DNS spoofing

from Wikipedia, the free encyclopedia

DNS spoofing, also known as DNS cache poisoning, is an attack in which forged Domain Name System entries are placed in the cache of a DNS resolver, so that the name server returns an incorrect answer, e.g. a wrong IP address. This redirects traffic to the attacker's computer (or another computer) (man-in-the-middle attack). The term literally means poisoning of the DNS cache.

Overview of the Domain Name System

DNS works in a similar way to directory inquiries. The user knows the domain (the name of a computer on the Internet that people can remember), for example example.org. The client sends this as a request on the Internet. The DNS then converts the domain into the associated IP address (the "connection number" on the Internet), for example an IPv4 address of the form 192.0.2.42 or an IPv6 address such as 2001:db8:85a3:8d3:1319:8a2e:370:7347, and thus leads to the correct computer. If the DNS server does not know the requested translation, it asks another server, and the process continues recursively. To increase performance, the servers store the translations in their cache for a certain period of time. If a server receives the same request again while the cache entry has not expired, it can answer it without contacting another server.

If a DNS server receives an incorrect translation and caches it for performance reasons, it is said to be poisoned. The server also forwards the incorrect information to its clients. A poisoned DNS cache returns an incorrect IP address that redirects traffic to another computer, possibly that of an attacker.

DNS cache poisoning attacks

Typically, a computer connected to the Internet uses the DNS server of its Internet Service Provider (ISP) or a corporate network DNS server. DNS servers are used in corporate networks for faster name resolution, especially since they cache previous requests. DNS cache poisoning attacks against a single DNS server can be carried out directly against the affected server or indirectly via its downstream servers, which it asks in turn during name resolution.

In order to carry out a DNS cache poisoning attack, the attacker usually uses vulnerabilities in the DNS software, so-called exploits. A DNS server should validate the correctness of the DNS resolution to ensure that the data comes from an authorized source. This can be done, for example, by using DNSSEC; otherwise the server may cache the wrong data locally and even answer new queries from other users with that wrong data.

This type of attack can be used to direct a user from the actual website to the attacker's website. For example, an attacker can replace the DNS entries, i.e. the IP address, of a website on a selected DNS server with the IP address of a web server that the attacker has brought under his control. The attacker also creates files on his web server that correspond to those of the original web server. These files or links usually contain malicious content, such as a computer worm or a computer virus. A user who arrives at a website via a poisoned DNS server will now trust without hesitation malicious software that they would not have accepted from an unknown website. This attack technique can also be used for phishing attacks, in which the user is persuaded to enter personal data such as bank information or credit card details.

Variants

In the following variants, the entries for the server ns.target.example are changed using DNS cache poisoning and the user is redirected to the attacker's server w.x.y.z. These attacks assume that the DNS server for target.example is ns.target.example.

To successfully carry out the attack, the attacker must get the DNS server to make a request for a domain that the attacker controls.

Redirection to the DNS server of the target domain

The first variant of DNS cache poisoning consists in having the DNS server of the attacker's domain refer to the DNS server of the target domain and at the same time assigning an IP address chosen by the attacker to that DNS server.

DNS server query: What are the addresses of subdomain.attacker.example?

subdomain.attacker.example. IN A

Reply of the attacker:

Answer:
(no response)
Authority section:
attacker.example. 3600 IN NS ns.target.example.
Additional section:
ns.target.example. IN A w.x.y.z

A vulnerable DNS server would cache the additional A record (IP address) for ns.target.example, so that the attacker can resolve queries for the entire target.example domain.

Redirection of the NS entry to another target domain

The second variant of DNS cache poisoning consists in redirecting the name server of another domain, which has nothing to do with the user's request, to an IP address selected by the attacker.

DNS server query: What are the addresses of subdomain.attacker.example?

subdomain.attacker.example. IN A

Reply of the attacker:

Answer:
(no response)
Authority section:
target.example. 3600 IN NS ns.attacker.example.
Additional section:
ns.attacker.example. IN A w.x.y.z

A vulnerable server would cache the unrelated authoritative information for the NS entry (name server entry) of target.example, so that the attacker can resolve requests for the entire target.example domain.

Prevention and mitigation of the attack scenario

Many DNS cache poisoning attacks can be prevented by trusting the information from other DNS servers less and ignoring records that have nothing to do with the query. In addition, BIND versions above 9.5.0-P1 use a random source port for outgoing DNS queries, chosen with cryptographically secure random numbers, together with a random transaction ID (nonce). This greatly reduces the probability that a forged response is accepted, since the attacker has to guess both values and win the race against the legitimate answer.
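The following is an added example (not code from any DNS implementation) of the "ignore unrelated records" check, known as a bailiwick check, applied to the two variants above. It parses the records in the text form used on this page, and the zone name passed in is an assumption: the resolver is taken to have asked the server responsible for attacker.example.

```python
# Bailiwick check for the authority and additional sections of a DNS reply.
# A record is kept only if its owner name lies inside the zone the queried
# server is responsible for; glue (additional A/AAAA) is kept only for a name
# server that an accepted NS record actually names.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, lower case, with trailing dot
    rtype: str   # e.g. "A", "NS"
    rdata: str


def norm(name: str) -> str:
    """Lower-case and make fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_record(line: str) -> Record:
    """Parse 'name [ttl] IN TYPE rdata' as written in the examples above."""
    parts = line.split()
    if parts[1].isdigit():          # TTL is optional in the page's notation
        del parts[1]
    name, klass, rtype, rdata = parts[0], parts[1], parts[2].upper(), " ".join(parts[3:])
    if klass != "IN":
        raise ValueError(f"unsupported class in record: {line!r}")
    if rtype in ("NS", "CNAME"):
        rdata = norm(rdata)         # rdata is a domain name for these types
    return Record(norm(name), rtype, rdata)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a proper subdomain of it."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)


def sanitise_response(zone: str, authority: list[str], additional: list[str]) -> dict:
    """Return the records a cautious resolver may cache, plus those it dropped."""
    auth = [parse_record(l) for l in authority]
    kept_auth = [r for r in auth if in_bailiwick(r.name, zone)]
    dropped = [r for r in auth if not in_bailiwick(r.name, zone)]
    accepted_ns = {r.rdata for r in kept_auth if r.rtype == "NS"}
    kept_add = []
    for r in (parse_record(l) for l in additional):
        if in_bailiwick(r.name, zone) and r.name in accepted_ns:
            kept_add.append(r)
        else:
            dropped.append(r)
    return {"authority": kept_auth, "additional": kept_add, "dropped": dropped}
```

For variant 1 the check drops the glue A record for ns.target.example, so the resolver must look that name up through target.example's own delegation; for variant 2 it drops the out-of-zone NS record for target.example outright.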

However, if routers, firewalls, proxies and other gateways perform network address translation (NAT), or more precisely port address translation (PAT), they rewrite the source port in order to track connection state. As a result, PAT can cancel out this randomness again.

Secure DNS (DNSSEC) protects the transmission of resource records with digital signatures, so that a validating resolver can recognise forged records. DNSSEC can therefore withstand DNS cache poisoning attacks.

This type of attack can also be countered at the transport or application layer by end-to-end validation after the connection has been established. A common example is the use of Transport Layer Security with digital signatures, such as HTTPS. This allows users to verify that the server's digital certificate is valid and belongs to the actual owner of the website.
