Code on a screen and a security lock

What is DNS cache poisoning?

DNS cache poisoning is a form of DNS spoofing and refers to attacks that attempt to insert manipulated entries into the DNS cache of name servers. By doing so, attackers tamper with the assignment between domain names and their matching IP addresses, directing internet users to a fake and usually malicious website when they access the domain.

Sequence of a DNS cache poisoning attack

01

A definition of DNS cache poisoning

In cache poisoning, cybercriminals abuse the way Domain Name Systems (DNS) work to lure unsuspecting internet users to fake websites and steal their login credentials and other sensitive information. In a figurative sense, the DNS acts as the telephone book of the internet and defines the assignment of domain names to the IP addresses of web servers. The correct assignment is stored in the DNS entries, which are provided by name servers worldwide and temporarily cached locally on routers and computers. If attackers succeed in corrupting one of these name servers via security vulnerabilities and are able to inject fake entries, they also end up in the cache of every server, router, and device that requests the affected domain from the name server. The DNS cache is now “poisoned” and redirects internet users to the website specified by the attackers. The latter is usually aimed at stealing login credentials or distributing malware.

02

What makes DNS cache poisoning so dangerous?

Depending on the name server on which the cache was tampered with, there is a risk that the fake entries will be quickly distributed far and wide on the internet. If, for example, a name server is affected which provides multiple Internet Service Providers (ISPs) with its information, the malicious DNS entries will quickly find their way to all of the ISPs’ customers. The problem can only be solved by restoring the correct entries to all affected caches.

03

What impact does DNS cache poisoning have on businesses?

Cybercriminals can use cache poisoning to target the customers of individual companies and services. Such attacks have serious consequences for the companies involved:

Operating losses

Customers are kept away from their platform and are unable to make purchases. If abuse is caused by stolen access credentials, additional costs are incurred, as the number of refunds increases, for instance.

Image loss

Although the problem usually does not lie with the affected companies themselves, attacks using cache poisoning do have an impact on their image. For customers it makes no difference who is actually responsible. They directly attribute the data breach to the provider’s lack of digital competence.

Data manipulation and misuse

If customer data is corrupted as a result of cache poisoning attacks, this can also result in major losses. Especially if tampering remains undiscovered for a long time, high follow-up losses threaten to occur—sometimes for the time-consuming job of cleaning of the data.

Login mask

04

What are appropriate protective measures against DNS cache poisoning?

A number of measures and solutions are suitable for protecting DNS name resolution from tampering by cache poisoning. For example, DNS queries can be protected by using DNS cookies that ensure the authenticity and integrity of clients, servers, and the data transferred between them. The implementation of DNSSEC technology also promises protection against cache poisoning, but is cumbersome in practice and entails other weaknesses. For example, cybercriminals can exploit DNSSEC to intensify DDoS attacks.

05

What you need to know about cache poisoning

Cybercriminals use cache poisoning to redirect traffic to other web servers without being noticed. To do this, they exploit vulnerabilities to tamper with the DNS entries of name servers, which are then loaded into the cache of requesting servers and devices. Internet users then end up on the website created by the hackers when they enter a domain in their web browser. These are mostly phishing websites designed to intercept login credentials and other sensitive information. Such fake portals can also be used to spread malware.

To defend against cache poisoning attacks, name servers can be outfitted with DNS extensions such as DNS cookies or DNSSEC, which are used for authentication and integrity checks of clients, servers, and data. These technologies make cache poisoning considerably more difficult for attackers.

The Myra Secure DNS supports the use of DNS cookies and DNSSEC to protect against cache poisoning.