DNS poisoning is a situation created where a malicious or unwanted data is pushed from a Domain Name Server’s cache. Technically it is more dangerous than IP Spoofing and Session Hijack as it will appear to the end user that he/she is directed to the right website. We explained why Recursive DNS Should Not be Used to Access Cloud Platform. DNS Poisoning can happen due to inappropriate software configuration, lack of rightly configured name servers and maliciously designed scenarios exploiting the traditionally open architecture of a DNS system – which includes our usage of Recursive DNS.
Once a DNS server has received those unauthenticated data and stores it temporarily to further increases in performance, once it is considered to be poisoned, it can extend the effect of the situation to clients server. DNS Spoofing is a variant of DNS Poisoning but usually taken as equivalent – reason of such usage is unknown.
Basics of DNS Poisoning or DNS Spoofing
Normally, a computer connected to the Internet uses a DNS server provided by the Internet service provider (ISP). This usually serves only Guest DNS and contains a small amount of information temporarily stored by previous DNS servers. An attack of poisoning can affect the users directly by the compromised or indirectly dependent servers server.
To perform a cache poisoning attack, the attacker exploits a vulnerability in the DNS software that can make it accept incorrect information. If the server does not validate DNS responses to ensure that they come from an authoritative source correctly, the server may terminate to depend on locally stored incorrect information and sending the users to do the request.
This technique can be used to arbitrarily replacing content of a number of victims with content selected by an attacker. For example, an attacker poisons the DNS entries of IP addresses for a website with a goal, replacing them with the IP address of a server he controls. Then, the attacker creates fake entries for files on the server that he controls with names that match the target file server. These files may contain malicious content, such as a virus or worm. A user whose computer has referenced the poisoned DNS server can be fooled to believing that the content comes from the target server and unknowingly download malicious content.
---
Known Methods of DNS Poisoning or DNS Spoofing
Normally we use dig command to find the details of a server :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 |
? ~ dig https://thecustomizewindows.com ; <<>> DiG 9.8.3-P1 <<>> https://thecustomizewindows.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21317 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;https://thecustomizewindows.com. IN A ;; AUTHORITY SECTION: com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1400435427 1800 900 604800 86400 ;; Query time: 143 msec ;; SERVER: 220.226.6.104#53(220.226.6.104) ;; WHEN: Sun May 18 23:20:52 2014 ;; MSG SIZE rcvd: 121 ? ~ dig thecustomizewindows.com ; <<>> DiG 9.8.3-P1 <<>> thecustomizewindows.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63950 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION: ;thecustomizewindows.com. IN A ;; ANSWER SECTION: thecustomizewindows.com. 111111 IN A 192.237.225.97 ;; AUTHORITY SECTION: thecustomizewindows.com. 158516 IN NS dns2.stabletransit.com. thecustomizewindows.com. 158516 IN NS ns2.rackspace.com. thecustomizewindows.com. 158516 IN NS ns.rackspace.com. thecustomizewindows.com. 158516 IN NS dns1.stabletransit.com. ;; ADDITIONAL SECTION: ns.rackspace.com. 46915 IN A 69.20.95.4 ns2.rackspace.com. 31862 IN A 65.61.188.4 dns1.stabletransit.com. 39993 IN A 69.20.95.4 dns2.stabletransit.com. 59473 IN A 65.61.188.4 ;; Query time: 490 msec ;; SERVER: 220.226.6.104#53(220.226.6.104) ;; WHEN: Sun May 18 23:21:19 2014 ;; MSG SIZE rcvd: 218 |
We are getting headers from gtld-servers.net and verisign-grs.com in the first case with http appended.
This setup is done by Rackspace to prevent such DNS Poisoning. We are using Rackspace Cloud DNS, obviously they will arrange some ways to prevent the poisoning in case all of the their data centers fails due to a high global attack.
Thankfully, methods of DNS Poisoning are limited in number :
Redirect the domain name server : The first variant of DNS cache poisoning involves redirecting the attacker’s name server for the domain name server to the target domain, then that server name is assigned an IP address specified by the attacker. This is very common while using bad or average quality Web Hosts with huge shared servers.
You can test with Hostgator, Bluehost with name server to change the target server and test with webpagetest from various regions – abnormal pages will appear. We never noticed this with Rackspace, Amazon, Red Hat, Heroku, Server Beach etc. setup. We believe, after a time of a running website, this exploit is applied by the attackers and lower quality host possibly do not spend the money behind the fail safe method. The way to get protected is to use a cloud dns like CloudFlare like we described before.
Redirect to another domain’s DNS record : The second variant of DNS cache poisoning involves redirecting the name server of another domain to another domain unrelated to the original request for an IP address specified by the attacker.
Common if the DNS of the domain is set to a NS but there is no server. Right now, at the time of writing, abhishekghosh.pro is not online but NS is pointing towards Rackspace from domain registerer. If someone spins up a server on Rackspace, obviously it will catch all, taking the fact – no DNS software is intervening it. I should keep a cloud dns record and point towards own server, even if the server is for another website. This will throw http error but will save from a common cheat.
Reply before actual name server responds : The third variant of DNS cache poisoning, which actually called DNS spoofing (or DNS Forgery) involves making a delay in the actual response to a query from recursive DNS to the DNS server. DNS queries containing an ID number of 16 bits, they are used to identify the responses associated with a given response. If the attacker can successfully predict the value of said identification number and return the first response, the server will accept the attacker as a valid response. If the server randomizes the source port response, the attack will become more difficult, because the false answer must be sent by the same port from which the query originated. Sending a number of simultaneous DNS requests to the server to force it to send more recursive queries, the probability of successfully predicting one of the ID numbers increases. This modification is a form of birthday attack.
Tagged With dig dns nstld verisign-grs com , nxdomain dns poisoning , paperuri:(5cf12e621f6813b07528b77677ba7cb6) , what is dns posioning