DNS cache poisoning, also known as DNS cache spoofing, is a type of attack that exploits weaknesses in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones. One of the reasons DNS poisoning is so dangerous is that it can spread from one DNS server to another.
Let’s find out more about DNS cache poisoning. To browse the internet you type the URL (Uniform Resource Locator) of a website into your web browser. To visit our website, techdevv.com, you type www.techdevv.com; to go to Facebook, you type www.facebook.com. But computers do not understand these names the way you do: they only know numbers, which we call IP addresses (Internet Protocol addresses).
Every website (web server) has a unique IP address, just as your home has a unique street address. We can’t remember the IP address of every site we want to visit, so domain names do that job for us.
When we enter a domain name, the DNS service lets the web browser look up the IP address behind that name. DNS servers exist to answer these lookups for the browser.
What is the DNS cache?
DNS servers hold a large number of records mapping domain names to IP addresses; they know which IP address belongs to which domain name, much like a phonebook. When you enter a URL into your web browser, the browser asks the DNS server for the IP address. The DNS server returns the IP address of that website to your browser, and the browser can then load the site you requested. Once you have visited a website, your computer saves its IP address and does not ask the DNS server for it again. The next time you visit that site, the browser connects directly to the IP address already stored in the DNS cache. This is faster than asking the DNS server for the IP address every time, because it removes a step; asking the DNS server on every visit slows down browsing. The computer always saves the IP addresses of the websites it has visited, and this store is called the DNS cache. On a Windows PC you can see which IP addresses are saved by running ipconfig /displaydns in Command Prompt or PowerShell.
If a website moves to a different hosting service, its IP address changes too. If the browser then loaded the site from a stale DNS cache entry, you could end up at the wrong server. That is why the browser must refresh its DNS cache: how long each record may be kept is governed by its TTL (time to live) value.
DNS servers have a DNS cache too
DNS servers are computers just like ours, and they also keep a DNS cache. When they receive a request for a website’s IP address, they look it up in their records and return it as the answer. They obtain records from other DNS servers, just as our computers obtain them from the DNS server, and they keep those records in cache memory the same way. So DNS servers also have a DNS cache.
There are many paid and free DNS service providers, such as
Google Inc. has 220.127.116.11 (free)
Cloudflare has 18.104.22.168 (free)
OpenDNS has 208.67.222.222 and 208.67.220.220 (free)
If we don’t use one of these public DNS services, we browse with the DNS service that our internet service provider (ISP) gives us.
It may be slower than the top-level DNS services listed above.
How hackers poison the DNS cache
When your computer uses an outdated or poisoned DNS cache to load the page your browser requested, you can end up at the wrong website. When a cache entry gets refreshed depends on its TTL value. Attackers can change these TTL values using malware; the cache then stops updating from the DNS server, and the attacker can serve you a fake page in place of the one you requested. This is also a form of phishing.
Attackers can use malware for this: it edits the IP addresses stored in the DNS cache on your computer. This is called DNS poisoning or DNS spoofing. If you visit such a website, you may not be able to tell the fake site from the real one, and you might enter your passwords on the fake page.
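One practical way to check for the two symptoms described above (a cached address that does not match the address you know to be correct, and a TTL that has been inflated so the entry never refreshes) is to parse the output of ipconfig /displaydns and compare it against a list of known-good addresses. The following is an added example written for this article, not code from techdevv.com; the sample output, domain names, addresses and TTLs are constructed, and the TTL threshold of one day is an assumption you would tune for your environment.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ipconfig /displaydns` output.
# The domains, addresses and TTLs are invented for this example.
SAMPLE_DISPLAYDNS = """
    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 300
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10

    login.example.net
    ----------------------------------------
    Record Name . . . . . : login.example.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400000
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.77
"""

# Addresses you already know to be correct (constructed for the example).
KNOWN_GOOD = {
    "www.example.com": {"203.0.113.10"},
    "login.example.net": {"203.0.113.20"},
}


@dataclass
class CacheEntry:
    name: str
    ttl: int        # remaining seconds before the resolver must re-query
    address: str    # cached A record


# The three fields of each displaydns block that matter for the check.
_NAME = re.compile(r"Record Name[ .]*:\s*(\S+)")
_TTL = re.compile(r"Time To Live[ .]*:\s*(\d+)")
_ADDR = re.compile(r"A \(Host\) Record[ .]*:\s*(\S+)")


def parse_displaydns(text: str) -> list[CacheEntry]:
    """Parse the A records out of displaydns-style output.

    Blocks are separated by blank lines; blocks without an
    'A (Host) Record' line (e.g. CNAME or PTR records) are skipped.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name, ttl, addr = _NAME.search(block), _TTL.search(block), _ADDR.search(block)
        if name and ttl and addr:
            entries.append(CacheEntry(name.group(1).lower(), int(ttl.group(1)), addr.group(1)))
    return entries


def find_suspicious(entries, known_good, max_ttl=86400):
    """Flag entries that point somewhere other than the known-good address,
    or whose TTL is implausibly long. A tampered TTL keeps a bad answer
    alive because the resolver never goes back to the DNS server."""
    findings = []
    for e in entries:
        good = known_good.get(e.name)
        if good is not None and e.address not in good:
            findings.append((e.name, f"unexpected address {e.address}"))
        if e.ttl > max_ttl:
            findings.append((e.name, f"ttl {e.ttl} exceeds {max_ttl}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_suspicious(parse_displaydns(SAMPLE_DISPLAYDNS), KNOWN_GOOD):
        print(f"{name}: {reason}")
```

In the sample, www.example.com passes both checks, while login.example.net is reported twice: its cached address is not the one you expect, and its TTL of 86400000 seconds is far beyond anything a normal record carries. On a real machine you would feed the function the captured output of ipconfig /displaydns and a list of addresses you have verified out of band.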
Even DNS Servers are in danger
As mentioned above, DNS servers have a DNS cache. If an attacker manages to gain access to a DNS server, the problem becomes much bigger, because many computers depend on that server’s cache. If the server is poisoned like this, every computer that uses it is affected, and all of them will be sent to the wrong websites in place of the ones they requested.
If another DNS server asks this server for an IP address it does not yet know, it receives the wrong answer and becomes poisoned too. That is why DNS poisoning/spoofing is such a serious problem.
This is not merely a theoretical risk; it has happened worldwide in the past few years.
Can we survive from DNS poisoning?
Here the main role falls to the team that maintains the server. They can take a number of measures to avoid DNS poisoning, such as
- Keep DNS settings up to date
- Bind DNS
- Check DNS settings daily
- Block unwanted DNS requests on port 53
- Use RNDC keys
If you suspect that you are infected, you can take the following actions:
- Manually check the hosts file on your computer (on Windows: C:\Windows\System32\drivers\etc\hosts; on macOS: /etc/hosts) and compare the IP addresses in it with the correct IP addresses you already know.
- Clear the DNS cache (on Windows, run ipconfig /flushdns in Command Prompt or PowerShell; on Ubuntu, run sudo /etc/init.d/dns-clean restart or sudo /etc/init.d/networking force-reload).
- Use a top-level official DNS service such as Google DNS or Cloudflare DNS.
Thank you for reading. Stay tuned with us, and have a good day.