What Happens When Your DNS Cache Is Poisoned
Within each organization's IT structure there is normally one or more DNS servers (resolvers), depending on the organization's size. A resolver's purpose is to translate a domain name into an IP address so that clients can reach resources on the internet. Each domain name is globally unique, so a lookup has one authoritative answer at any moment: the mapping is defined by the domain's owner (a single address may serve several names, and a name may map to several addresses, but nobody else gets to publish a record for a name they do not control). To improve efficiency, each resolver is set up with a cache that stores translated information for as long as the time-to-live (TTL) carried by the answer allows. The principle is that if a user enters a certain domain name, there is a good chance he will revisit the site in the near future; the cache then returns the stored translation immediately instead of repeating the lookup.
If the DNS software has a flaw, or the server is poorly managed and left exposed to attack, it is at risk of DNS cache poisoning: an attacker gets a forged record into the cache, so the server returns an IP address that does not match the one the domain's owner actually published. When a user then types in the domain name, he is redirected to a different host, or is left with a message stating that the server cannot be found. The site itself is fine; the cached address is wrong, and the bad entry is served to every client behind that resolver for as long as its TTL lasts. If an organization runs several DNS servers in a parent-child (forwarding) relationship, a compromised parent puts its child servers at risk, since each child caches whatever the parent returns.
More often than not, the objective of poisoning the cache is to redirect users from the genuine website to a spoofed version. Some attackers go to the extent of building near-exact replicas of the real site in order to fool unsuspecting users. Once sensitive and confidential information is captured, users are left in the lurch as their bank account or credit card details are abused. Other malicious uses include inducing users to download or execute viruses or worms on their computers; because the user asked for the site by name and the address came back from the organization's own resolver, nothing about the connection looks suspicious. Once such a program gets past the corporate firewall, it wreaks havoc within the organization.
Once DNS cache poisoning is detected, mitigation steps need to be taken immediately. Since most unauthorized access comes through known but unpatched holes, system administrators must keep resolver software, servers and clients up to date. Trust relationships between servers (which resolvers forward to which, and which hosts may query or update them) may need to be tightened to stop bad records spreading like wildfire. Randomizing the query's source port, in addition to the 16-bit transaction ID, is a good preventive measure because it greatly enlarges the space a blind attacker has to guess; however, its effectiveness can be wiped out by network address translation devices that rewrite the source port to a fixed or predictable value, so check what the resolver's queries look like on the outside of the NAT. Cryptographic validation with DNSSEC rejects forged records outright rather than merely making them harder to guess. Flushing the cache of a domain name server is also a way of getting rid of bad DNS entries, provided the upstream servers it forwards to are flushed as well, or the bad record simply comes back.
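The mechanism from the paragraphs above, as an added example that is not code from the original article: a toy Python model of a caching resolver facing an off-path attacker who floods forged replies, first against a resolver that always queries from port 53 and then against one that randomizes its source port, plus a parent/child forwarding pair showing how a poisoned parent infects the child and why flushing the child alone is not enough. The domain name, addresses, class names and the resolver's internals are constructed for the example; the only real DNS facts used are the 16-bit transaction ID and the port check.

```python
"""Toy caching resolver under an off-path cache-poisoning attack.
Added example, not code from the original article.  It models only what
matters for poisoning: the 16-bit transaction ID, the UDP source port,
the question check, the cache, and forwarding to an upstream server."""
import random
from dataclasses import dataclass

# Constructed sample data: made-up name, documentation-range addresses.
QNAME = "www.example.com"
GENUINE_IP = "192.0.2.10"       # what the zone really publishes
ATTACKER_IP = "198.51.100.7"    # the spoof site the attacker wants cached
TXID_SPACE = 1 << 16            # the DNS transaction ID is 16 bits
FIXED_PORT = 53                 # legacy behaviour: every query from one port
EPHEMERAL_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int    # port the reply is addressed to (the query's source port)
    qname: str       # echoed question section
    answer_ip: str


class Authoritative:
    """Stand-in for the zone's authoritative server: no cache, no forwarding."""
    def __init__(self, zone):
        self.zone = zone

    def resolve(self, qname):
        return self.zone.get(qname)


class Resolver:
    def __init__(self, randomize_port, rng, upstream):
        self.randomize_port = randomize_port
        self.rng = rng
        self.upstream = upstream    # parent resolver or authoritative server
        self.cache = {}
        self._pending = None        # (txid, port, qname) of the in-flight query

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self._pending = (txid, port, qname)
        return txid, port           # visible only to whoever sees the packet

    def receive(self, resp):
        """Accept the first reply whose txid, port and question all match."""
        if self._pending is None or (resp.txid, resp.dst_port, resp.qname) != self._pending:
            return False            # wrong guess, or race already over: dropped
        self.cache[resp.qname] = resp.answer_ip
        self._pending = None        # later replies, genuine or forged, are ignored
        return True

    def resolve(self, qname):
        """Cache hit, otherwise ask upstream and cache whatever it says."""
        if qname not in self.cache:
            self.cache[qname] = self.upstream.resolve(qname)
        return self.cache[qname]

    def flush(self):
        self.cache.clear()


def guess_space(randomize_port):
    """(txid, port) combinations a blind attacker must cover."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


def off_path_attack(resolver, port_guess=FIXED_PORT):
    """Attacker triggers a lookup, then floods forged replies for every txid at
    the port it assumes the resolver uses, racing the genuine answer.  The
    genuine reply is delivered last so that only the guess space decides."""
    txid, port = resolver.send_query(QNAME)           # seen by the genuine server
    for guess in range(TXID_SPACE):                   # attacker never sees txid/port
        if resolver.receive(Response(guess, port_guess, QNAME, ATTACKER_IP)):
            break
    resolver.receive(Response(txid, port, QNAME, GENUINE_IP))
    return resolver.cache[QNAME]


def attack_outcome(randomize_port, seed=0):
    """Run one race against a fresh resolver and report what it cached."""
    resolver = Resolver(randomize_port, random.Random(seed),
                        Authoritative({QNAME: GENUINE_IP}))
    return off_path_attack(resolver)


def forwarding_chain(seed=1):
    """Poison a fixed-port parent; the child that forwards to it inherits the
    bad record, and flushing the child alone does not remove it."""
    rng = random.Random(seed)
    parent = Resolver(False, rng, Authoritative({QNAME: GENUINE_IP}))
    child = Resolver(True, rng, upstream=parent)
    off_path_attack(parent)
    inherited = child.resolve(QNAME)
    child.flush()
    after_child_flush = child.resolve(QNAME)
    parent.flush()
    child.flush()
    after_both_flushed = child.resolve(QNAME)
    return inherited, after_child_flush, after_both_flushed


if __name__ == "__main__":
    print("fixed port  ->", attack_outcome(False))
    print("random port ->", attack_outcome(True))
    print("guess space ->", guess_space(False), "vs", guess_space(True))
    print("forwarding  ->", forwarding_chain())
```

Against the fixed-port resolver the attacker only has to enumerate 65536 transaction IDs, so the forged record is cached and the genuine reply that arrives afterwards is discarded; against the randomized resolver the same flood misses every time because the port it assumed is wrong, and the guess space grows to about 4.2 billion combinations. The forwarding chain shows the parent-child point from the text: the child caches whatever the poisoned parent returns, and flushing the child alone just pulls the bad record back in. A NAT device that rewrites the resolver's source port to a fixed or sequential value collapses the randomized case back to the fixed-port case, which is the caveat in the text; DNSSEC validation is different in kind, rejecting a forged record on its signature rather than on a guessed field.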
Category: Network