01/17/2010 05:07:58 PM
Originally posted 26 Apr 2003
A cache is a local store of information (or munitions). Security researchers and practitioners have demonstrated that the trust relationship on which DNS relies is weak: an attacker can inject false information into the local cache of a DNS resolver that caches DNS response messages. By doing so, the attacker substitutes domain name/IP address bindings of his choice for the legitimate ones in DNS reply messages. This is called “poisoning” the DNS, and poisoned name server databases can be used for a variety of attacks.
A Concise Definition for DNS Cache Poisoning
Christopher Schuba described the basic name spoofing attack in his master’s thesis from Purdue in 1993. It’s succinct and correct. I’ll reproduce it here:
“Many security problems of the TCP/IP protocol suite rely on the ability of the attacker to spoof the IP address of a trusted machine, as described in [Bel89]. As hosts trust each other, usually on the basis of host names, an attacker can take the easier approach and spoof a host’s name instead of its IP address.
“If a host named HA accesses another host named NSA, host NSA accepts the connection and retrieves address information about the connecting host HA. Host NSA reads host HA’s IP address and converts it into a regular host name. To bind the right name to the IP address, host NSA starts a Domain Name System query in the reverse lookup tree.
“For a pair of machines NSB and HB under the power of an attacker, with NSB running a primary name server for a certain zone, and HB trying to fake HA’s identity, it is easy to make NSA believe HB was HA. HB connects to NSA and claims to be HA, NSA retrieves HB’s IP address 111.22.33.4 and queries the name 4.33.22.111.in-addr.arpa from the Domain Name System. One single entry in the authoritative data for the reverse lookup tree for NSB’s zone specifies the IP address-to-name mapping between 4.33.22.111.in-addr.arpa and HB. If the attacker replaces this line by a mapping between 4.33.22.111.in-addr.arpa and HA, NSA’s resolution attempt will finally grant HB access to NSA.”
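To make the thesis scenario concrete from the defender's side, here is an added example (not from the original post or from Schuba's thesis) of the forward-confirmed reverse DNS check that defeats it: the PTR name an attacker-controlled reverse zone returns is only trusted if the name's own forward record resolves back to the connecting address. The zone records, host names and the offline lookup function are constructed assumptions; in production the lookup would perform real DNS queries.

```python
# Forward-confirmed reverse DNS (FCrDNS) check against the name-spoofing
# attack: the attacker controls the reverse zone for 111.22.33.4 and can make
# its PTR record claim to be HA, but does not control HA's forward zone, so
# resolving the claimed name back to an address exposes the lie.
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data modelling the thesis scenario (hypothetical names).
# The attacker's reverse zone maps 111.22.33.4 to HA's name; HA's real forward
# zone (not attacker-controlled) still points at HA's real address.
FAKE_ZONES: Dict[Tuple[str, str], List[str]] = {
    ("4.33.22.111.in-addr.arpa", "PTR"): ["ha.example.org"],  # attacker's lie
    ("ha.example.org", "A"): ["192.0.2.10"],                  # HA's true address
    ("10.2.0.192.in-addr.arpa", "PTR"): ["ha.example.org"],   # HA's honest PTR
}


def fake_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS query; returns [] for NXDOMAIN / no data."""
    return FAKE_ZONES.get((name, rtype), [])


def forward_confirmed_names(ip: str, lookup: Callable[[str, str], List[str]]) -> List[str]:
    """Return the PTR names for `ip` whose own A/AAAA records include `ip`.

    A PTR record alone proves only that whoever runs the reverse zone chose
    that name, which is exactly what the quoted attack exploits; names that
    do not resolve back to the connecting address are dropped.
    """
    addr = ipaddress.ip_address(ip)
    rtype = "A" if addr.version == 4 else "AAAA"
    confirmed = []
    for name in lookup(addr.reverse_pointer, "PTR"):
        forward = lookup(name.rstrip("."), rtype)
        if any(ipaddress.ip_address(a) == addr for a in forward):
            confirmed.append(name)
    return confirmed


def trusted_identity(ip: str, lookup: Callable[[str, str], List[str]] = fake_lookup) -> Optional[str]:
    """Host name safe to use for a name-based access decision, or None."""
    names = forward_confirmed_names(ip, lookup)
    return names[0] if names else None


if __name__ == "__main__":
    print("HB at 111.22.33.4 ->", trusted_identity("111.22.33.4"))  # None
    print("HA at 192.0.2.10  ->", trusted_identity("192.0.2.10"))   # ha.example.org
```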
Attacks that Exploit Cache Poisoning
You can find a recent, decent read that explains current attacks against the DNS cache (including the birthday attack) and recommended countermeasures at SecurityFocus.com. The article is DNS Cache Poisoning: The Next Generation, by Joe Stewart.
In 2008, Dan Kaminsky discovered a flaw in the DNS protocol that could be exploited to poison the DNS cache on most name servers deployed at that time.
DNS OARC has a test you can run to check if your nameserver is vulnerable to this attack. DNS Security Extensions (DNSSEC) mitigate cache poisoning threats.