DNS Cache Poisoning

 
tricore (Guest)
Posted: Thu Feb 01, 2007 3:01 am    Post subject: DNS Cache Poisoning

There are few malicious Internet attacks with as much potential for mischief as DNS (domain name system) cache poisoning. By compromising the naming system of a network, DNS cache poisoning enables all manner of attacks: phishing, distribution of malware, theft of sensitive corporate information, and a general loss of confidence in the integrity of networks.

The DNS is the distributed database of names and IP addresses that governs the Internet and most private networks. DNS servers take requests to translate names into IP addresses, and vice versa. By translating a name such as "www.ebay.com" into an IP address, a DNS server directs a client to the actual computer to which he or she needs to connect.

If an attacker were able to compromise the database of IP addresses on the DNS server, clients—potentially including other DNS servers acting in a parent-child relationship with the first server—could be tricked into using the wrong address for the computer they want to link to. Thus, the DNS is "poisoned."

In the case of the www.ebay.com example above, DNS cache poisoning could allow an attacker to present in the user's browser address bar a false eBay page that appears genuine by virtue of the genuine address. The site also could appear as an internal corporate site. Some naive security whitelisting software conceivably could be fooled by this technique and, believing the site to be trusted, a user could be induced into installing malicious software presented as an internal application update.

Client and proxy servers

DNS cache poisoning is not a primary attack technique, per se. It is something that an attacker does to fool users once their systems (generally DNS servers) have been compromised through other means, of which, unfortunately, there are many. The technique can be used against client systems and proxy servers as well. Because of the great performance demands placed upon DNS servers, caching often is used at network perimeter systems known as proxy servers, and on client systems themselves, so that they do not have to look up DNS entries that have been recently retrieved. An attack against these systems could be used to poison the local cache.

Being aware of vulnerabilities

The most common way that DNS cache poisoning is perpetrated is via vulnerabilities in DNS servers that have been directly hacked by attackers.

DNS servers normally exchange information through a vast hierarchy so that changes in one network become available in others. But servers accept changes only from authoritative sources. One way in which an attacker can poison a DNS server is by tricking it into accepting changes from the wrong source.

Many old versions of DNS software are vulnerable to such attacks. Consider this vulnerability if using one of the many old versions of the ubiquitous BIND DNS software. Unfortunately, old versions of DNS software are still quite common.

During an attack, several requests for resolution of the same name are sent to the server. The attacker uses multiple source IP addresses for the requests, which are then passed upstream to another DNS by the server. DNS includes in its packet structure a number, known as a "nonce," that is used to track requests and responses. By using multiple requests, it is possible for the attacker to guess the value of the nonce with a good probability of success. The attacker then spoofs the response from the upstream server. If the spoofed response arrives at the attacked DNS server before the genuine response, it will be treated as authoritative.

Centrality: the critical issue

The centrality of DNS to the function of the network makes many IT administrators skittish about making changes to a server that appears to be working well. But it is DNS's centrality that makes it essential to be protected against attacks.

For instance, Microsoft's DNS software offers protection against what is known as "cache pollution," but the appropriate service pack level must be running on the server for it to be effective. Newer versions of BIND also have mechanisms built in to combat spoofing by adding more secure randomization into nonce generation, and by ignoring responses that are not relevant to a query made by the server. Transport-layer security between DNS servers, encrypting all traffic on port 53 (the DNS port), can also protect the DNS.

Measures to take

In the very long term, a new version of DNS called DNSSEC, which cryptographically signs requests and responses, should put an effective end to spoofing. But DNSSEC has a great deal of industry inertia to overcome before it can be considered mainstream. In the shorter term, the best strategy for protecting a DNS is to make sure that the system is running a current or nearly current version of DNS software. BIND 8 users in particular should look to upgrade. Make sure to turn on any features aimed at defeating spoofing and cache poisoning.
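The transaction-ID race described in the post ("During an attack, several requests for resolution of the same name are sent...") and the two BIND countermeasures it mentions (random nonce generation, and ignoring responses that are not relevant to a query) can be shown in a small simulation. The following is an added example, not code from the original post or from any DNS implementation. It models a recursive resolver with a 16-bit transaction ID, an off-path attacker who floods forged replies with guessed IDs, and a second attacker trick that needs no guessing at all: answering a query for the attacker's own name with an extra "additional" record for the victim name. The host names and the RFC 5737 addresses are assumed values, and treating "ignoring responses that are not relevant" as "cache only the record that answers the question asked" is this example's reading of the post, not a statement about any particular BIND release.

```python
"""Simulation of the blind DNS transaction-ID race and two resolver defences.

Constructed example; not code from the original post. The resolver accepts a
reply only when its 16-bit transaction ID (the post's "nonce") matches a
pending query. Modelled settings: sequential IDs (old-BIND style) versus
random IDs, and whether records for names never asked about are discarded.
"""
import random
from dataclasses import dataclass, field

# RFC 5737 documentation addresses; assumed values for the simulation.
GENUINE_IP = "198.51.100.10"               # the real www.ebay.com in this model
ROGUE_IP = "203.0.113.66"                  # attacker's phishing host
TARGET = "www.ebay.com"
ATTACKER_NAME = "lookup.attacker.example"  # a name in a zone the attacker runs


@dataclass
class Reply:
    txid: int
    qname: str      # question the reply claims to answer
    records: dict   # name -> IP: the answer plus any "additional" records


@dataclass
class Resolver:
    random_ids: bool        # random vs sequential transaction IDs
    check_relevance: bool   # cache only the record that answers the question
    rng: random.Random
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # qname -> txid awaiting reply
    next_id: int = 1

    def send_query(self, qname):
        """Forward a query upstream and remember its transaction ID."""
        if self.random_ids:
            txid = self.rng.randrange(1 << 16)
        else:
            txid, self.next_id = self.next_id, (self.next_id + 1) & 0xFFFF
        self.pending[qname] = txid
        return txid

    def receive(self, reply):
        """Process one reply; return True if it was accepted into the cache."""
        expected = self.pending.get(reply.qname)
        if expected is None or expected != reply.txid:
            return False  # unsolicited or wrong ID: dropped (the late genuine one too)
        del self.pending[reply.qname]
        if self.check_relevance:
            self.cache[reply.qname] = reply.records[reply.qname]
        else:
            # Old behaviour: every record in the reply is cached, including
            # "additional" records for names that were never asked about.
            self.cache.update(reply.records)
        return True


def blind_race(resolver, n_forged, attacker_rng):
    """Attacker triggers a lookup of TARGET and fires n_forged spoofed replies
    before the genuine answer arrives. Returns True if the cache is poisoned."""
    # The attacker first makes the resolver query a name it controls, so that
    # query (and its ID) lands on the attacker's own authoritative server.
    seen = resolver.send_query(ATTACKER_NAME)
    resolver.receive(Reply(seen, ATTACKER_NAME, {ATTACKER_NAME: ROGUE_IP}))
    resolver.send_query(TARGET)  # the attacker cannot see this ID
    if resolver.random_ids:
        guesses = attacker_rng.sample(range(1 << 16), n_forged)
    else:
        guesses = [(seen + 1) & 0xFFFF]  # sequential IDs: one guess suffices
    for g in guesses:
        if resolver.receive(Reply(g, TARGET, {TARGET: ROGUE_IP})):
            break
    # Genuine upstream answer arrives last; ignored if the query was already answered.
    resolver.receive(Reply(resolver.pending.get(TARGET, -1), TARGET, {TARGET: GENUINE_IP}))
    return resolver.cache.get(TARGET) == ROGUE_IP


def poison_rate(random_ids, n_forged, trials, seed=1):
    """Fraction of races the attacker wins: about n_forged / 65536 per race
    with random IDs, and 1.0 with sequential IDs."""
    rng = random.Random(seed)
    wins = sum(blind_race(Resolver(random_ids, True, rng), n_forged, rng)
               for _ in range(trials))
    return wins / trials


def additional_record_attack(check_relevance, seed=1):
    """No guessing needed: the attacker answers a query for its own name and
    smuggles a record for TARGET into the additional section."""
    r = Resolver(random_ids=True, check_relevance=check_relevance, rng=random.Random(seed))
    txid = r.send_query(ATTACKER_NAME)  # visible to the attacker's server
    r.receive(Reply(txid, ATTACKER_NAME, {ATTACKER_NAME: ROGUE_IP, TARGET: ROGUE_IP}))
    return r.cache.get(TARGET) == ROGUE_IP


if __name__ == "__main__":
    print("sequential IDs, 1 forged reply :", poison_rate(False, 1, 20))
    print("random IDs, 2000 forged replies:", poison_rate(True, 2000, 200))
    print("additional record, old resolver:", additional_record_attack(False))
    print("additional record, relevance on:", additional_record_attack(True))
```

With sequential IDs the attacker needs exactly one forged packet, which is why the post singles out old BIND releases; with random IDs the win rate per race is roughly the number of forged replies divided by 65536, so the attacker's remaining lever is volume and repetition, and the relevance check closes the additional-record shortcut entirely. Real resolvers also randomize the UDP source port and check that an answer comes from the server the query was sent to, neither of which this toy models.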