Domain Name System (DNS) poisoning. Spoofing.

Updated: Sat, 11 Apr 2015 by Rad

DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's servers (or any other computer system).

DNS spoofing introduction

DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones.

One of the reasons DNS poisoning is so dangerous is because it can spread from DNS server to DNS server. In 2010, a DNS poisoning event resulted in the Great Firewall of China temporarily escaping China's national borders, censoring the Internet in the USA until the problem was fixed.

DNS attacks
DNS Poisoning, Spoofing
Credit: Manuel Paul, flickr. Licensed under Creative Commons Attribution-NoDerivs License.

Targets vary - big names, espionage and financial gain

DNS attacks are very popular in hacking community, they could be run by cyber criminals and state-sponsored hackers for various purposes, including cyber espionage and financially motivated attacks.

A DNS is a critical component in a network because it is responsible for the translation of logical names into IP addresses, but an attacker could hit DNS servers to force to return an incorrect IP address and divert traffic to another computer managed by bad actors.

Year 2012 was prominent with more domain hijackings than ever. Basically global brand websites' domain names have been hijacked for a couple of hours, where the traffic intended for these websites have been redirected to the hackers' websites instead.

The victims are mainly big, corporate brands such as Google, Microsoft, Yahoo, PayPal and Kaspersky. The hackers see themselves as activists set out to disrupt the business of big corporate.

DNS Cache Poisoning video explanation

How to prevent DNS poisoning attacks

The real reason DNS cache poisoning is such a problem is because there's no real way of determining whether DNS responses you receive are actually legitimate or whether they've been manipulated.

The CERT/CC researchers mentioned two solutions to prevent this kind of attacks, one at the user side and the other at the server side.

How to prevent attacks

  • At the user level, one should use end-to-end encryption using PGP or S/MIME for emails, of course this solution can only protect the content of the email, but not the routing process
  • At the server level, it is possible to adopt the DNSSEC (DNS Security Extensions), a mechanism to guarantee the integrity of the DNS responses the issue should be solved by DNSSEC, which guarantees the integrity of the DNS responses, unfortunately only a limited number of domains currently deploy DNSSEC

Chain strength depends on the weakest link

As a business you want to make sure that your domain name is not hijacked. DNSSEC (DNS Security Extensions) is designed to prevent cache poisoning between the local DNS and the authoritative name servers (global DNS). This is done by digitally "signing" data so you can be assured it is valid. The digital signing must be deployed at each step in the lookup from root zone to the final domain name.

However, a domain with DNSSEC is no guarantee. The chain is not stronger than the weakest link, and the domain name is only one of several steps in the process.

There is still an important problem set left unresolved between the resolver and the client** (your desktop or mobile device)**. This is commonly referred to as the last mile.

So what can you do in practice?

Make sure that your domain registrar supports DNSSEC. ICANN (The Internet Corporation for Assigned Names and Numbers) publishes list of domain registrars supporting DNSSEC.

Special offer for readers

< back to glossary

DNS poisoning - from around the web

< back to glossary

External IT glossary resources.