DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver’s cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker’s servers (or any other computer system).
One of the reasons DNS poisoning is so dangerous is because it can spread from DNS server to DNS server. In 2010, a DNS poisoning event resulted in the Great Firewall of China temporarily escaping China’s national borders, censoring the Internet in the USA until the problem was fixed.
DNS attacks are very popular in the hacking community; they can be run by cybercriminals and state-sponsored hackers for various purposes, including cyber espionage and financially motivated attacks.
A DNS server is a critical component of a network because it is responsible for translating logical names into IP addresses, but an attacker could target DNS servers to force them to return an incorrect IP address and divert traffic to another computer managed by bad actors.
The year 2012 saw more domain hijackings than ever. The domain names of global brands' websites were hijacked for a couple of hours, and the traffic intended for those websites was redirected to the hackers' websites instead.
The victims were mainly big corporate brands such as Google, Microsoft, Yahoo, PayPal and Kaspersky. The hackers see themselves as activists set out to disrupt the business of big corporations.
The real reason DNS cache poisoning is such a problem is because there’s no real way of determining whether DNS responses you receive are actually legitimate or whether they’ve been manipulated.
The CERT/CC researchers mentioned two solutions to prevent this kind of attack, one on the user side and the other on the server side.
At the user level, one should use end-to-end encryption such as PGP or S/MIME for email; of course, this solution can only protect the content of the email, not the routing process.
At the server level, it is possible to adopt DNSSEC (DNS Security Extensions), a mechanism that guarantees the integrity of DNS responses; unfortunately, only a limited number of domains currently deploy DNSSEC.
As a business, you want to make sure that your domain name is not hijacked. DNSSEC (DNS Security Extensions) is designed to prevent cache poisoning between the local DNS and the authoritative name servers (global DNS). This is done by digitally "signing" data so you can be assured it is valid. The digital signing must be deployed at each step in the lookup, from the root zone to the final domain name.
However, a domain with DNSSEC is no guarantee. The chain is not stronger than the weakest link, and the domain name is only one of several steps in the process.
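The step-by-step signing and the weakest-link point above, as an added example that is not part of the original page: a simplified Go model of how a validating resolver walks the DNSSEC chain of trust from a trust anchor through each zone's DS record and DNSKEY down to the signed answer, rejecting a tampered answer or a zone key that the parent's DS does not commit to. Ed25519 stands in for the real DNSSEC algorithms and record formats, and the zone names, keys and IP addresses are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Signed struct{ Data string; Sig []byte } // record data plus its RRSIG-like signature
// Zone models one signed zone: its DNSKEY pair, the DS record it publishes for
// its child (a digest of the child's DNSKEY) and, at the leaf, an A record.
type Zone struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	DS, A Signed // DS for the child zone; A record served by a leaf zone
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair, not a real zone key
	return &Zone{Name: name, Pub: pub, priv: priv}
}
// KeyDigest derives the digest of a DNSKEY, as the parent's DS record holds it.
func KeyDigest(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }
func (z *Zone) sign(d string) Signed        { return Signed{d, ed25519.Sign(z.priv, []byte(d))} }
func (z *Zone) verify(r Signed) bool        { return ed25519.Verify(z.Pub, []byte(r.Data), r.Sig) }
func (z *Zone) Delegate(child *Zone)        { z.DS = z.sign(KeyDigest(child.Pub)) }
func (z *Zone) SetA(ip string)              { z.A = z.sign(ip) }

// Validate walks from the trust anchor (digest of the root key) to the leaf: each
// key must match its parent's DS and each signature must verify under that key.
func Validate(anchor string, chain []*Zone) (string, error) {
	expect := anchor
	for i, z := range chain {
		if KeyDigest(z.Pub) != expect {
			return "", fmt.Errorf("%s: DNSKEY does not match the DS held by its parent", z.Name)
		}
		if i == len(chain)-1 { // leaf zone: the answer itself must verify
			if !z.verify(z.A) {
				return "", fmt.Errorf("%s: signature over A record does not verify", z.Name)
			}
			return z.A.Data, nil
		}
		if !z.verify(z.DS) {
			return "", fmt.Errorf("%s: signature over DS record does not verify", z.Name)
		}
		expect = z.DS.Data
	}
	return "", fmt.Errorf("empty chain")
}
```

A resolver that stops checking at any link (or has no trust anchor) gets no assurance from the links above it, which is the weakest-link point made above.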
There is still an important problem set left unresolved between the resolver and the client (your desktop or mobile device). This is commonly referred to as the last mile.
Make sure that your domain registrar supports DNSSEC. ICANN (the Internet Corporation for Assigned Names and Numbers) publishes a list of domain registrars supporting DNSSEC.