Cache Poisoning (or DNS Spoofing) is an attack technique where corrupted Domain Name Server (DNS) data is stored into the DNS Resolver’s cache and causes it to return an incorrect Internet Protocol (IP) Address. As a result of this, the network traffic is then redirected to the attacker’s (or any other) computer instead of the intended recipient. From here, the attacker could use this to supplement other types of attacks such as a Denial of Service (DoS) attack or a man-in-the-middle attack. It can even be used in aiding them to spread computer worms and other malware or even redirecting users to a malicious site owned by the attacker (this method can be used in phishing attacks).
Variations of Cache Poisoning
Cache Poisoning can be classified under a few different methods by how the attack is done even though the two types lead to the same end result. The first of which is for redirecting the attacker’s DNS to the target’s. This means whenever someone uses the target DNS, they instead use the attackers. From there, the attacker would then assign the target DNS with an IP Address of their choosing. This type of attack is done by having the vulnerable DNS cache an additional IP Address record and allows the attacker access to resolve queries for its entire domain.
Another type involves the attacker redirecting the DNS of a domain unrelated to the original request to an IP Address of their choosing. The attacker’s response, in this case, will be designed in such a way that a vulnerable DNS would allow the attacker access to resolve queries to its entire domain by caching unrelated authority information from the attacker’s response.
Mitigation and Prevention
The easiest method of defending against these attacks is for the DNS to be less trusting of the information it receives from other DNS servers and ignoring DNS records which are returned that are unrelated to the query. Source port randomization of DNS Requests combined with cryptographically-secure random numbers when selecting the source port and 16-bit nonce can also greatly reduce the chances of these attacks. It should be noted, however, that Network Address Translation (NAT) employed by routers, firewalls, proxies, and other gateway devices may rewrite the source ports in these requests. Port Address Translation (PAT) devices, in particular, are likely to remove randomized source port numbers employed by DNS servers.
Secure DNS (DNSSEC) utilizes cryptographic digital signatures signed by a trusted public key certificate to authenticate the data. As such, it’s a direct counter to Cache Poisoning even though it wasn’t commonly used nor implemented in the Internet’s roots servers until 2010.
Another method is to have end-to-end validation on established connections at either the transport layer or application layer. This is the use of Transport Layer Security (TLS) and digital signatures and it can greatly mitigate these types of attacks.