Cache Poisoning: All You Need To Know

DNS (Domain Name System) poisoning, also referred to as DNS spoofing, is a worrying concern for today’s internet users. It locates and exploits vulnerabilities in a DNS. When successful, it redirects traffic from a legitimate server to one provided by the attacker. A victim ends up losing crucial data through this process. 

Cache poisoning affects internet users across every sphere. Apart from individual internet users, corporations are also vulnerable as long as they use internet systems. It is therefore important to learn as much as possible about the process, how it works, and how to evade the challenges that come with it. This article summarizes all you need to know about cache poisoning and directs you to the best practices to employ to stay clear of such attacks.

Terms Associated with Cache Poisoning

Before we dive right into explaining cache poisoning and how it works, there are some terms that you ought to know. They will frequently recur throughout the discussion here. Hence, a preliminary explanation of them helps you understand what cache poisoning itself is. 

Domain

A domain is the text that you type in when trying to access a website. It is usually in the form of www.xyz.com. The text is not what locates the website; the IP address is. However, domains are easier to recall than IP addresses.

IP (Internet Protocol) Address

An IP address is a string of numbers that identifies a specific computer or server. It is like a specific house address. When you input a domain, think of it as looking for a specific address. An IP address is the corresponding string of numbers that locates the exact place you want to head to.

DNS (Domain Name System)

This system traces a domain to the corresponding IP address. When you input a domain, the DNS unravels it and directs your traffic to the appropriate destination. 

DNS Servers

This refers to the servers in the DNS resolving process. There are four: root name servers, top-level domain (TLD) name servers, resolving name servers, and the authoritative name server. 

DNS Resolving

As mentioned earlier, DNS servers keep a directory of domain names that they translate to IP addresses. Thus, when you type in a domain name, the DNS converts it to an IP address that your computer can interpret. The resolving name server, also known as the recursive resolver, is responsible for the resolving process of the DNS. This go-between is necessary because it is almost impossible for humans to remember the IP addresses for different sites. On the other hand, computers and internet devices generally cannot interpret domain names; they work with IP addresses instead.

A DNS resolver saves (caches) information relating to servers and IP addresses. Imagine this to be like writing down room numbers in a directory. Caching responses to IP queries is important because it speeds up the process. However, this leaves room for cache poisoning. In the next section, we will go into that fully. 

What is Cache Poisoning?

DNS cache poisoning occurs when information found in a DNS cache gets modified by a bad actor. When a user then types in a domain name and an IP query gets initiated, the corrupt information in the cache is sent back. The modification of the DNS cache can lead to a situation where a user inputs the right domain name but gets redirected to the wrong IP address. The corrupt information stays in the cache until it would ordinarily expire or until someone manually removes it.

DNS cache poisoning occurs because the DNS resolving process uses User Datagram Protocol (UDP) instead of TCP (Transmission Control Protocol). Unlike TCP, UDP does not require parties to initiate a handshake or verify their identities while using the network. Hence, an attacker could infiltrate a communication channel, pretend to send information from a legitimate server, and then corrupt the subsequent response. When a DNS resolver receives information, it saves it without having to verify it. That is the route through which corrupt DNS data can exist in a cache.

DNS cache poisoning can be quite difficult to accomplish. For instance, an attacker must know the exact port the DNS resolver is using, the request ID number, and the authoritative nameserver the query will go to. However, this also makes DNS cache poisoning hard to detect and address when it occurs.
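The three values listed above are exactly what a resolver compares before it accepts a UDP reply. The sketch below is an added example, not code from any particular resolver; the class and function names, addresses, port and request ID are constructed for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class PendingQuery:          # what the resolver remembers about a query in flight
    txid: int                # 16-bit request ID from the query header
    src_port: int            # UDP source port the query was sent from
    server: tuple            # (ip, port) of the nameserver that was asked
    qname: str
    qtype: int = 1           # 1 = A record

def build_message(txid, qname, qtype=1, response=False):
    """Build a header-plus-question DNS message (constructed test input)."""
    flags = 0x8180 if response else 0x0100
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    labels, pos = [], 12
    while packet[pos]:
        length = packet[pos]
        if length > 63:      # compression pointer or junk in the question
            raise ValueError("bad label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, = struct.unpack("!H", packet[pos + 1:pos + 3])
    return txid, flags, qdcount, ".".join(labels).lower(), qtype

def accept_response(pending, packet, sender, dst_port):
    """Return (accepted, reason) for a datagram that arrived at the resolver."""
    if sender != pending.server:
        return False, "unexpected server"
    if dst_port != pending.src_port:
        return False, "wrong port"
    try:
        txid, flags, qdcount, qname, qtype = parse_question(packet)
    except (IndexError, ValueError, struct.error):
        return False, "malformed"
    if txid != pending.txid:
        return False, "wrong request ID"
    if not flags & 0x8000 or qdcount != 1:
        return False, "not a response to one question"
    if (qname, qtype) != (pending.qname.lower(), pending.qtype):
        return False, "question mismatch"
    return True, "ok"

# Constructed sample: one outstanding query and the matching reply.
PENDING = PendingQuery(0x3A7C, 53124, ("192.0.2.53", 53), "www.example.com")
LEGIT = build_message(0x3A7C, "www.example.com", response=True)
```

Counting the rejection reasons per client or per queried name gives an operator a simple signal: a burst of "wrong request ID" or "wrong port" rejections for one name is what a guessing attempt looks like from the resolver's side.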

Types of Cache Poisoning Attacks

Cache poisoning takes several forms. Some of them include:

DNS Server Hijack

This is pretty self-explanatory. Here, the attacker hijacks the DNS server and redirects all requests to any website of their choosing. Thus, any IP address verification coming to the DNS is redirected to the fake website.

Man-in-the-middle Duping

Here, the attacker steps in and infiltrates the communication between a web browser and a DNS server. In this case, the attacker modifies the information sent across both ends, leading to cache poisoning on both the originating device and the DNS server. After that, the bad actor creates their fake site. As a result, all traffic from the compromised device gets sent to the attacker’s site instead of the regular DNS server.

Vulnerabilities of Cache Poisoning Attacks

DNS cache poisoning can affect you and your security in a variety of ways. Some of the most common vulnerabilities include: 

Censorship

Many countries implement censorship against their citizens. Hence, the authorities prescribe what citizens or visitors are permitted to access within the country. This is usually the case with authoritarian and despotic regimes.

Countries that implement restrictions sometimes use a variation of DNS caching. Here, they modify the DNS to ensure that all the websites citizens access within the country are the ones approved by the authorities. One common example is the system employed by the Chinese authorities and dubbed the Great Chinese Firewall.

Malware Infection

This is the most prominent use of cache poisoning. When you get redirected to a different website than the one you intended, you could end up at a site infected with malware. Attackers typically employ drive-by download attacks in these instances. A drive-by download attack occurs when malicious programs and software get downloaded to your device without your permission.

Hence, by simply visiting the malicious website, you could unknowingly download items that may corrupt your other files. In addition, you could become susceptible to other attacks such as keylogger attacks, spyware, and even trojans.

Halting Security Updates

Security updates for your device can be disrupted if you experience a cache poisoning attack. This is especially the case when an Internet Service Provider (ISP) is a victim of the attack.

Ways to Avoid/Prevent Attacks

One of the most dangerous things about DNS cache poisoning is its propensity to spread quickly. If one DNS server gets poisoned, it will spread the “poison” to other DNS servers and routers around it. Computers that carry out DNS queries on that particular server will also get infected. The problem can only be resolved if the misinformation is detected and eliminated. 

As mentioned, detection of cache poisoning is often not very straightforward. You may rather want to prevent the attacks from happening in the first place. The suggestions below factor in both DNS server operators and individual internet browsers.

Security Tips for Website Owners and DNS Server Providers:

Website Owners and DNS Server Providers can implement the following strategies:

1. First, use only the most recent version of your DNS software. This is because a recent version will have updated security features to prevent cache poisoning.

2. Configure your DNS server to only store information relating to a specific query or domain. That way, only permitted services will run on the server, limiting the possibility of a hijack. 

3. Furthermore, limit DNS server relationships with other DNS servers. Again, this can curtail the spread of cache poisoning if any DNS server close to you gets compromised. Unfortunately, you may be unable to configure your DNS server to perform this function by yourself, so you may want to employ the services of an IT professional. 
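One way to read tip 2 is as a scope (bailiwick) check: when a response arrives, the resolver caches only the records that belong to the zone it asked about, and caps how long any entry may live. The following is an added sketch of that idea, not the configuration of any specific DNS server; the class name, the one-hour TTL cap and the sample records are assumptions constructed for illustration.

```python
import time

def in_bailiwick(owner, zone):
    """True when owner equals zone or is a subdomain of it (case-insensitive)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

class ScopedCache:
    MAX_TTL = 3600  # assumed cap (seconds) so a bad entry cannot linger for days

    def __init__(self, clock=time.monotonic):
        self._entries, self._clock = {}, clock

    def store_response(self, zone, records):
        """Cache only records inside the queried zone; return the rejected ones."""
        rejected = []
        for owner, rtype, ttl, value in records:
            if not in_bailiwick(owner, zone):
                rejected.append((owner, rtype, value))  # worth logging: unrelated data
                continue
            expires = self._clock() + min(ttl, self.MAX_TTL)
            self._entries[(owner.lower().rstrip("."), rtype)] = (value, expires)
        return rejected

    def lookup(self, owner, rtype):
        key = (owner.lower().rstrip("."), rtype)
        value, expires = self._entries.get(key, (None, 0))
        if value is None or self._clock() >= expires:
            self._entries.pop(key, None)  # expired entries are dropped on access
            return None
        return value

    def flush(self):
        """Manual removal of everything cached."""
        self._entries.clear()

# Constructed sample: a reply to a query sent to example.com's nameserver that
# also carries an unrelated record for a different domain.
SAMPLE_RESPONSE = [
    ("www.example.com", "A", 300, "192.0.2.10"),
    ("ns1.example.com", "A", 86400, "192.0.2.53"),
    ("www.bank.example.net", "A", 86400, "203.0.113.66"),
]
```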

Security Tips for EndPoint/Individual Users

Endpoint users can implement the following best practices:

1. Use a VPN: Using a VPN (Virtual Private Network) is a surefire way to stay protected while using the internet. A VPN encrypts your traffic and provides a secure tunnel for your traffic to follow. Most VPN providers have private and secure DNS servers that use end-to-end encryption technologies. 

2. Flush Your DNS Cache: Cache poisoning will not resolve itself. You have to clean it out yourself. iOS, macOS, and Android devices all have different flushing techniques. 

3. Do not click on unknown URLs. It does not matter whether the link comes in an email, a text message, or anywhere else. Instead, you should always type unfamiliar website addresses in full in your search bar, that is, after you have run a cursory security check to confirm their authenticity.

4. Regularly scan your device for malware of all sorts. Unfortunately, this will not get rid of the cache poisoning itself. However, it will eliminate any other infection that could have come because of the cache poisoning. Do understand that existing malware can also lead to DNS spoofing. Thus, eliminating them is a win-win all around. 

Conclusion

DNS cache poisoning is one of the online threats internet users have to be mindful of. This article has looked at what it is, what happens when it occurs, and various ways of preventing it. Hopefully, at this point, you have all the information you need.