DNS spoofing

From CNM Wiki
(Redirected from DNS cache poisoning)
Jump to: navigation, search

Any DNS spoofing (alternatively known as DNS cache poisoning, DNS tampering, DNS hijacking, or DNS redirection; hereinafter, the Spoofing) is the attack against the DNS protocol that aims to alternate IP addresses cached by DNS resolvers for a DNS record of the attacker choice.

Mechanism

In order to increase speed of DNS resolutions for the end user, as well as to decrease costs for Internet service providers (ISP), they usually configure their nameservers to cache DNS responses for the period defined in the TTL value of the requested record set. This allows for all concurrent requests to be served from the local cache at the ISP and not require the series of lookups normally required.

This mechanism, however, is the target for the Spoofing attacks. In these attacks, the attacker aims legitimate DNS resolvers to have an attacker's IP address cached as a false DNS record. Most commonly, this false record can be an A record or NS record.

For example, the attacker would send a fake resolutions to legitimate DNS resolver and seek the attacker's IP address to be cached instead of or in addition to the legitimate IP address. The attacker then could display a fake login page and harvest users' logins and passwords. In the Man-In-The-Middle Attack, the attacker would use the harvested logins and passwords to access the legitimate IP address, so the victim would have regular experience working with familiar resource without knowledge that the attacker is between the victim and the legitimate resource.

Prevention

DNSSEC, SSL certificates and digital signatures are most common tools used to prevent the Spoofing.