DNS-Based Threats: Cache Poisoning

The Domain Name System (DNS) is the cornerstone of communication for the internet. Navigating to the sites you access every day often starts with a DNS request. Cybercriminals recognize the value of DNS and may look for ways to abuse improperly secured DNS to compromise its uptime, integrity or overall response efficacy — which makes DNS an important area for enforcing security and protecting against threats.

One such threat: cache poisoning

When a DNS request is made, the query is routed to a recursive name server. If the domain name navigation information is cached, the recursive name server sends the response directly back to the user with the appropriate information, so they can go to the intended destination. If the information is not present in the cache, the recursive name server queries other DNS servers to find the information needed to answer the original query.

Cybercriminals understand how to manipulate DNS caching and may take advantage of unsecured servers through cache poisoning. Cache poisoning can occur when a cybercriminal sends fake (spoofed) DNS responses to a target recursive name server (resolver), pretending they came from an authoritative name server, a forwarder, or even a recursive name server to a client stub. When malicious information is cached on the recursive name server, the names on the server are considered "poisoned."

Cybercriminals use cache poisoning to redirect traffic to fraudulent websites and other unintended destinations. Cache poisoning is considered dangerous because it does not require significant bandwidth, processing resources, or technical expertise to execute, and an attacker doesn't need to be in the data path to launch cache poisoning attacks. Furthermore, a fraudulent address can reside on a recursive name server for hours, days or weeks before it is discovered.
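The acceptance check a resolver applies to each incoming response, plus a simple signal for a burst of spoofed answers, shown as an added example that is not part of the original article. The matched fields are the standard ones (upstream address, source port, transaction ID, question); the class names, sample addresses and the threshold of 3 are constructed assumptions.

```python
# Added example: resolver-side response matching and spoof-burst detection (constructed data).
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Pending:
    """An outstanding query the resolver sent to an upstream server."""
    server_ip: str
    src_port: int
    txid: int
    qname: str
    qtype: str

@dataclass(frozen=True)
class Response:
    """Fields of an incoming UDP DNS response that matter for matching."""
    from_ip: str
    dst_port: int
    txid: int
    qname: str
    qtype: str

def matches(p: Pending, r: Response) -> bool:
    # Every field must agree; DNS names compare case-insensitively.
    return (r.from_ip == p.server_ip and r.dst_port == p.src_port
            and r.txid == p.txid and r.qtype == p.qtype
            and r.qname.lower().rstrip(".") == p.qname.lower().rstrip("."))

def process(pending: list[Pending], responses: list[Response], threshold: int = 3):
    """Return (accepted responses, names flagged as likely poisoning targets)."""
    open_queries = list(pending)
    accepted, mismatches = [], Counter()
    for r in responses:
        hit = next((p for p in open_queries if matches(p, r)), None)
        if hit:
            open_queries.remove(hit)  # first valid answer closes the query
            accepted.append(r)
        else:
            mismatches[r.qname.lower().rstrip(".")] += 1  # unsolicited or wrong fields
    flagged = sorted(n for n, c in mismatches.items() if c >= threshold)
    return accepted, flagged

# Constructed sample: one real query, a burst of non-matching answers, the real answer, a late duplicate.
PENDING = [Pending("192.0.2.53", 40123, 0x1A2B, "www.example.com", "A")]
RESPONSES = [Response("192.0.2.53", 40123, t, "www.example.com", "A") for t in (1, 2, 3, 4)]
RESPONSES.append(Response("192.0.2.53", 40123, 0x1A2B, "WWW.example.com.", "A"))
RESPONSES.append(Response("192.0.2.53", 40123, 0x1A2B, "www.example.com", "A"))
if __name__ == "__main__":
    print(process(PENDING, RESPONSES))
```

Responses that fail the match are dropped rather than cached, and a name that attracts many of them in a short window is worth alerting on.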

When a poisoned cache connects an unsuspecting user or device to a fraudulent site, cybercriminals can do a variety of things, such as obtain sensitive data and other confidential information, steal user credentials and passwords, eavesdrop on communications, plant malicious software, or display images and text that defame a legitimate brand or provide misleading information.

One solution to address cache poisoning is the implementation of DNS security extensions (DNSSEC). DNSSEC is the main security mechanism that protects the integrity of DNS records and helps safeguard the end-to-end integrity and authenticity of DNS responses.

As DNS attacks grow in frequency and impact, organizations can no longer afford to overlook DNS security as part of their overall defense-in-depth strategy. As with IT security in general, no single tactic can address the entire DNS threat landscape or secure the complete DNS ecosystem. The key is to assess risks, identify security gaps and develop a plan to strengthen the security of both your inbound and outbound DNS.

For more information on the importance of DNS in the security ecosystem, and considerations for securing DNS in your organization with DNSSEC and other solutions, please download our free white paper, "Framework for Resilient DNS Security," here.

Verisign

About Verisign – Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world's most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains and two of the internet's root servers, as well as performs the root-zone maintainer functions for the core of the internet's Domain Name System (DNS).