Hello Stacker, before we talk about DNS poisoning, we will get an understanding of what DNS is and how it works. As human we access information on websites via a domain name like google.com, youtube.com, etc. But the web browsers and the computer can’t understand these domain names as they interact with IP addresses. So the DNS (Domain Name System) is responsible for the translation of this human typed domain and subdomain names to IP address before web browser or computer make a request to the designated destination website. In fact, the Domain Name System (DNS) acts like the phonebook of the Internet. All the devices on the internet have a unique IP address that enables communication between each device. DNS servers eliminate the need for humans to memorize IP addresses such as IPv4 or more complex newer alphanumeric IP addresses such as IPv6. There are four DNS servers involved in loading a webpage;
- DNS Recursive Resolver: When a client(computer or web browser) can not find a DNS record in its cache, it will issue a request to DNS Recursive Resolve asking to find the IP for the given domain name. Typically the DNS Recursive Resolver is then responsible for making additional requests to satisfy the client’s DNS query. This is most probably manage by our ISPs.
- Root Nameserver: A root nameserver is at the top of the DNS hierarchy. They can refer requests to the Top Level Domain (TDL) Servers. If the DNS Recursive Resolver can not find the client DNS query details in its cache, it is directed to the Root Nameservers. Then root nameserver provides the references to the top-level domain servers such as .com, .org, .net, etc. It can be thought of like an index in a library that points to different racks of books.
- TLD Nameserver: The Top Level Domain can be thought of as a specific rack of books in a library. DNS Recursive Resolver obtains TDL reference details from Root Nameservers. Then forward the query to a specific TDL Nameserver in the search for a specific IP address, and it hosts the last portion of a hostname (In google.com, the TLD server is com). TDL still doesn’t know the exact IP address we need, but it will, however, know the location of the Authoritative Nameservers. It contains the information for domains with a specific extension .com, .org, .net, etc.
- Authoritative Nameserver: This holds the DNS record information for the domain they serve. This is usually the last step in the DNS process, providing the answer requested. It will return the IP address for the requested hostname back to the DNS Recursive Resolver that made the initial request. Authoritative Nameserver can be thought of as a dictionary on a rack of books in which a specific name can be translated into its definition.
DNS Poisoning
DNS Poisoning is a flaw in the DNS protocol where an attacker could inject a malicious IP address into the nameservers. So the attacker can route the user to go to the malicious website. When DNS protocol starts to resolve the domain name for some user, it will traverse through the DNS Recursive Resolver, Root Nameserver, TLD Nameserver, and Authoritative Nameserver, with some Query Id issued by the DNS Recursive Resolver. As this process takes a little bit of time, attackers have some time to brute-force stream of request with different random Query IDs by hoping to replace the user Query ID for a domain name resolver with his malicious domain nameserver IP address. The reason for the easy guessing of Query ID is, it uses incrementing mechanism for every new Query ID for the query requests received at nameservers back in the early 2000s. To avoid this issue, they later introduce the randomization of Query ID together with the randomization of source ports, which originates the DNS query. But the DNS uses UDP as the transport layer protocol currently, so there is no verification for DNS information received by the nameservers. Therefore, forging brute-force attacks on the nameservers still, possible although it is hard. Attackers also have to either know or guess several factors to carry out DNS Poisoning attacks;
- The queries that are not cached by the targeted DNS Recursive Resolver.
- The port number the DNS Recursive Resolver using because now they use random ports for each query.
- The Query ID (request ID) number.
- Authoritative Nameserver the query will go to.
To see the IP address of our DNS server we can issue ipconfig /all command. To see the DNS cache in our computer we can use the ipconfig /displaydns command. If you want to clear the DNS cache in your computer you can issue the ipconfig /flushdns command.
Ways to Prevent DNS Cache Poisoning
- Usage of DNS spoofing detection tools
- End-to-End Encryption
- Security extensions for Domain Name Systems
- Usage of Virtual Private Network (VPN)
- Refrain from clicking on links you don’t recognize
- Scan your computer for malware regularly
- Flush your DNS cache
- Usage of Virtual Private Network (VPN)
Apart from the above, in 2005, the DNSSEC was introduced, which stands for Domain Name System Security Extensions. DNSSEC was designed to verify the integrity of data and origins within DNS protocol. DNS was originally designed with no such verification. That is why attacks like DNS Poisoning are possible. To verify and authenticate data within DNS protocol, it uses public-key encryption by digitally signing information, as in SSL and TLS. But still, DNSSEC is not adopted by a majority of nameservers due to a bit of time-consuming nature in public-key encryption, making DNS still vulnerable to attacks.
This is my first time pay a quick visit at here and i am really happy to read everthing at one place