What's the difference between DNS poisoning and DNS cache poisoning

Both DNS poisoning and DNS cache poisoning are one and the same thing. Both terms refer to DNS spoofing cyber-attack that uses security holes in DNS protocol to redirect traffic to incorrect DNS entries. This tricks the device into going to wrong and most often malicious websites.

What's the difference between DNS spoofing and DNS cache poisoning?

DNS spoofing is an attack based on DNS redirection in such a way that legitimate websites start to redirect users to malicious ones because of a compromised DNS server, which in turn spreads across servers. I. e. the real IP address becomes lost in all phonebooks everywhere, and only the fake entry remains.Cache poisoning is a method to spoof DNS when a particular DNS cache is replaced by a forged DNS entry that gives another IP destination of the same nameserver instead of an actual one. I.e., your personal phonebook's shortlist becomes corrupted, so instead of calling your grandma, you call someone else, because bad people replaced the IP in your personal phonebook.

What damage can DNS cache poisoning do?

First of all, when the DNS cache is poisoned, it means that the entries become corrupted. This means that once you try to go to some particular address, you instead get redirected somewhere else. If it spreads, it can quickly overwrite the correct entries with false ones through many servers like a virus, redirecting many users to phishing websites. This can potentially be devastating.One of the examples of how a large scale DNS poisoning works was in 2010 when China's servers were intentionally poisoned to restrict users from going to various sites. The poison even spilled over to the west, with users in other countries unable to log in to Facebook and YouTube. The reason for this was because at least one ISP began fetching DNS information from a server based in China.Smaller case DNS poisoning can lead to targeted user's attacks with fake replicas of genuine websites to get user's login credentials or financial information.

How to detect DNS cache poisoning?

DNS poisoning can be detected by monitoring DNS requests and discerning normal behavior and patterns, that are indicative of those of an attack. For example, an increase in DNS queries from a single source about a single domain is characteristic of a birthday attack. The attacker is trying to guess out the transaction ID of your DNS request (remember, the things that it also needs for an attack to succeed) so that the fake response would be sent before the real one. Eventually, it will sneak in a false response, but it will generate a bulk of queries that can be detected.

What is DNS tampering?

DNS tampering is synonymous with DNS spoofing, DNS poisoning, DNS hijacking, and DNS cache poisoning. All of these terms refer to corrupting the domain name system, diverting the internet traffic to an unintended destination.

What protocol can be used to prevent DNS poisoning?

DNS security protocol (DNSSEC) was developed as a security measure that counters DNS poisoning because it requires verification. The problem is that it isn't widely used as is rarely implemented.

What happens when you clear the DNS cache?

Clearing DNS cache removes all the stored entries. This means deleting the invalid records, too, so next time you go online, these addresses will be repopulated from your DNS provider once you type in the URL.

What is DNS amplification?

DNS amplification is a DDoS attack that uses small queries into a massive influx of traffic that completely overwhelms the target's network, effectively jamming its connection. The attacker initiates queries that get redirected to the target in large bulks completely overwhelming them.

What is a DNS brute force attack?

DNS brute force attack is a method to gather all subdomains of a particular domain by using scripts or other tools and sending legitimately looking queries. Often this is a precursor to other attacks once the attackers have a full picture of the subdomain network and directs the attacks through the weak points in the infrastructure.

What is a ping of death (POD) attack?

Ping of death is a type of DoS attack in which an attacker sends oversized packets that the target's system cannot handle, crashing targeted computers. Ping packets larger than 65,535 bytes violate the Internet protocol, so the attacker sends them in pieces. Once the package is reassembled, it disrupts the system overflowing the memory.

What is a smurf attack?

A smurf attack is a type of DDoS attack that exploits Internet Control Message Protocols by using spoofed victim's IP to generate infinite loops of queries between the network's servers. The larger the network, the more flooded the victims' computer will become.

What is a DNS attack?

Shopping basket with domain names on computer keyboard

A DNS attack is a cyberattack in which the attacker exploits vulnerabilities in the Domain Name System. This is a grave issue in cybersecurity because the DNS system is a crucial part of the internet infrastructure and at the same time, it has many security holes.

There are many different ways in which DNS can be attacked. DNS reflection attacks, DoS, DDoS, and DNS poisoning are just some of the attack types DNS is susceptible to.

In this article, we'll be discussing DNS attacks and how we can respond to them.

What is DNS?

Before we get into the nuts and bolts of how the attacks happen, let's go through some of the basics of how the DNS or domain name system works.

For the sake of simplicity, think of DNS as a massive phone book that refers to IP addresses with assigned domain names. Your browser doesn't "understand" domain names – to retrieve a website, it needs the IP address of the server where it is hosted. So, when you enter a domain name, this DNS phone book finds the IP to connect to.

DNS cache

The lookup process wouldn't be very efficient if you had to go through the whole phone book each time you're calling your mom and dad. Likewise, your computer doesn't always have to contact a remote DNS server each time it needs an IP address – for that, it relies on the DNS cache, which is historical DNS lookup information, stored on your browser, OS, router, and at other steps of the DNS lookup process.

If you're trying to visit a site that your closest DNS resolver doesn't know the assigned IP address of, it will ask other DNS servers until it finds the IP. The DNS server then learns of this new site and ads the assigned IP address to the domain name, which is further shared across other DNS servers.

DNS attack

When hackers take advantage of vulnerabilities in the Domain Name System (DNS), we call this a DNS attack.

Some of the most common types of DNS attacks are the DDoS attack, DNS rebinding attack, cache poisoning, Distributed Reflection DoS attack, DNS Tunneling, DNS hijacking, basic NXDOMAIN attack, Phantom domain attack, Random subdomain attack, TCP SYN Floods, and Domain lock-up attack. We'll look at each of them in this article.

DoS and DDoS attacks

A Distributed Denial-of-Service (DDoS) attack is a hostile attempt to interrupt the regular traffic of a targeted network or server by bombarding the network or its surrounding infrastructure with internet traffic. Albeit DDoS isn’t necessarily a DNS attack, the DNS system is a popular target.

DDoS attacks achieve effectiveness by using multiple compromised computer systems as sources of attack traffic. Usually, attackers deploy bots to bombard the target with traffic. A case whereby only one bot is used is known as a Denial Of Service (DoS) attack and is mostly localized or has minimal effect. DDoS, on the other hand, has a more broad impact and will require more resources.

Exploited machines may include computers and other networked resources, such as Internet of Things (IoT) devices. To better understand how a DDoS attack works, imagine a highway artificially clogged up with cars, thereby preventing regular traffic and causing a standstill traffic jam.

There are many types of DDoS attacks aimed at DNS, some of which we will discuss below.

One of the biggest DDoS attacks was the Dyn DNS attack. Dyn is an Internet Performance Management (IPM) company - a pioneering DNS service provider. The Dyn attack occurred on the 21 October 2016. It affected a large portion of the internet in the US and Europe. The source of the attack was the Mirai botnet, consisting of IoT devices such as printers, Internet Protocol (IP) cameras, and digital video recorders.

NXDOMAIN attack

An NXDOMAIN attack is a DDoS variant when the DNS server is flooded with queries to non-existent domain names, flooding the authoritative name-server’s cache and stopping legitimate DNS requests altogether.

As you already know, your visits to websites are made possible by DNS converting domain names to an IP address. Suppose you’d type in asdasdasdasd.com into your address bar. What would happen then is that the DNS would not find the corresponding IP address because it doesn’t exist and return an error message. However, the resolver still tries to find the result, spending precious milliseconds to look through the cache, using CPU processing power, etc. In other words, before returning the error message, the request was processed along with other genuine requests.

Now, imagine that the attacker controls a botnet containing thousands of users. Each of them sends a request for a domain that doesn’t exist. This could clog the DNS server cache fairly quickly, denying service to users wanting to visit a legitimate site.

In recent times, some Internet Service Providers (ISPs) have started taking advantage of this situation in a harmful way. Instead of returning an error message, they direct these requests to servers with embedded ads, thus capitalizing on the invalid requests.

Phantom domain attack

A phantom domain attack is a type of DoS attack, directed towards an authoritative nameserver. It is done by setting up a bunch of DNS servers that don’t respond to DNS requests or do it very slowly, interrupting communications.

When a DNS server doesn’t know an IP address, it will look the address up on other connected DNS servers - this is known as recursive DNS. Phantom domain attacks are a method to intercept that lookup process. This wastes the server’s resources on non-functional or inefficient lookups.

When resources are fully consumed, the DNS recursive server may ignore legitimate queries and continue to focus on the non-responsive servers, causing severe performance issues.

Random subdomain attack

A random subdomain attack is very similar to NXDOMAIN attacks, the difference is that instead of asking the DNS for a non-existent domain, this attack asks for a non-existent subdomain.

Let us consider this scenario: imagine we want to access www.perfectacademy.org. Since this domain exists, we would definitely get a response to access the Perfect Academy website. If we then remove the "www" part and replace it with a random string, say dhutz.perfectacademy.org, the recursive DNS server will be forced to open a recursive context looking for that "dhutz" string from Perfect Academy's authoritative servers.

This will result in an NXDOMAIN response, that would be stored in the DNS server's negative cache (which is more like a store for non-existent domains). If the "dhutz" label was changed continuously, then each query would trigger a recursive query to Perfect Academy's authoritative servers, consuming recursive contexts and populating the negative cache.

In effect, NXDOMAIN is much broader in scope and scale. Meanwhile, the random subdomain attack targets the domain’s authoritative nameservers in particular.

TCP SYN floods

Transmission Control Protocol Synchronize (TCP SYN) flood attack is a form of DDoS attack that interrupts the handshake between the server and client by flooding it with arbitrary requests.

scheme showing how syn flood attack works

Rather than exhausting the server's processing power, this attack aims to exhaust the reserve of available open connections. It achieves this by sending bursts of synchronize (SYN) messages to the server faster than it can respond to them. A typical three-way handshake simply involves the client sending a synchronize (SYN) message to the server, the server responds with a synchronize-acknowledge (SYN-ACK) message. While the server is preparing a SYN-ACK message as a reply, the attacker generates more and more requests, ending up with a bulk of half-open connections eventually crashing the server.

DNS domain lock-up attack

The DNS domain lock-up attack is a form of DDoS attack with specially set up special domains and resolvers that also interrupt the handshake between the server and the client by not sending out the correct response but by replying with random data packets. They keep the server engaged and waiting for a proper reply (which never comes) exhausting the reserve of available connections.

The main difference between this and the TCP SYN flood is that the DNS domain lock-up attack happens in the next phase of a three-way TCP handshake. To successfully establish a connection, the client sends out a SYN message, the server replies with a SYN-ACK message and waits for an ACK message back from the client. DNS domain lock-up attack deliberately slows down the handshake, sending back ACK messages from the attacker-side. These false domains respond by sending a random or useless packet data to keep the DNS resolver occupied, unable to resolve the handshake. This completely negates all other legitimate connections for actual users.

DNS rebinding attack

DNS rebinding attacks use DNS vulnerabilities to bypass the web browser’s same-origin policy, allowing one domain to make requests to another - something that can have far-reaching consequences. For example, using DNS rebinding, an attacker may be able to gain control of your entire home network.

Picture this: you're browsing a shady website, which happens to have a malicious script running:

Share

Post

Share