DNS Cache Poisoning Attack

What is DNS?

DNS (Domain Name Service) is a service that runs on all of our computers. DNS converts domain names to their allocated IP addresses so that browsers can connect to internet resources. We actually access websites and web applications through domain names, for example, facebook.com, twitter.com, etc.

Every device connected to the Internet has a unique IP address. These addresses are used to find the device or the server over the Internet. DNS servers remember which IP address is allocated to which domain name. This eliminates the need to specify the IP address of a server or device in order to access it.

How does DNS work?

DNS resolution is the conversion of a domain name such as example.com into an IP address that a computer understands, for example 192.168.1.1, 84.49.21.10, etc. When a user types a URL into the web browser, the translation occurs and the server is located. DNS works in the background and requires no interaction from the user.

Suppose you want to access google.com from your computer. Your computer doesn't know where the server is. All it knows is the domain name you have put in the URL bar of your browser. The computer therefore asks the ISP (Internet Service Provider) for google.com. The ISP server has a cache that it can look up: if someone has been to google.com lately, that server already knows the IP address and sends the information back to us. But let us assume that it doesn't have google.com cached.

So now the DNS query goes to the recursive DNS resolver. This is a server that responds to recursive requests from clients and tracks down the DNS records. Recursive means that it makes a series of requests until it finds the authoritative DNS server, which holds the actual DNS records. A recursive DNS server doesn't always have to make these requests in order to find the authoritative DNS server. The reason for this is caching, a data persistence step that stores the answers to previous DNS lookups.

DNS Cache Poisoning

DNS cache poisoning is essentially a flaw in DNS where an attacker can inject a malicious IP address into a name server. The attacker can change the destination IP address for different name servers. Suppose the recursive server sends a request with 1000 as its ID. While this request is outstanding, an attacker has an opportunity to send back a different response with a query ID of 1000 that points to a different server. This server might host malware or some other malicious content to gather sensitive information. What happens is that the attacking machine sends a stream of multiple responses to the request with an ID of 1000. For example, the request is for the name server google.com, and the attacker's machine sends a response that says it is google.com.

For this to work, the query ID must be correct, and the response must reach the victim before the actual name server responds to the request. The recursive servers work on the principle that the ID is incremented after each request is processed. So, for example, if the request ID is 1000, then the next request IDs are 1001, 1002, and so on. The attacker uses this principle and spams multiple responses to the request and to the requests that follow it. So not only is the response for a specific name server changed, it is also cached in the ISP server or the recursive DNS server, where it is going to be valid for 20 days.

Post Exploitation

After the malicious response is cached, that IP address is sent back to the victim. The attacker can then do several things to compromise the victim. For example, sending malware that gives a reverse shell or a backdoor to the attacking computer. Or hosting a web application login screen to sniff the credentials on the attacking server, and then redirecting the request to the original web server. This attack is a classic phishing attack. The attacker can also serve the victim ransomware or a botnet.

To mitigate this attack, DNS servers have randomized the request IDs and also the source ports on which the response comes back.
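
The following added example (not part of the original article) models the resolver-side acceptance check and shows how much the mitigation shrinks the space a forged response has to guess. The class and function names, the fixed port 53 and the 1024-65535 source-port range are assumptions made for illustration.

```python
import secrets

ID_SPACE = 2 ** 16          # the DNS transaction ID is a 16-bit field
PORT_SPACE = 65536 - 1024   # assumption: source ports drawn from 1024-65535


class PendingQuery:
    """What a resolver remembers about one outstanding query (toy model)."""

    def __init__(self, qname, txid, src_port):
        self.qname, self.txid, self.src_port = qname, txid, src_port

    def accepts(self, resp_qname, resp_txid, resp_dst_port):
        # Cache a response only if name, ID and port all match the query.
        return (resp_qname.lower() == self.qname.lower()
                and resp_txid == self.txid
                and resp_dst_port == self.src_port)


def sequential_query(qname, last_txid, fixed_port=53):
    """Old behaviour from the article: ID = previous ID + 1, one fixed port."""
    return PendingQuery(qname, (last_txid + 1) % ID_SPACE, fixed_port)


def randomized_query(qname):
    """Mitigated behaviour: ID and source port come from a CSPRNG."""
    port = 1024 + secrets.randbelow(PORT_SPACE)
    return PendingQuery(qname, secrets.randbelow(ID_SPACE), port)


def forge_probability(n_guesses, guess_space):
    """Chance that one of n distinct blind guesses hits a uniform secret."""
    return min(1.0, n_guesses / guess_space)


def compare(n_guesses=1000):
    """Forgery odds per outstanding query for each resolver behaviour."""
    return {
        "sequential id, fixed port": 1.0,  # next ID is known, only the race remains
        "random id, fixed port": forge_probability(n_guesses, ID_SPACE),
        "random id, random port": forge_probability(
            n_guesses, ID_SPACE * PORT_SPACE),
    }


if __name__ == "__main__":
    for mode, p in compare().items():
        print(f"{mode:28s} {p:.2e}")
```

With 1000 forged responses per outstanding query, a random ID alone leaves roughly a 1.5% chance of a match, while a random ID plus a random source port brings it down to about 2.4e-07.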
