DNS Poisoning

What is DNS poisoning?

DNS poisoning is a malicious practice in which false information is introduced into a DNS resolver’s cache, causing the name server to return an incorrect IP address. This can divert traffic to an attacker-controlled website, potentially leading to further attacks such as phishing or distribution of malware.

Activities connected with DNS poisoning can include:

  • Manipulating hosts files: These attacks can alter hosts files to resolve domain names to incorrect IP addresses.
  • Rogue DNS servers: Attackers can also set up malicious DNS servers and trick clients into using them.
  • DNS spoofing: With poisoning, attackers can also send fake responses to DNS queries, redirecting users to malicious sites.

 

What is DNS caching?

DNS caching refers to the temporary storage of DNS query results, including the mapping of domain names to IP addresses.

The flow of DNS caching follows these steps:

  • Initial query: When a user requests to see a website, the system first checks the local DNS cache to see if the domain’s IP address is already stored.
  • Resolver query: If the local cache doesn’t hold that information, the query is sent to a DNS resolver, which likely has its own cache.
  • Authoritative server query: If the resolver cache also doesn’t have the information, it queries the authoritative DNS server for the domain, obtaining the IP address in the process.
  • Storing in cache: Then, the IP address is stored in the local cache and the resolver’s cache for future use, along with a Time-to-Live (TTL) value that sets how long the information can be used.

What is DNS cache poisoning? What is the difference between cache poisoning and DNS poisoning?

Simply put, DNS poisoning covers a broad class of attack methods, whereas DNS cache poisoning specifically targets the resolver’s cache. It’s also important to remember that DNS poisoning can target different parts of the DNS resolution process.

How does DNS cache poisoning work?

Normally, a DNS cache stores recent DNS query results to speed up subsequent requests for the same domain. In a cache poisoning attack, an attacker introduces false information into this cache. The DNS resolver then returns incorrect IP addresses for subsequent queries.

A cache poisoning attack involves these steps:

  • Sending a fake query: The attacker sends a query to the targeted DNS server, which causes it to request the information from the authoritative server.
  • Flooding with fake responses: Before the authoritative server can respond, the attacker floods the targeted server with fake responses that contain the wrong IP address.
  • Corrupting the cache: If the target of the attack accepts one of the fake responses, the incorrect information is stored in the cache.
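The caching flow and the acceptance step described above can be modelled from the resolver's side. The following is an added example, not code from the original page or from Vercara: a toy cache that stores an answer with its TTL only when the response matches the outstanding query, and raises an alert when rejected responses pile up. The names `ResolverCache`, `Pending`, `FLOOD_THRESHOLD` and `demo` are hypothetical, the threshold is an assumed value, and matching on transaction ID, server address and source port follows standard resolver behaviour rather than anything stated on this page.

```python
import time
from dataclasses import dataclass

@dataclass
class Pending:
    txid: int      # 16-bit transaction ID the resolver put in its query
    server: str    # authoritative server the query was sent to
    port: int      # resolver's source port for this query
    rejected: int = 0

class ResolverCache:
    FLOOD_THRESHOLD = 3  # assumed: rejected replies per query before alerting

    def __init__(self, clock=time.monotonic):
        self.clock, self.cache, self.pending, self.alerts = clock, {}, {}, []

    def lookup(self, name):
        ip, expires = self.cache.get(name, (None, 0))
        return ip if expires > self.clock() else None  # expired entries are ignored

    def query_sent(self, name, txid, server, port):
        self.pending[name] = Pending(txid, server, port)

    def on_response(self, name, txid, src, dst_port, ip, ttl):
        p = self.pending.get(name)
        if p is None:
            return False  # unsolicited: no query outstanding for this name
        if (txid, src, dst_port) != (p.txid, p.server, p.port):
            p.rejected += 1
            if p.rejected == self.FLOOD_THRESHOLD:
                self.alerts.append(name)  # burst of bad replies: possible poisoning attempt
            return False
        self.cache[name] = (ip, self.clock() + ttl)  # store the answer with its TTL
        del self.pending[name]
        return True

def demo():
    # Constructed events; addresses come from the RFC 5737 documentation ranges.
    now = [0.0]
    r = ResolverCache(clock=lambda: now[0])
    r.query_sent("www.example.com", txid=0x1A2B, server="192.0.2.53", port=40001)
    forged = [r.on_response("www.example.com", t, "192.0.2.53", 40001, "203.0.113.66", 86400)
              for t in (1, 2, 3, 4)]  # wrong transaction IDs: all rejected
    real = r.on_response("www.example.com", 0x1A2B, "192.0.2.53", 40001, "198.51.100.10", 300)
    fresh = r.lookup("www.example.com")
    now[0] = 301.0  # move the clock past the 300-second TTL
    return forged, real, fresh, r.lookup("www.example.com"), r.alerts
```

In a real resolver the alert would feed monitoring, and the rejected-response count per query is a useful signal because legitimate traffic rarely produces mismatched replies.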

 

Shield your business against DNS poisoning attacks with Vercara.

Nothing can fully prevent a DNS poisoning attack from happening, but there are measures you can take to reduce your risk of harm when one occurs. For example, a good DNS network will help to mitigate this and other types of attack.
At Vercara, our clients use our UltraDNS solution to protect their network against these types of attacks. Our network is built for security first and is trusted by global brands to provide them peace of mind while conducting business online.