Cache poisoning is also known as DNS cache poisoning. DNS or Domain Name System is a system that translates man-readable internet addresses into machine language numeric addresses. These numeric addresses are known as IP addresses.
When a user tries to access a website via his browser, the browser forwards the request to the DNS server. The DNS then looks up the corresponding IP address and reverts to the request. The browser receives the IP address and uses it to load the website or domain requested by the user.
DNS remembers the requests and stores the requested IP addresses in its memory. It helps the server reduce the revert time if the same domain request is received in the future.
This system nullifies the need to remember complex IP addresses associated with a webpage. Humans can remember the domain name, and DNS does the translation for the computer. However, the system has some loopholes that allow the hackers to carry out Cache Poisoning attacks.
What is Cache poisoning?
DNS Cache poisoning refers to adding an incorrect entry to the DNS Cache. Here is the most common process followed by hackers for cache poisoning.
- A browser submits a requester to the DNS resolver
- Hackers build a dupe DNS nameserver that matches the authentic domain
- When the DNS resolver contacts the nameserver, hackers respond to the request via a fake nameserver
- The DNS resolver receives this response and forwards it to the requesting browser
- The fake response is stored in the DNS cache for future reference
- Every time a user requests for this domain, he is redirected to the incorrect domain stored in cache memory
The success of this type of cache poisoning is that DNS uses UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). UDP does not verify the identity of the parties involved in the conversation. Hackers can easily alter the heading of UDP requests and respond to the request under pretend of a trusted DNS server.
There are several vulnerabilities that hackers can exploit for implementing a DNS cache poisoning attack. Some of these vulnerabilities are:
- Lack of identity verification and validation
- Recursive DNS server vulnerability (forged information spreads from one DNS server to another)
- Unencrypted DNS protocol
Cyber Security Risks Imposed by DNS Cache Poisoning:
DNS cache poisoning redirects a user to a fake and possibly malicious website. It may result in multiple cyber security risks.
- Data theft
- Malware infection
- Delaying security updates
Preventing DNS Cache Poisoning:
Once a forged entry is stored in DNS cache memory, it stays there until its Time To Live (TTL) expires. In the meantime, cache poisoning can spread to other DNS servers. So, it is required to delete the forged entry to prevent the DNS server from redirecting requests to the fake website.
Users can implement some measures to protect their server from cache poisoning attacks:
- Business organizations should hire an IT professional to configure DNS servers rather than relying on relationships with other DNS servers. It will prevent hackers from using their DNS server to corrupt or influence an organization’s server.
- Configure DNS server to run permitted services only. It limits the DNS server from running additional services not required by the organization. Limited exposure reduces the chances of an encounter with cache poisoning attacks.
- Make use of an SSL/TLS certificate that binds the company’s details to a cryptographic key. It activates the HTTPS protocol to secure and encrypt the connection between the browser and your web server.
Centex Technologies provides cyber-security services & IT consultation to help businesses ward off cyber-attacks. To know more, contact Centex Technologies at Killeen (254) 213 - 4740, Dallas (972) 375 - 9654, Atlanta (404) 994 - 5074, and Austin (512) 956 – 5454.