookup Works

  1. Request Initiation: Your computer sends a query to a DNS resolver (often your ISP's DNS server).
  2. Cache Check: The DNS resolver checks its cache first.
  3. Recursive Resolution: If not in cache, the resolver queries up the chain (root server → top-level domain → authoritative server).
  4. Query ID: Each DNS query carries a query ID (a 16-bit transaction ID); the resolver only accepts a response that echoes the ID of an outstanding query.
  5. Response Time: Due to the steps involved, it takes time for the resolver to get an answer back.

Execution of the Attack

  • Opportunity Window: During the query resolution time, an attacker can send a spoofed response.
  • Correct Query ID: Attack succeeds if the spoofed response has the correct query ID and arrives before the legitimate response.
  • Query ID Prediction: Early implementations used incremental query IDs, making prediction easy.

Attack Example

  • Setup: Attacker sends multiple responses with guessed query IDs.
  • Nefarious Server: Attacker's server (e.g., 10.0.0.9) is sent as the response for a legitimate query (like google.com).
  • Cache Poisoning: Once the resolver accepts the malicious response, it caches the wrong IP with a validity period (TTL).
  • Subsequent Requests: Other users querying for the same domain will get the malicious IP until cache expires.

Mitigation Efforts

  • Random Query IDs: Rather than sequential IDs, modern resolvers use random query IDs (16-bit, ~65,000 possibilities).
  • Dan Kaminsky's Revelation: Discovered in 2008 a way to still guess query IDs by querying newly invented subdomains (e.g., random1234.google.com); each one misses the cache and forces a fresh lookup, giving the attacker an unlimited number of races instead of one per TTL.
  • Authoritative Name Server Trick: The spoofed replies to those subdomain queries carry an authority record naming an attacker-controlled name server for the whole domain, so a single winning guess hijacks every name under it.
  • Port Randomization: Randomizing the source port further increases difficulty for attackers (~4 billion combinations).
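The matching rules in the mitigation list above, as an added example that is not code from the original notes: a toy model of what a resolver must check before installing a reply (name, query ID, destination port), the bailiwick rule for extra records, and the blind-guess probability that the 16-bit versus 32-bit entropy figures refer to. All names and sample values are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Pending:
    """An outstanding query as the resolver remembers it (constructed model)."""
    qname: str   # name asked for
    txid: int    # 16-bit query/transaction ID
    sport: int   # UDP source port the query was sent from

@dataclass(frozen=True)
class Reply:
    """The fields of an incoming reply that the resolver matches against."""
    qname: str
    txid: int
    dport: int   # port the reply was addressed to

def new_txid_sequential(last: int) -> int:
    """Early resolvers: the next ID is predictable (last + 1 mod 2^16)."""
    return (last + 1) % 65536

def new_txid_random() -> int:
    """Modern resolvers: an unpredictable 16-bit ID from a CSPRNG."""
    return secrets.randbelow(65536)

def accepts(pending: Pending, reply: Reply) -> bool:
    """Install a reply only if name, query ID and destination port all match
    an outstanding query; anything else is dropped as a stray or spoofed packet."""
    return (reply.qname.lower() == pending.qname.lower()
            and reply.txid == pending.txid
            and reply.dport == pending.sport)

def in_bailiwick(owner: str, zone: str) -> bool:
    """Bailiwick rule: accept extra records (NS/glue) only for names at or
    below the zone being resolved. Note this does not stop the Kaminsky
    variant, whose NS record for google.com is in bailiwick for
    random1234.google.com; that is why ID and port entropy (and DNSSEC) matter."""
    o, z = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)

def blind_guess_success(entropy_bits: int, attempts: int) -> float:
    """Probability that at least one of `attempts` blind guesses matches a single
    outstanding query whose unknown fields carry `entropy_bits` of randomness.
    16 bits = query ID only; 32 bits = query ID plus randomized source port."""
    return 1.0 - (1.0 - 2.0 ** -entropy_bits) ** attempts
```

With 65,536 guesses, blind_guess_success(16, 65536) is about 0.63 while blind_guess_success(32, 65536) is about 0.000015, which is the gap source-port randomization buys.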

Current and Future Solutions

  • DNSSEC (DNS Security Extensions): Uses public key infrastructure (signed records forming a chain of trust) so a resolver can verify that DNS responses are authentic rather than merely correctly guessed.
  • Adoption: Some top-level domains and name servers support DNSSEC; ongoing adoption.

Summary

  • Cache Poisoning Impact: Significant risks include phishing, credential theft, and serving malware from a site the victim believes is legitimate.
  • Complexity Increase: Mitigation strategies and DNSSEC make attacks much more difficult though not impossible.
  • Ongoing Defense: Continuous improvement and adoption of secure practices are essential.