What is a DNS poisoning attack?
A DNS poisoning attack, also known as a DNS spoofing attack, is when attackers infiltrate the DNS query process to redirect users to fake websites. These fake websites are run by the attacker and can often look remarkably like the real thing, luring unsuspecting users to enter highly sensitive data, like credit card numbers and login credentials, or inadvertently download viruses and other forms of malware.
This type of attack is called DNS cache poisoning because the illegitimate IP address lives in the cache of the server. Attackers can even manipulate the TTL so that their fake websites live in the cache beyond the typical cache lifespan of a few hours. The risk involved with cache poisoning goes beyond the DNS server that was originally infected: any DNS server that queries the infected server and receives the imitation IP address for a specific website is at risk.
For example, if a DNS server unknowingly starts directing its customers to a fake banking website using a scam IP address it picked up, other DNS servers that obtain the bank's address from the poisoned DNS server will also receive the corrupted address, exposing their customers to the attackers as well.
Can DNS be hacked?
Your DNS server is considered hacked when an attacker has found their way into your router and gained control of your DNS settings. This is known as a form of man-in-the-middle attack and can happen if a user unknowingly downloads malware.
A hacker with control of your DNS settings is able to manipulate your system so that, instead of querying secure DNS servers, it queries the hacker’s server and leads you to a host of imitation sites. Similar to DNS poisoning, this can lead users to unwittingly put their banking details or login and password credentials in the hands of attackers.
A hacker with control of your DNS settings also has the ability to redirect users to fake sites that convince the user they have downloaded a virus, even if they actually haven’t, and trick them into buying the hacker’s software to remove it. The scariest part about all of this? By the time a user realizes their DNS server has been compromised by an attacker, it’s often too late.
How does a DNS attack work?
Attackers prey on DNS vulnerabilities and take advantage of the constant communication between DNS servers to execute an attack. The goal of a DNS attack is to direct users to an IP address of the hacker's choosing. Sometimes it's an imitation website, as is the case with DNS spoofing. Other times it's a targeted website that the attacker knows is unprepared to handle a large, sudden increase in traffic. This unexpected onslaught of visitors causes the targeted website to crash, a form of distributed denial of service (DDoS) attack.
There are a number of ways an attacker can find their way into your DNS system, including:
- Forged Responses: Attackers will often develop imposter DNS servers that attempt to submit the IP address of a fake website in response to a query before a legitimate DNS server has the opportunity to do so. If their address is accepted first, the user is then led to the hacker’s server and imitation websites.
- Weak Passwords: A U.K. study of 2,205 people found that a shocking 82% had never changed the default password on their wireless router. Using the default password, or a password with little to no variation in numbers, special characters, and letters, gives attackers the opportunity to easily crack into a router and gain access to its DNS settings.
- Spam Emails: Attackers will send spam emails laden with fear-inducing language designed to manipulate users into clicking on certain URLs. When these infected URLs are clicked, the hacker can infect the system with malicious code that changes its DNS settings so lookups are sent to untrustworthy servers and websites.
- Banner Ads and Images: Just like in spam emails, an attacker can use fake banner ads and images on websites to trick users into clicking on them, thus opening the door for DNS poisoning to occur.
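The forged-response race described above comes down to one check on the resolver's side: an answer is only accepted if it matches a query that is still outstanding. The following is an added example (not code from the original article) modelling that check in a toy resolver, with a cap on cached TTL so a manipulated TTL cannot keep a record alive indefinitely; the log format, names, and addresses are constructed.

```python
# Added example: a toy model of the resolver-side acceptance check.
# A real resolver only accepts an answer whose 16-bit transaction ID, UDP source
# port and question all match a query it has in flight (RFC 5452 style checks).
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    txid: int   # 16-bit DNS transaction ID
    port: int   # UDP source port the resolver sent from
    qname: str  # question name

class Resolver:
    def __init__(self, randomize_port: bool, max_ttl: int = 86400):
        self.randomize_port = randomize_port
        self.max_ttl = max_ttl     # clamp: never cache longer than this, whatever the answer says
        self.pending: set[Query] = set()
        self.cache: dict[str, tuple[str, int]] = {}

    def send_query(self, qname: str) -> Query:
        txid = secrets.randbelow(1 << 16)  # cryptographically secure transaction ID
        # Fixed source port (old resolvers) vs. random ephemeral port 1024-65535
        port = secrets.randbelow(64512) + 1024 if self.randomize_port else 53
        q = Query(txid, port, qname)
        self.pending.add(q)
        return q

    def receive(self, txid: int, port: int, qname: str, answer: str, ttl: int) -> bool:
        """Accept the answer only if it matches an outstanding query; returns True if cached."""
        q = Query(txid, port, qname)
        if q not in self.pending:
            return False   # unsolicited, mismatched, or duplicate: dropped
        self.pending.discard(q)
        self.cache[qname] = (answer, min(ttl, self.max_ttl))
        return True

def guess_space(randomize_port: bool) -> int:
    """How many (txid, port) combinations a blind forger would have to cover.
    Shows why the article's 'port randomization' advice matters so much."""
    return (1 << 16) * (64512 if randomize_port else 1)

if __name__ == "__main__":
    r = Resolver(randomize_port=True)
    q = r.send_query("bank.example")
    print("mismatched txid accepted?", r.receive(q.txid ^ 1, q.port, q.qname, "203.0.113.9", 300))
    print("matching answer accepted?", r.receive(q.txid, q.port, q.qname, "198.51.100.7", 300))
    print("combinations without/with port randomization:", guess_space(False), guess_space(True))
```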
Protecting against a DNS attack
There are a number of DNS security best practices out there to help you ward off attackers and keep your customers’ systems safe and secure. Since DNS servers are in constant communication with one another, the more companies that implement these best practices, the greater protection there is as a whole. Here are the most important steps you should be taking to prevent DNS poisoning:
- Security Extensions: The Internet Engineering Task Force (IETF) developed DNS Security Extensions (DNSSEC) to address security threats against DNS. This is widely considered one of the strongest defenses available. DNSSEC relies on digital signatures and public-key cryptography to verify the authenticity and integrity of DNS answers.
- Active Monitoring: It’s important to monitor DNS data and keep an eye out for new patterns, like the appearance of a new external host, that could indicate the presence of an attacker.
- Patches: DNS servers are subject to vulnerabilities. Staying on top of the latest patches can safeguard against attackers looking to exploit these well-known vulnerabilities.
- DNS Updates: Updated versions of DNS server software come equipped with source port randomization and cryptographically secure transaction IDs to help defend against DNS attackers. Always make sure the server you are using is up to date.
- Password Policies: Convincing your customers to implement password protection policies is of utmost importance. A weak router password could put every device and user within their company in jeopardy.
- HTTPS Indicators: The HTTPS indicator should be in the browser address bar at all times. This lets you know that the site is valid. If the HTTPS indicator appears and disappears unexpectedly, it could signal the beginning of an attack.
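The "Active Monitoring" item above, together with the TTL manipulation discussed earlier, is concrete enough to script. This is an added example (not from the original article) that audits a resolver's answer log against a baseline of expected addresses and flags a known name resolving somewhere new, an oversized TTL, or a host never seen before; the log format, baseline and sample lines are constructed, so the regex must be adapted to the real resolver's log format.

```python
# Added example: audit constructed resolver answer-log lines against a baseline.
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <qname> <A|AAAA> <rdata> ttl=<seconds>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<qname>[\w.-]+)\s+(?P<rtype>A|AAAA)\s+(?P<rdata>\S+)\s+ttl=(?P<ttl>\d+)$"
)

def parse_line(line: str):
    """Return (qname, rdata, ttl) or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["qname"].lower(), m["rdata"], int(m["ttl"])

def audit(log_lines, baseline, max_ttl: int = 86400):
    """Findings as (kind, qname, detail): unexpected_address, oversized_ttl, new_host."""
    findings = []
    seen = defaultdict(set)      # names already reported as new, with their addresses
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qname, rdata, ttl = rec
        if qname in baseline:
            if rdata not in baseline[qname]:   # known name, address outside the baseline
                findings.append(("unexpected_address", qname, rdata))
        elif qname not in seen:                # external host never seen before
            findings.append(("new_host", qname, rdata))
        if ttl > max_ttl:                      # TTL far beyond normal cache lifetimes
            findings.append(("oversized_ttl", qname, ttl))
        seen[qname].add(rdata)
    return findings

# Constructed sample baseline and log (documentation-range addresses only)
BASELINE = {"bank.example": {"198.51.100.7"}, "mail.example": {"198.51.100.25"}}
SAMPLE_LOG = [
    "2024-01-10T12:00:01Z bank.example A 198.51.100.7 ttl=300",
    "2024-01-10T12:00:05Z bank.example A 203.0.113.9 ttl=604800",  # wrong IP, week-long TTL
    "2024-01-10T12:00:09Z mail.example A 198.51.100.25 ttl=300",
    "2024-01-10T12:00:12Z unknown-cdn.invalid A 203.0.113.50 ttl=60",  # never seen before
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for kind, qname, detail in audit(SAMPLE_LOG, BASELINE):
        print(kind, qname, detail)
```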
DNS poisoning, man-in-the-middle schemes, and DDoS tactics are just a few of the many DNS attacks out there. It’s important to stay on top of these cybersecurity threats and the latest risk-mitigation techniques.