Also known as DNS spoofing, DNS cache poisoning is an attack designed to locate and then exploit vulnerabilities that exist in a DNS, or domain name system, in order to draw organic traffic away from a legitimate server and over to a fake one.
The threat of DNS cache poisoning made the news earlier this year in April when crypto giant MyEtherWallet’s DNS servers were hijacked and redirected legitimate users over to a phishing website.
As a result of the cache poisoning, multiple users were deceived into giving up their wallet keys before transferring their cryptocurrencies into another digital wallet associated with the hackers. All in all, the hackers stole around a hundred and sixty thousand dollars worth of Ethereum before the problem was identified and stopped.
This is just one example that illustrates how dangerous DNS cache poisoning can be. Another reason this kind of attack is dangerous is because it can easily spread from one DNS server to the next.
In this article, we’ll cover the subject of how DNS cache poisoning works and then some solutions you can apply to stop it should it ever happen to you.
How Does DNS Cache Poisoning Work?
Each time your browser contacts a domain name, it has to contact the DNS server first.
Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses.
This is necessary because, although domain names are easy for people to remember, computers or machines, access websites based on IP addresses.
The server will then respond with at least one IP address (but usually more) for your computer to reach the domain name. Once your computer connects to the IP address, the DNS converts the domain name into an IP address that your computer can read.
Right now, your internet service provider is running multiple DNS servers, each of which caches (or saves) information from other servers as well. The Wi-Fi router you have in your home essentially acts like a DNS server as well, as it caches information from the servers of your ISP.
A DNS cache is “poisoned” when the server receives an incorrect entry. To put this into perspective, it can occur when a hacker gains control over a DNS server and then changes information in it.
For instance, they may modify the information so that the DNS server would tell users to look for a certain website with the wrong address. In other words, the user would be entering the ‘correct’ name of the website, but then be sent to the wrong IP address, and specifically, to a phishing website.
Earlier, we mentioned that one of the reasons why DNS cache poisoning is dangerous is because how quickly it can spread from one DNS server to the next. This is accomplished if and when multiple internet service providers are receiving their DNS information from the now hacker controlled server, which results in the ‘poisoned’ DNS entry spreading to those ISPs to be cached.
From that point on, it can spread to other DNS servers and home routers as well as computers will look up the DNS entry only to receive the wrong response, resulting in more and more people becoming a victim of the poisoning. Only once the poisoned cache has been cleared on every affected DNS server will the issue be solved.
How To Protect Against DNS Cache Poisoning
One of the tricky aspects of DNS cache poisoning is that it will be extremely difficult to determine whether the DNS responses you receive are legitimate or not. In the case of My Ethereum Wallet, they had very limited means to prevent the situation from occurring, and the issue was ultimately solved by their server providers.
Fortunately, there are still a number of measures that your organization can take to prevent such an attack from happening to you, so you should not be under the impression that DNS cache poisoning is impossible or nearly impossible to prevent.
For example, one thing you should do is have your DNS servers configured by an IT professional to rely very little on relationships with other DNS servers. This makes it much harder for a cyber-criminal to use their DNS server to corrupt their targets, meaning your own DNS server is less likely to be corrupted, and therefore you (and everyone in your organization) are less likely to be redirected to an incorrect website.
You can furthermore have your DNS servers configured to only store data that are related specifically to the requested domain and to limit query responses to only provide information that concerns the requested domain as well. The idea is that the server will be set up so that required services are the only ones permitted to run. By having additional services that are not required to run on your DNS server, you greatly increase the odds of an attack happening.
You should also ensure that the most recent version of the DNS is being utilized. This is because the most recent versions will use security features such as port randomization and transaction IDs that are cryptographically secure to help guard against poisoning attacks.
Another important defense against DNS cache poisoning, as MyEtherWallet advised in an announcement following the attack that occurred back in April 2018, is to look for the company’s name in the address bar (so in their case ‘MyEtherWallet Inc’).
This means the site is using an EV SSL/TLS certificate. This would help prevent people from falling victim to a poisoning attack, because they would make sure not to enter their personal details in to a hacker’s website. Not all companies use EV on their websites, so this isn’t a foolproof measure, but it can be a helpful tool when trying to determine if you’re on the right site.
An SSL/TLS certificate is simply a small data file installed on a web server that can bind the details of your organization to a cryptographic key. After it has been installed, the certificate will activate HTTPS protocol to enable a secure and encrypted connection between a browser and your web server. In the case of EV SSL/TLS Certificates, some of those organization details, including the company name as mentioned above, will be presented directly in the browser UI.
In summary, DNS cache poisoning is when an attacker exploits a DNS server to send a forged DNS response that will be cached by legitimate servers.
Subsequently, users who visit the corrupted domain will be sent to a new IP address that the hacker has selected, which is usually a malicious phishing website where victims can be manipulated into downloading malware or submitting login or financial details.
Taking the steps above will help defend your organization against DNS cache poisoning attacks.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.