What is DNS Cache Poisoning and DNS Spoofing?

DNS Spoofing and Poisoning Definition

Domain Name System (DNS) poisoning and spoofing are types of cyberattack that exploit DNS server vulnerabilities to divert traffic away from legitimate servers towards fake ones. Once you’ve traveled to a fraudulent page, you may be puzzled on how to resolve it — despite being the only one who can. You’ll need to know exactly how it works to protect yourself.

DNS spoofing and by extension, DNS cache poisoning are among the more deceptive cyberthreats. Without understanding how the internet connects you to websites, you may be deceived into thinking a website itself is hacked. In some cases, it may just be your device. Even worse, cybersecurity suites can only stop some of the DNS spoof-related threats.

What is a DNS and What is a DNS Server?

You might be wondering, “what is a DNS?” To reiterate, DNS stands for “domain name system.” But before we explain DNS servers, it’s important to clarify the terms involved with this topic.

An Internet Protocol (IP) address is the number string ID name for each unique computer and server. These IDs are what computers use to locate and “talk” to each other.

A domain is a text name that humans use to remember, identify, and connect to specific website servers. For example, a domain like “www.example.com” is used as an easy way to understand the actual target server ID — i.e. an IP address.

A domain name system (DNS) is used to translate the domain into the corresponding IP address.

Domain name system servers (DNS servers) are a collective of four server types that compose the DNS lookup process. They include the resolving name server, root name servers, top-level domain (TLD) name servers, and authoritative name servers. For simplicity, we’ll only detail the specifics on the resolver server.

Resolving name server (or recursive resolver) is the translating component of the DNS lookup process residing in your operating system. It is designed to ask — i.e. query — a series of web servers for the target IP address of a domain name.

Now that we’ve established a DNS definition and general understanding of DNS, we can explore how DNS lookup works.

How DNS Lookup Works

When you search for a website via domain name, DNS does the following:

1. Your web browser and operating system (OS) attempt to recall the IP address attached to the domain name. If visited previously, the IP address can be recalled from the computer’s internal storage, or the memory cache.
2. The process continues if neither component knows where the destination IP address is.
3. The OS queries the resolving name server for the IP address. This query starts the search through a chain of servers to find the matching IP for the domain.
4. Ultimately, the resolver will find and deliver the IP address to the OS, which passes it back to the web browser.

The DNS lookup process is the vital framework used by the entire internet. Unfortunately, criminals can abuse vulnerabilities in DNS meaning you’ll need to be aware of possible redirects. To help you, let’s explain what DNS spoofing is and how it works.

How DNS Cache Poisoning and Spoofing Works

In regard to DNS, the most prominent threats are two-fold:

1. DNS spoofing is the resulting threat which mimics legitimate server destinations to redirect a domain’s traffic. Unsuspecting victims end up on malicious websites, which is the goal that results from various methods of DNS spoofing attacks.
2. DNS cache poisoning is a user-end method of DNS spoofing, in which your system logs the fraudulent IP address in your local memory cache. This leads the DNS to recall the bad site specifically for you, even if the issue gets resolved or never existed on the server-end.

Methods for DNS Spoofing or Cache Poisoning Attacks

Among the various methods for DNS spoof attacks, these are some of the more common:

Man-in-the-middle duping: Where an attacker steps between your web browser and the DNS server to infect both. A tool is used for a simultaneous cache poisoning on your local device, and server poisoning on the DNS server. The result is a redirect to a malicious site hosted on the attacker’s own local server.

DNS server hijack: The criminal directly reconfigures the server to direct all requesting users to the malicious website. Once a fraudulent DNS entry is injected onto the DNS server, any IP request for the spoofed domain will result in the fake site.

DNS cache poisoning via spam: The code for DNS cache poisoning is often found in URLs sent via spam emails. These emails attempt to frighten users into clicking on the supplied URL, which in turn infects their computer. Banner ads and images — both in emails and untrustworthy websites — can also direct users to this code. Once poisoned, your computer will take you to fake websites that are spoofed to look like the real thing. This is where the true threats are introduced to your devices.

Risks of DNS Poisoning and Spoofing

DNS spoofing poses several risks, each putting your devices and personal data in harm’s way.

Data theft can be particularly lucrative for DNS spoof attackers. Banking websites and popular online retailers are easily spoofed, meaning any password, credit card or personal information may be compromised. The redirects would be phishing websites designed to collect your info.

Malware infection is yet another common threat with DNS spoofing. With a spoof redirecting you, the destination could end up being a site infested with malicious downloads. Drive by downloads are an easy way to automate the infection of your system. Ultimately if you’re not using internet security, you’re exposed to risks like spyware, keyloggers or worms.

Halted security updates can result from a DNS spoof. If spoofed sites include internet security providers, legitimate security updates will not be performed. As a result, your computer may be exposed to additional threats such as viruses or Trojans.

Censorship is a risk that is actually commonplace in some parts of the world. For example, China uses modifications to the DNS to ensure all websites viewed within the country are approved. This nation-level block, dubbed the Great Firewall, is one example of how powerful DNS spoofing can be.

Specifically, eliminating DNS cache poisoning is difficult. Since cleaning an infected server does not rid a desktop or mobile device of the problem, the device will return to the spoofed site. Furthermore, clean desktops connecting to an infected server will be compromised again.

How to Prevent DNS Cache Poisoning and Spoofing

When looking to prevent DNS spoofing, user-end protections are limited. Website owners and server providers are a bit more empowered to protect themselves and their users. To appropriately keep everyone safe, both parties must try to avoid spoofs.

Prevention Tips for Website Owners and DNS Server Providers

As a website owner or DNS server provider, the responsibility to defend users is firmly in your hands. You can implement various protective tools and protocols to keep threats out. Among these resources, you would be wise to use some of the following:

1. DNS spoofing detection tools: As an equivalent of endpoint user security products, these detection tools proactively scan all data received before sending it out.
2. Domain name system security extensions (DNSSEC): Essentially a DNS “verified real” label, the DNSSEC system helps keep DNS lookup authentic and spoof-free.
3. End-to-end encryption: Encrypted data sent for DNS requests and replies keeps criminals out as they won’t be able to duplicate the unique security certificate for the legitimate website.

Prevention Tips for Endpoint Users

Users are particularly vulnerable in these to avoid being a victim of a DNS poisoning attack, you should follow these simple tips:

1. Never click on a link you don't recognize. This includes email, text messages, or links in social media. Tools that shorten URLs can further mask link destinations, so avoid those as much as possible. To be especially safe, always opt to manually enter a URL into your address bar. But only do so after you’ve confirmed that it is official and legitimate.
2. Regularly scan your computer for malware. While you may not be able to detect DNS cache poisoning, your security software will help you uncover and remove any secondary infections. Since spoofed sites can deliver all types of malicious programs, you should always be scanning for viruses, spyware, and other hidden issues. The inverse is also possible, as malware could deliver spoofs. Always do so using a local program rather than a hosted version, since poisoning could spoof web-based results.
3. Flush your DNS cache to solve poisoning if necessary. Cache poisoning stays within your system for the long-term unless you clean out the infected data. This process can be as simple as opening the Windows “Run” program and typing “ ipconfig /flushdns” as your command. Mac, iOS, and Android also have flush options. These are usually found in a “network settings reset” option, toggling airplane mode, via device reboot, or in a specific native web browser URL. Look up your specific device’s method for guidance.
4. Use a virtual private network (VPN). These services give you an encrypted tunnel for all your web traffic and use of private DNS servers that exclusively use end-to-end encrypted requests. The result gives you servers that are far more resilient against DNS spoofing, and requests that can’t be interrupted.

Don’t leave yourself vulnerable to DNS spoofing and malware attacks. Protect yourself today with Kaspersky Security Cloud — available for both Windows PC and Mac iOS.

Related articles:

• What is Botnet?
• Infographic: Vulnerable Software
• Social Engineering Threats
• Top 10 Most Notorious Hackers of All Time
• Mobile Malware Threats to Watch out for!