What Is DNS Cache Poisoning?

DNS cache poisoning, also known as a DNS spoofing attack, is a type of cyberattack in which users attempting to visit a legitimate website are redirected to a completely different site, usually for malicious purposes. When a user enters the name of a website in a web browser, DNS resolvers provide the IP address, enabling the right website to load. By altering or replacing the data stored in a DNS resolver’s cache memory, attackers can send users to fake or malicious sites to steal their credentials or personal data.

DNS translates human-readable website addresses like example.com into machine-readable IP addresses. This system enables users to navigate the web without needing to remember long strings of meaningless numbers for each website.

DNS uses several types of domain nameservers. Authoritative nameservers store the official records for specific domains. Recursive DNS servers or resolvers field the initial requests from users and query authoritative DNS servers if necessary.

To enable faster DNS responses, recursive servers store information from previous requests in a local cache, allowing the information to be retrieved faster on subsequent requests.

In a DNS cache poisoning attack, threat actors use a variety of techniques to replace the legitimate addresses within a DNS cache with fake DNS addresses. When users attempt to visit a legitimate site, the DNS resolver returns the false address in its cache, hijacking the browser session and sending the user to a fake or malicious website.

Attackers may directly hijack a DNS server to redirect traffic from legitimate sites to malicious IP addresses. Hackers may also use malware that alters the DNS cache in a browser when users click on malicious links. Alternately, threat actors may use a “machine-in-the-middle attack” to position themselves between a browser and a DNS server to route requests to a malicious IP address.

Many attackers use cache poisoning to execute phishing campaigns, setting up fake websites that look identical to the site a user is trying to visit. When the user enters login credentials or sensitive information on the site, attackers can use this data to access the user’s account and steal money or data or launch larger attacks.

Because it was designed to accurately return results to queries rather than question their motives, DNS is a fundamentally insecure protocol. Additionally, DNS traffic can often pass through firewalls without inspection, making it an attractive attack vector for hackers.

While the terms DNS cache poisoning and DNS spoofing are often used interchangeably, some suggest that poisoning is an attack method and spoofing is the end result. In other words, attackers use DNS cache poisoning to achieve DNS spoofing.

The telltale signs of a DNS cache poisoning attack are a single, unexpected drop in web traffic or large changes in DNS activity on a domain. It’s difficult to detect DNS cache poisoning manually — deploying automated DNS security tools is the most effective way to detect these attacks.

Organizations can prevent DNS poisoning by following several cybersecurity best practices.

• Adopt DNSSEC. Domain Name System Security Extensions (DNSSEC) offer a way of verifying the integrity of DNS data. DNSSEC uses public key cryptography to verify and authenticate data.
• Regularly update and patch DNS software. Establishing an optimal cadence for updating and patching DNS applications reduces the chance that attackers can exploit known or zero-day vulnerabilities.
• Adopt HTTPS for DNS traffic. DNS over HTTPS (DoH) encrypts DNS traffic by passing inquiries through an HTTPS encrypted session to improve privacy and hide DNS queries from view.
• Use a Zero Trust approach when configuring DNS servers. The principles of Zero Trust require that all users, devices, applications, and requests are considered compromised unless they are authenticated and continuously validated. DNS is a valuable Zero Trust control point where every internet address can be scanned for potentially malicious behavior.
• Choose a fast and DoS-resistant DNS resolver. Cache poisoning attacks rely on delayed DNS server responses, so a fast resolver can help to prevent successful attacks. The DNS resolver must have built-in cache poisoning controls as well. Major ISPs and DNS providers have the scale to absorb DDoS attacks.