I find myself fond of DNS, as I’m sure most of you do. After all, if we had to search up websites by their IP address instead of putting in a name, we’d be less thrilled about actually using the Internet. What would you remember more? www.disney.com or 192.168.10.11?
While DNS has been nothing but convenient for us, there is a certain risk in the way that DNS works and is implemented. Security-wise, DNS is at risk of what is known as “cache poisoning”, also known as DNS spoofing. While this can be harmless, cybercriminals have used this form of sabotage as a way to trick users into visiting the wrong sites. So, what is it, how does it work, and how can you avoid it?
What is Cache Poisoning?
With DNS, a website name has an IP address linked to it. If you search for the aforementioned Disney.com, the connection will ask for the DNS information for Disney.com so it can receive an IP address. Quick, simple, and convenient for the user.
This is done by servers known as DNS “resolvers”. They “resolve” the domain name into an IP address that a computer can understand. But, resolvers cannot verify the information that is input into it, which leads to the risk of cache poisoning.
Cache poisoning occurs when false information is logged into a DNS cache. If someone wanted to, they could sabotage the DNS cache of Disney.com to lead to iwantyourmoney.com. No one is safe from this type of sabotage, not even entities such as the U.S. government.
How Does it Work?
When you search for a website, your search engine will make a request to a DNS resolver asking for the IP address. The IP address is then handed down to the search engine so you can connect to the site in question.
All an attacker would need to do to poison a DNS cache is to impersonate a DNS nameserver, send a request to a DNS resolver, and then forge the reply. Essentially, the attacker just switched the bathroom signs and let people walk into the wrong one.
Why Does it Work Like That?
DNS is a byproduct of the time when the Internet was on a small-scale, only being used for specific locations like universities. No one was ready to predict that DNS would be used for attacks, and that’s why it uses UDP.
UDP is a protocol that essentially lets data go unsupervised. While it’s not that secure, it’s pretty fast, which is why it’s mostly in use today for sites such as YouTube, Twitch, Netflix, etc., where speed is the difference between a 2-second buffer and a 5-minute buffer.
For a more secure form of DNS, we’d want to use TCP, which requires verification on both ends of the connection. Sure. It’s slower than UDP, but it doesn’t matter when it comes to things like DNS. The peace of mind that TCP would bring is worth the couple extra seconds that is gained by the use of TCP.
Preventing Cache Poisoning
So, while the process of cache poisoning sounds easy, it’s actually pretty difficult for an attacker to successfully poison a DNS cache. There are dozens of variables that an attacker would need to predict in order to reap success, such as the port that the DNS resolver is using, the request ID number, if the cache is even targeted by the DNS resolver in the first place, etc.
If you are truly worried about becoming the victim of DNS cache poisoning, there are ways to check if you are at risk of becoming a victim of such attacks. Alternatively, there are also tools to help you find out if you are experiencing DNS leaks, which is when your DNS server is leaking your IP information. Either way, a heads-up would help you prepare and upgrade your security.
Other than preparing, there really isn’t much that can be done until a more secure form of DNS becomes mainstream, such as DNSSEC, which requires verification for a DNS request.