Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.
What is DNS cache poisoning?
DNS cache poisoning, also known as a DNS spoofing attack, is a type of cyberattack in which users attempting to visit a legitimate website are redirected to a completely different site, usually for malicious purposes. When a user enters the name of a website in a web browser, DNS resolvers provide the IP address, enabling the right website to load. By altering or replacing the data stored in a DNS resolver’s cache memory, attackers can send users to fake or malicious sites to steal their credentials or personal data.
What is DNS?
DNS translates human-readable website addresses like example.com into machine-readable IP addresses. This system enables users to navigate the web without needing to remember long strings of meaningless numbers for each website.
DNS uses several types of domain nameservers. Authoritative nameservers store the official records for specific domains. Recursive DNS servers or resolvers field the initial requests from users and query authoritative DNS servers if necessary.
What is DNS caching?
To enable faster DNS responses, recursive servers store information from previous requests in a local cache, allowing the information to be retrieved faster on subsequent requests.
How DNS cache poisoning works?
In a DNS cache poisoning attack, threat actors use a variety of techniques to replace the legitimate addresses within a DNS cache with fake DNS addresses. When users attempt to visit a legitimate site, the DNS resolver returns the false address in its cache, hijacking the browser session and sending the user to a fake or malicious website.
How do threat actors poison a DNS cache?
Attackers may directly hijack a DNS server to redirect traffic from legitimate sites to malicious IP addresses. Hackers may also use malware that alters the DNS cache in a browser when users click on malicious links. Alternately, threat actors may use a “machine-in-the-middle attack” to position themselves between a browser and a DNS server to route requests to a malicious IP address.
How do attackers benefit from DNS cache poisoning?
Many attackers use cache poisoning to execute phishing campaigns, setting up fake websites that look identical to the site a user is trying to visit. When the user enters login credentials or sensitive information on the site, attackers can use this data to access the user’s account and steal money or data or launch larger attacks.
Why are cache poisoning attacks effective?
Because it was designed to accurately return results to queries rather than question their motives, DNS is a fundamentally insecure protocol. Additionally, DNS traffic can often pass through firewalls without inspection, making it an attractive attack vector for hackers.
What is cache poisoning vs. DNS spoofing?
While the terms DNS cache poisoning and DNS spoofing are often used interchangeably, some suggest that poisoning is an attack method and spoofing is the end result. In other words, attackers use DNS cache poisoning to achieve DNS spoofing.
How can DNS cache poisoning be detected?
The telltale signs of a DNS cache poisoning attack are a single, unexpected drop in web traffic or large changes in DNS activity on a domain. It’s difficult to detect DNS cache poisoning manually — deploying automated DNS security tools is the most effective way to detect these attacks.
How can DNS cache poisoning be prevented?
Organizations can prevent DNS poisoning by following several cybersecurity best practices.
- Adopt DNSSEC. Domain Name System Security Extensions (DNSSEC) offer a way of verifying the integrity of DNS data. DNSSEC uses public key cryptography to verify and authenticate data.
- Regularly update and patch DNS software. Establishing an optimal cadence for updating and patching DNS applications reduces the chance that attackers can exploit known or zero-day vulnerabilities.
- Adopt HTTPS for DNS traffic. DNS over HTTPS (DoH) encrypts DNS traffic by passing inquiries through an HTTPS encrypted session to improve privacy and hide DNS queries from view.
- Use a Zero Trust approach when configuring DNS servers. The principles of Zero Trust require that all users, devices, applications, and requests are considered compromised unless they are authenticated and continuously validated. DNS is a valuable Zero Trust control point where every internet address can be scanned for potentially malicious behavior.
- Choose a fast and DoS-resistant DNS resolver. Cache poisoning attacks rely on delayed DNS server responses, so a fast resolver can help to prevent successful attacks. The DNS resolver must have built-in cache poisoning controls as well. Major ISPs and DNS providers have the scale to absorb DDoS attacks.