How Does DNS Work?
Every time you type a website address into your browser, the following things happen:
1. A DNS server is contacted.
Your computer reaches out to a DNS server (the DNS resolver) to find out where the site lives.
2. The resolver looks up a numerical address.
Computers only understand server addresses made up of numbers and dots. If you've never visited this site before, your computer will ask another server for help.
3. The DNS resolver completes the query.
Your human-readable address (e.g., yahoo.com) is switched to a numerical version, i.e. an IP address such as 102.154.112.217.
4. You're sent to your site.
With the correct numerical address, your browser heads to the proper server that hosts the website.
5. Data is stored.
The DNS server run by your Internet service provider stores translations from human-readable addresses to numerical ones. The result of your lookup is cached there so the next lookup is faster.
The beauty is that all this work happens in a few quick seconds, and you rarely notice any delay. But behind your screen, your computer is reaching out to others to understand where you should go next and what should happen.
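To make the five steps concrete, here is an added example (not code from the original article) that builds the DNS query a stub resolver sends for an A record, parses a reply, and keeps a TTL-bounded cache like the one in step 5. Nothing is sent over the network: the reply bytes are constructed inline, and example.com / 192.0.2.10 are documentation values, not real lookups.

```python
"""Minimal DNS wire-format walk-through (added example, not from the
original article). It builds the query a stub resolver would send for
an A record, parses a constructed reply, and keeps a TTL-bounded cache
like the one a resolver uses. No packet ever leaves the machine: the
reply bytes are constructed inline. Names and addresses are the
documentation values example.com / 192.0.2.10, not real lookups."""
import struct
import time

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0,
    followed by one question (name, type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Read a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name at its original position)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the transaction ID, question name and the A records found."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4                                # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((rname, ".".join(map(str, rdata)), ttl))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}


class ResolverCache:
    """(name, type) -> (ip, expiry). The TTL bounds how long an entry,
    including a wrong one, survives before the resolver asks upstream again."""
    def __init__(self):
        self._entries = {}

    def store(self, name, ip, ttl, now=None):
        now = time.time() if now is None else now
        self._entries[(name, QTYPE_A)] = (ip, now + ttl)

    def lookup(self, name, now=None):
        now = time.time() if now is None else now
        hit = self._entries.get((name, QTYPE_A))
        if hit is None or hit[1] <= now:
            return None                     # miss or expired: ask upstream
        return hit[0]

    def flush(self):
        self._entries.clear()               # what 'ipconfig /flushdns' does


# Constructed reply to build_query(0x1234, "example.com"): same ID,
# QR=1 RD=1 RA=1 flags, the question echoed back, and one A record
# (owner name compressed to a pointer at offset 12), TTL 300 -> 192.0.2.10.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 10])
)


def resolve_with_cache(cache: ResolverCache, response: bytes, now: float):
    """Parse a reply, cache its A record, and return the cached IP."""
    parsed = parse_response(response)
    for name, ip, ttl in parsed["answers"]:
        cache.store(name, ip, ttl, now=now)
    return cache.lookup(parsed["qname"], now=now)


if __name__ == "__main__":
    print("query bytes:", build_query(0x1234, "example.com").hex())
    c = ResolverCache()
    print("first answer:", resolve_with_cache(c, SAMPLE_RESPONSE, now=0))
    print("cached at t=299:", c.lookup("example.com", now=299))
    print("expired at t=300:", c.lookup("example.com", now=300))
```

Running the script prints the 29-byte query, then shows the cached answer being served until the 300-second TTL runs out. The 16-bit transaction ID packed at the front of the header, and the fact that the cache simply stores whatever the parsed answer says, are the two details the rest of the article turns on.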
The DNS system was developed in 1983, when the internet contained far fewer websites and servers. The developers never dreamed that anyone would want to play with the system or defraud users. That's why there is no built-in security measure for DNS. The biggest reason behind this is that DNS was built for a much smaller internet. The other reason is that your computer neither verifies the identity of the server it talks to, nor does it validate the data that comes back.
Let's take an example which makes things easier to understand.
Suppose you are a student and it is your first day on campus. But your seniors have decided to play a prank on all of you new students. Imagine that, before your arrival, they change all the room numbers on the campus layout. So what happens next? Simple: all new students get lost on campus on their first day and show up in the wrong classrooms. Now consider an even higher level of this prank: your seniors have recorded all these fake numbers in the 'campus directory' too, including all the campus layout maps. Thus, all new students will continue to head to the wrong classrooms until someone finally notices the fake numbers and corrects the 'campus directory' as well as the campus layout maps.
DNS (cache) poisoning is very similar to the scenario above. IP addresses are the 'room numbers' of the Internet, enabling web traffic to arrive in the right places. DNS resolver caches are like the 'campus directory,' and when they store faulty information, traffic goes to the wrong places until the cached information is corrected. (It is critical to note that this does not actually disconnect the real websites from their real IP addresses.)
DNS cache poisoning is a form of attack in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address, to its clients. As a result, all users who are trying to access a legitimate website are directed to a wrong or fake website.
How do attackers poison DNS caches?
Attackers can poison DNS caches by impersonating DNS nameservers: they make a request to a DNS resolver and then forge the reply when the DNS resolver queries a nameserver. This is possible because DNS servers use UDP instead of TCP, and because plain DNS has no verification of the information it carries.
The graphic here shows how it happens.
You need to remember that it is UDP that is the culprit here.
Unlike TCP, which requires both communicating parties to perform a 'handshake' to initiate communication and verify the identity of the devices, DNS requests and responses use UDP, the User Datagram Protocol. With UDP, there is no guarantee that a connection is open, that the recipient is ready to receive, or that the sender is who they say they are. UDP is vulnerable to forging for this reason – an attacker can send a message via UDP and pretend it's a response from a legitimate server by forging the header data.
If a DNS resolver receives a forged response, it accepts and caches the data uncritically because there is no way to verify if the information is accurate and comes from a legitimate source.
The Internet doesn’t just have a single DNS server, as that would be extremely inefficient. Your Internet service provider runs its own DNS servers, which cache information from other DNS servers. Your home router functions as a DNS server, which caches information from your ISP’s DNS servers. Your computer has a local DNS cache, so it can quickly refer to DNS lookups it’s already performed rather than performing a DNS lookup over and over again.
Despite these major points of vulnerability in the DNS caching process, DNS poisoning attacks are not easy. Because the DNS resolver does actually query the authoritative nameserver, attackers have only a few milliseconds to send the fake reply before the real reply from the authoritative nameserver arrives.
Attackers also have to either know or guess a number of factors to carry out DNS spoofing attacks:
- Which DNS queries are not cached by the targeted DNS resolver, so that the resolver will query the authoritative nameserver
- What port the DNS resolver is using – resolvers used to use the same port for every query, but now they use a different, random port each time.
- The request ID number
- Which authoritative nameserver the query will go to
Attackers can also compromise the DNS resolver directly, for example by hacking it or by gaining physical access to it.
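The four items above are exactly the values a resolver compares before it trusts a reply. As an added example (not code from the original article), the following model shows those resolver-side acceptance checks, plus the arithmetic behind the "random port each time" point: with a fixed source port an attacker only has the 16-bit request ID to get right, while a random port multiplies the space by roughly the number of usable ports. The Query/Reply dataclasses, the helper names, and the 64511-port figure (ports 1024 to 65535, an assumption) are all constructed for illustration; no packets are sent.

```python
"""Resolver-side acceptance checks for a DNS reply and the guess-space
arithmetic behind source-port randomization (added example, not from
the original article). A real resolver works on wire bytes; here the
query and reply are small dataclasses so the checks stand out. The
sample replies below are constructed, not captured traffic."""
from dataclasses import dataclass
from typing import List

TXID_SPACE = 1 << 16              # 16-bit request ID: 65536 possibilities
EPHEMERAL_PORTS = 65535 - 1024    # usable random source ports (assumption)


@dataclass(frozen=True)
class Query:
    txid: int          # request ID chosen by the resolver
    src_port: int      # UDP source port the resolver sent from
    qname: str         # question the resolver asked
    nameserver: str    # address of the authoritative server it asked


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int      # must equal the query's source port
    src_ip: str        # must equal the nameserver the query went to
    qname: str         # echoed question section
    answer_name: str   # owner name of the answer record
    ip: str            # the A record the reply wants cached


def accept(query: Query, reply: Reply) -> bool:
    """Checks a resolver applies before caching a reply. Each check maps
    to one of the values the article says an attacker must know or guess."""
    if reply.txid != query.txid:             # request ID must match
        return False
    if reply.dst_port != query.src_port:     # port must match
        return False
    if reply.src_ip != query.nameserver:     # must appear to come from the server asked
        return False
    if reply.qname != query.qname:           # question must be echoed back
        return False
    # Simplified bailiwick rule: only cache records for the name asked about
    # or names beneath it, so an answer cannot plant records for other domains.
    in_bailiwick = (reply.answer_name == query.qname
                    or reply.answer_name.endswith("." + query.qname))
    return in_bailiwick


def filter_replies(query: Query, replies: List[Reply]) -> List[Reply]:
    """Return only the replies the resolver would cache."""
    return [r for r in replies if accept(query, r)]


def guesses_needed(port_randomized: bool) -> int:
    """Size of the space an attacker must cover to hit the ID (and port)."""
    return TXID_SPACE * (EPHEMERAL_PORTS if port_randomized else 1)


def per_packet_success(port_randomized: bool) -> float:
    """Chance that one blindly forged reply passes the ID/port checks."""
    return 1.0 / guesses_needed(port_randomized)


# Constructed sample: one outstanding query and several candidate replies.
QUERY = Query(txid=0x1234, src_port=40000, qname="example.com",
              nameserver="192.0.2.53")
CANDIDATES = [
    Reply(0x1234, 40000, "192.0.2.53", "example.com", "example.com", "192.0.2.10"),   # genuine
    Reply(0x1235, 40000, "192.0.2.53", "example.com", "example.com", "203.0.113.5"),  # wrong ID
    Reply(0x1234, 40001, "192.0.2.53", "example.com", "example.com", "203.0.113.5"),  # wrong port
    Reply(0x1234, 40000, "198.51.100.9", "example.com", "example.com", "203.0.113.5"),# wrong source
    Reply(0x1234, 40000, "192.0.2.53", "example.com", "www.example.net", "203.0.113.5"),  # out of bailiwick
]

if __name__ == "__main__":
    for r in filter_replies(QUERY, CANDIDATES):
        print("would cache:", r.answer_name, "->", r.ip)
    print("fixed port, guesses needed:", guesses_needed(False))
    print("random port, guesses needed:", guesses_needed(True))
```

Only the first candidate survives; the others each fail exactly one check. The two printed counts (65,536 versus about 4.2 billion) are why the article can say that port randomization turned a feasible race into an impractical one, and why the remaining defences it names (DNSSEC, cache flushing) still matter for the cases these checks do not cover.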
The Great Firewall of China Spreads to the US in 2010
This isn’t just a theoretical problem — it has happened in the real world on a large scale. One of the ways China’s Great Firewall works is through blocking at the DNS level. In 2010, an Internet service provider outside of China mistakenly configured its DNS servers to fetch information from DNS servers in China. It fetched the incorrect DNS records from China and cached them on its own DNS servers. Other Internet service providers fetched DNS information from that Internet service provider and used it on their DNS servers. The poisoned DNS entries continued to spread until some people in the US were blocked from accessing Twitter, Facebook, and YouTube on their American Internet service providers. The Great Firewall of China had “leaked” outside of its national borders, preventing people from elsewhere in the world from accessing these websites. This essentially functioned as a large-scale DNS poisoning attack.
How can DNSSEC help prevent DNS poisoning?
DNSSEC is short for Domain Name System Security Extensions, and it is a means of verifying DNS data integrity and origin. Much like TLS/SSL, DNSSEC uses public key cryptography (a way of digitally signing information) to verify and authenticate data: a validating resolver checks the signature on each record set against the zone's published public key, so a forged response that carries no valid signature is rejected instead of cached. DNSSEC extensions were published in 2005, but DNSSEC is not yet mainstream, leaving DNS still vulnerable to attacks. The problem is that DNSSEC never gained momentum.
How To Prevent DNS Poisoning?
Website owners and DNS service providers share the responsibility of defending users from DNS attacks.
As a user, you can do at least one thing: KEEP FLUSHING YOUR DNS CACHE. For example, Windows users can open Command Prompt or PowerShell and run the command: ipconfig /flushdns
Please let me know what you think about this in the comment section. You can also share it with others if the information here helps you in some manner.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles/posts on cybersecurity.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...