What is DNS Poisoning?

Riddhi Jindal

Created: 05/30/2020 9:55 AM - Updated: 05/30/2020 9:57 AM

What is DNS Poisoning?

It is an attack in which the attacker persuades a DNS resolving server to resolve a domain name to an incorrect IP address.
If your DNS resolver is compromised, you may see a different site load when you type an address into your browser.

How does it work?

Before understanding this, you have to know that there are two different types of servers that work together to resolve a domain name:

1. Authoritative Server: This server holds the IP address to domain name mapping for a specific domain and returns it when a resolving server queries it.

2. Resolving Server: A resolving server is what an end user configures on their machine (either explicitly or via DHCP). When resolving a domain name, the resolver answers either from its cache or by asking the authoritative server for that domain.

Now, a DNS cache poisoning attacker who wants to change the cache of a well-known DNS resolver would proceed something like the following:
It would ask the resolver for a specific domain. Most of the time the resolver would serve the answer from its cache. The response would also carry the TTL (time to live) of the record, which tells the resolving server how long it may cache the response.

The attacker then queries the domain again just as the cached response expires, and immediately after that query sends its own response containing a compromised IP.

The resolving server takes it as a genuine answer, responds with the compromised IP and, more importantly, caches that response. If the attacker wants, they can also set a very high TTL on it. For the resolving server to believe the response came from the authoritative server, the attacker must spoof the IP of the authoritative server and match the request ID. The attacker also has to make sure that the forged response arrives before the real response from the authoritative server.
From then on, every DNS query for the compromised domain at the poisoned resolver would resolve to the incorrect IP address, and that can be used as a foothold for attacking everything that relies on the name.
There are slightly modified forms of this attack, but most rely on the same underlying principle of poisoning the cache of a DNS resolver.

Does that mean DNS is that vulnerable?
The DNS protocol predates the Internet and was written for a network of known and trusted members. When it was adopted for the Internet (which means members can no longer be trusted), it was extended with the DNSSEC protocol. You can be reassured that most DNS servers today are hardened to handle poisoning attacks (unless you are running your own installed DNS resolver with an inexperienced network admin).
