What is DNS Poisoning?

When DNS is poisoned, this phonebook is tampered with, leading users to fake websites that mimic legitimate ones.

These fake sites can then be used to steal sensitive information like login credentials or credit card details or install malware on unsuspecting victims' devices. Essentially, DNS poisoning tricks your computer into going to the wrong online location, risking your data and privacy.

This can be achieved by manipulating host files, where the attacker alters host files on a user's device to resolve a domain name to the incorrect IP addresses. Rogue DNS servers are also a common culprit, as attackers set up malicious DNS servers and trick clients into using them.  

Every time you want to visit a website, your computer asks a DNS resolver – a special server that acts like a librarian – to look up the correct IP address for the web hosting location. To speed things up, this librarian keeps a record of recently looked-up numbers in their "cache," so they don't have to search the entire phone book every time.

DNS cache poisoning exploits this shortcut.  An attacker tricks the DNS resolver into associating a wrong number with a legitimate name, like listing a fake address for your bank's website.

After the attack, requests to the DNS cache server redirect the request to an incorrect entry. This "poisoned" entry remains in the cache for some time, potentially misleading multiple users until it's cleared or updated.

DNS caching is a mechanism that improves the efficiency and speed of domain name resolution. When a user's device needs to access a website, the operating system or application initiates a DNS query to resolve the domain name into an IP address.

This query is typically sent to a recursive DNS resolver, often operated by an internet service provider or a dedicated DNS provider.

The corresponding IP address will be stored in its cache if the resolver has previously resolved the same domain name. The resolver will immediately return the IP address from its cache, eliminating the need to query authoritative name servers. This process significantly reduces latency and improves website loading times for users.

However, suppose the resolver does not have the requested domain name in its cache. In that case, it will initiate a series of queries to authoritative name servers to obtain the correct IP address. DNS caching resolves primary domain names and DNS subdomains, ensuring faster access to subdomain-specific content.

This process involves querying root servers, top-level domain (TLD) servers, and the authoritative name servers for the specific domain. Once the resolver receives the IP address, it stores it in its cache for future use and returns it to the requesting device.

How Do Attackers Perform DNS Cache Poisoning?

Attackers typically employ techniques that exploit the lack of authentication and integrity checks in traditional DNS. Here's a breakdown of the DNS attack process:

Exploiting prediction and race conditions: Attackers often initiate a high volume of DNS requests for a targeted domain to a vulnerable DNS resolver.  Simultaneously, they send a forged DNS response containing a malicious IP address, hoping it arrives before the legitimate response from the authoritative name server. This exploits the resolver's predictive behaviour and creates a race condition.

Man-in-the-middle attacks: Attackers can position themselves between a user and a DNS resolver, intercepting and manipulating DNS queries and responses. By forging responses, they can redirect users to malicious websites without their knowledge. This can be achieved through ARP spoofing or compromising network infrastructure.

Compromising authoritative name servers: In some cases, attackers may gain unauthorized access to a domain's authoritative name servers. This allows them to modify the DNS records directly, effectively poisoning the entire DNS system for that domain.

It’s also worth noting that some DNS resolvers are configured as "open resolvers," meaning they accept and process DNS queries from any source on the internet. Attackers can exploit these open resolvers to amplify their attacks or to poison the caches of other resolvers that rely on them.

How to Detect, Prevent, and Fix DNS Poisoning?

DNS poisoning can be challenging to detect, but some red flags can indicate a potential issue. It could be a sign of DNS poisoning if you're unexpectedly redirected to a website that looks different or asks for login credentials when it shouldn't.

Other indicators include discrepancies in security certificates, unusual website addresses, or difficulties accessing websites that were previously accessible. Preventing DNS poisoning requires a multi-faceted approach:

1. Implement DNS security extensions (DNSSEC): DNSSEC adds a layer of authentication to DNS records, making it significantly harder for attackers to inject false information. It uses digital signatures to verify the authenticity of DNS data, ensuring that the information received by resolvers is genuine.

2. Use secure DNS resolvers: Opt for reputable DNS resolvers from trusted organisations like Google Public DNS or Cloudflare. These resolvers often employ security measures to mitigate DNS poisoning attacks.

3. Regularly update DNS software: Keep your operating system, browser, and DNS server software current. Software updates often include security patches that address known vulnerabilities exploited by attackers.

4. Monitor DNS activity: Implement network monitoring tools to track DNS queries and responses. This can help identify unusual patterns or suspicious activities that may indicate an attack.

5. Educate users: Train users to recognise potential signs of DNS poisoning, such as unexpected website redirects or requests for sensitive information. Encourage them to report any suspicious activity.

If you suspect DNS poisoning, take the following steps to fix the issue. The faster the resolution comes, the better for your organisation and your customers:

1. Flush your DNS cache: Clearing your DNS cache removes any potentially poisoned records. This can be done through command-line tools or restarting your router and devices.
    
2. Change Your DNS Server: Switch to a different, more secure DNS resolver.
    
3. Investigate and mitigate the source: If the poisoning originates from within your network, identify the compromised device or server and take appropriate action to remove the malicious software or configuration.

What is the Difference Between DNS Spoofing and DNS Poisoning?

While the terms are often used interchangeably, there's a subtle distinction between DNS spoofing and DNS poisoning. DNS spoofing is a broader term encompassing any attack that aims to falsify DNS data, including altering DNS records to redirect users to malicious websites.

DNS poisoning, or DNS cache poisoning, is a specific type of DNS spoofing that focuses on corrupting the cached DNS records on a DNS resolver. 

In essence, DNS poisoning is one method used to achieve DNS spoofing, but other techniques like man-in-the-middle attacks or compromising authoritative name servers also fall under the umbrella of DNS spoofing.

OVHcloud and DNSSEC

OVHcloud DNSSEC is the perfect way to enhance your domain's security. DNSSEC, or Domain Name System Security Extensions, is a suite of specifications that adds an extra layer of security to the Domain Name System (DNS).

DNSSEC uses digital signatures to verify the authenticity of DNS data. When a user's computer requests the IP address for your domain, OVHcloud DNSSEC verifies that the response is coming from an authorised DNS server and that the data hasn't been tampered with. Benefits of OVHcloud DNSSEC include:

• Increased security: Protect your website and users from DNS-based attacks.  
• Improved trust: Show your customers that you take their security seriously.
• Easy to activate: Enable DNSSEC with a single click in your OVHcloud control panel.