Header Ads

DNS Poisoning Attack

Okay a little introduction in advance, what is DNS Poisoning ?
DNS spoofing, commonly referred to as DNS Cache Poisoning, is a form of computer security hacking where corrupt Domain Name System (DNS) data is inserted into the DNS resolver cache, causing the Name Server to return an incorrect record of results, eg. IP address. This results in traffic being routed to the attacker's computer (or other computer).

Overview of the domain name system

A domain name Server System translates human-readable domain names (such as suicide-db.com) into numeric IP addresses used to route communication between nodes. Usually if the server does not know the requested translation, it will ask another server, and the process continues recursively. To improve performance, the server typically will remember (cache) this translation for a certain period of time. This means that if it receives another request for the same translation, it can reply without needing to ask another server, until the cache expires.

When the DNS server receives a fake translation and saves it for performance optimization, it is considered toxic, and it supplies false data to the client. If the DNS server is poisoned, it may return an incorrect IP address, redirecting traffic to another computer (often an attacker).

Cache poisoning attacks

Normally, a networked computer uses a DNS server provided by an Internet service provider (ISP) or the computer user's organization. DNS servers are used in an organization's network to improve resolution response performance by caching previously obtained query results. Poisoning attacks on a single DNS server can affect the users serviced directly by the compromised server or those serviced indirectly by its downstream server(s) if applicable.

To perform a cache poisoning attack, the attacker exploits flaws in the DNS software. A server should correctly validate DNS responses to ensure that they are from an authoritative source (for example by using DNSSEC); otherwise the server might end up caching the incorrect entries locally and serve them to other users that make the same request.

This attack can be used to redirect users from a website to another site of the attacker's choosing. For example, an attacker spoofs the IP address DNS entries for a target website on a given DNS server and replaces them with the IP address of a server under their control. The attacker then creates files on the server under their control with names matching those on the target server. These files usually contain malicious content, such as computer worms or viruses. A user whose computer has referenced the poisoned DNS server gets tricked into accepting content coming from a non-authentic server and unknowingly downloads the malicious content. This technique can also be used for phishing attacks, where a fake version of a genuine website is created to gather personal details such as bank and credit/debit card details.


In the following variants, the entries for the server ns.suicide-db.com would be poisoned and redirected to the attacker's name server at IP address These attacks assume that the name server for suicide-db.com is ns.suicide-db.com.

To accomplish the attacks, the attacker must force the target DNS server to make a request for a domain controlled by one of the attacker's nameservers.

Redirect the target domain's name server

The first variant of DNS cache poisoning involves redirecting the name server of the attacker's domain to the name server of the target domain, then assigning that name server an IP address specified by the attacker.

DNS server's request : what are the address records for subdomain.attacker.com?

A vulnerable server would cache the additional A-record (IP address) for ns.target.example, allowing the attacker to resolve queries to the entire suicide-db.com domain.

Redirect the NS record to another target domain

The second variant of DNS cache poisoning involves redirecting the nameserver of another domain unrelated to the original request to an IP address specified by the attacker.[citation needed]

DNS server's request: what are the address records for subdomain.attacker.com?

A vulnerable server would cache the unrelated authority information for target.example's NS-record (nameserver entry), allowing the attacker to resolve queries to the entire suicide-db.comdomain.

No comments