Cybersecurity — P7: DNS Poisoning

Protect the internet’s phone book

DNS (Domain Name System) servers take the domain names we type in and return the matching IP addresses. Modifying a DNS record can send someone to an IP address they were not expecting. It’s less common now, but it still happens.

Why is DNS poisoning so dangerous?

The user is not clicking a link that takes them to a different website. The victim types in the correct domain name, like medium.com, and is instead directed to the attacker’s website. The attacker can then collect whatever information they want, as long as the user doesn’t notice anything wrong.

There are several places an attacker can get in, so even if your own network is protected it can still be affected, since the attacker could have poisoned the record on a DNS server outside of your network.

How does DNS work?

This is a typical example of how DNS resolution works.

  • A user types in a domain name, like medium.com.
  • The user’s computer checks whether the domain has already been resolved. Previous answers are stored in the local cache.
  • If the resolution isn’t found on the user’s computer, it checks with the router. The router runs a DNS server as well.
  • If the resolution isn’t found on the router (home or business), it checks with a domain DNS server, like the one for .com.
  • The domain DNS server directs the query to another DNS server that knows how to resolve the domain name.
  • The IP address is sent back to the domain DNS server.
  • The domain DNS server sends the IP address back to the router.
  • The router stores the IP address in the routing table and sends the IP address back to the user.
  • The user’s machine stores the IP address in its host table.

How does DNS poisoning work?

One method is to modify the client’s hosts file, which lives on the user’s computer. The hosts file takes precedence over DNS queries, so if an attacker had access to this file, they could direct that user to whichever IP address they wanted.

This is a very targeted attack, since it would require the attacker to change the contents of the hosts file on each computer. That is why attackers prefer to change the records on the DNS server, which means the attacker would need control of the DNS server itself.
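Because the hosts file is consulted before any DNS query, checking it for unexpected entries is a cheap defensive control. The following audit routine is an added example written for this post, not code from the original article: it parses hosts-file text, skips the usual loopback entries, and flags any public-looking hostname that has been pinned to an address, plus any domain on an operator-supplied watch list. The sample hosts content and the watch list are constructed for the demonstration; point `parse_hosts` at the real file contents (`/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`) to run it on a live machine.

```python
import ipaddress

# Constructed sample of a hosts file (not taken from any real machine).
SAMPLE_HOSTS = """
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.10 printer.lan
203.0.113.45 medium.com www.medium.com   # public site pinned to a fixed address
"""

# Names that legitimately live in every hosts file when they point at loopback.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}

# Suffixes that indicate an internal name; overrides for these are expected.
INTERNAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home", ".internal")


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping, ignoring comments and blanks."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not a usable mapping
        for name in parts[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def suspicious_entries(text, watch_domains=()):
    """Flag mappings that override public names or pin a watched domain to an address."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in LOCAL_NAMES and addr.is_loopback:
            continue  # normal loopback bookkeeping
        watched = any(name == d or name.endswith("." + d) for d in watch_domains)
        looks_public = "." in name and not name.endswith(INTERNAL_SUFFIXES)
        if watched or looks_public:
            findings.append({
                "line": line_no,
                "name": name,
                "ip": ip,
                "reason": "watched domain" if watched else "public name overridden",
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS, watch_domains=("medium.com",)):
        print(finding)
```

Any finding deserves a look: a hosts file on an end-user machine rarely has a legitimate reason to carry entries for public domains, and an entry for a name your organisation cares about is the exact artifact this section describes.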

So how does that work? The regular flow of events, simply speaking, is as follows:

  • A user on the network types in a URL in their browser.
  • The browser sends that request to a DNS server.
  • The DNS server returns the IP address that’s stored in the server to the user.
  • The user is directed to the legitimate website.

What about a poisoned DNS server? The hacker would have accessed the DNS server and changed the IP address for one or more of the records.

  • The user on the network types in a URL in their browser.
  • The browser sends that request to the DNS server.
  • The DNS server returns the poisoned IP address that’s stored in the server to the user.
  • The user is directed to the hacker’s website.

How does DNS cache poisoning (spoofing) work?

When a DNS server receives a translation of a domain name to an IP address, it caches that information. The cache entry expires after a period defined by the TTL (Time to Live) field. Once the TTL expires, the resolution process has to be repeated. That means that once an answer is cached, it takes some time before it expires.

So how does it work? The attacker sends a request to the DNS server. While the DNS server is waiting for the authoritative nameserver to respond, the attacker pretends to be the authoritative nameserver and sends a reply, shaped like the one the DNS server is expecting, that carries the attacker’s IP address. The DNS server accepts the IP and caches it, so all legitimate requests for that name are redirected to the newly cached malicious site.

Solutions

The reason poisoning is possible at all is that DNS servers use UDP. UDP (User Datagram Protocol) is vulnerable because there is no check that the sender is legitimate, or that a connection is open and the recipient is ready to receive the data.

Implementing DNSSEC (DNS Security Extensions) is the way to protect against DNS cache poisoning.

Another measure that should be implemented is to adjust the TTL so that entries expire sooner. That way, the cache is refreshed sooner rather than later.
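To make the race described in the cache-poisoning section concrete, and to show what a shorter cache lifetime buys, here is a toy caching resolver written as an added example for this post (it is not code from the article, and not a real resolver implementation). It builds and parses uncompressed DNS messages with the standard library, keeps a table of outstanding queries keyed by transaction ID and source port, and caches an answer only when the reply matches that table on ID, port, source address and question. A forged reply that guesses the wrong ID is dropped; the genuine reply is cached, but for no longer than an operator-chosen `max_ttl`. The names, addresses, transaction IDs and the fake clock are all constructed for the demonstration.

```python
import struct
import time


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode labels at offset; constructed messages here never use compression."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_response(txid, qname, ip, ttl):
    """Constructed A response: header (QR/RD/RA), echoed question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_response(msg):
    """Pull the transaction id, question and A answers out of a response."""
    txid, _flags, _qd, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "qname": qname, "qtype": qtype, "answers": answers}


class CachingResolver:
    """Toy resolver: outstanding-query table, reply validation, TTL-bounded cache."""

    def __init__(self, clock=time.monotonic, max_ttl=None):
        self.clock = clock
        self.max_ttl = max_ttl  # operator cap on how long any answer is kept
        self.pending = {}       # (txid, src_port) -> (qname, upstream_ip)
        self.cache = {}         # qname -> (ip, expires_at)

    def lookup(self, qname):
        """Return the cached IP while its TTL is unexpired, otherwise None."""
        hit = self.cache.get(qname)
        return hit[0] if hit and hit[1] > self.clock() else None

    def send_query(self, qname, txid, src_port, upstream_ip):
        """Record the outstanding query (a real resolver randomises txid and port)."""
        self.pending[(txid, src_port)] = (qname, upstream_ip)

    def receive(self, msg, src_ip, dst_port):
        """Cache an answer only if the reply matches an outstanding query on every field."""
        resp = parse_response(msg)
        key = (resp["txid"], dst_port)
        if key not in self.pending:
            return "rejected: no outstanding query with this id/port"
        qname, upstream_ip = self.pending[key]
        if src_ip != upstream_ip:
            return "rejected: reply came from an unexpected address"
        if resp["qname"] != qname or resp["qtype"] != 1:
            return "rejected: question section does not match"
        del self.pending[key]
        for name, ip, ttl in resp["answers"]:
            if name != qname:   # only cache the name we actually asked about
                continue
            if self.max_ttl is not None:
                ttl = min(ttl, self.max_ttl)
            self.cache[qname] = (ip, self.clock() + ttl)
        return "accepted"


def demo():
    """Forged reply, genuine reply, then TTL expiry, all on a constructed fake clock."""
    now = [1000.0]
    r = CachingResolver(clock=lambda: now[0], max_ttl=300)
    r.send_query("example.test", txid=0x1A2B, src_port=40001, upstream_ip="192.0.2.53")
    # Forged reply with a guessed (wrong) transaction id and a long TTL: dropped.
    forged = build_response(0x1A2C, "example.test", "203.0.113.9", 86400)
    verdict_forged = r.receive(forged, src_ip="192.0.2.53", dst_port=40001)
    # Genuine reply from the upstream server: accepted, but cached for at most max_ttl.
    genuine = build_response(0x1A2B, "example.test", "198.51.100.10", 3600)
    verdict_genuine = r.receive(genuine, src_ip="192.0.2.53", dst_port=40001)
    cached = r.lookup("example.test")
    now[0] += 301  # step past the capped TTL
    return verdict_forged, verdict_genuine, cached, r.lookup("example.test")
```

Two points of this model carry over to real resolvers. First, because UDP carries no sender proof, the only things standing between a forged reply and the cache are the checks in `receive`: unpredictable transaction ID and source port, a matching question, and refusing answers for names outside the question. Second, `max_ttl` is the resolver-side version of the "shorter TTL" advice above: it bounds how long any cached answer, good or bad, survives, but it does not prevent poisoning, which is why DNSSEC validation is still the actual fix.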

Summary

DNS poisoning plays a big role in censorship. Governments can poison the cache of a DNS server and direct traffic wherever they like. Definitely a scary one.
