This document discusses DNS cache poisoning. It begins by explaining what DNS is and its purpose of mapping domain names to IP addresses. It then discusses how DNS servers implement caching to improve performance and defines DNS cache poisoning as getting unauthorized entries into a DNS server's cache. The document outlines how an attacker could poison a cache to redirect traffic to a machine they control in order to perform man-in-the-middle attacks or install malware. It describes various methods of poisoning caches locally or remotely, such as between end users and nameservers or between nameservers themselves using the Kaminsky attack. Defenses like DNSSEC are mentioned along with encouragement to try cache poisoning in a controlled lab environment.

1. DNS Cache Poisoning
Christopher Grayson

2. What is DNS?
• As per Wikipedia –
▫ “The Domain Name System (DNS) is a hierarchical
distributed naming system for computers, services, or
any resource connected to the Internet or a private
network. It associates various information with
domain names assigned to each of the participating
entities. Most prominently, it translates domain names
meaningful for users to the numerical IP addresses
needed for the purpose of locating computer services
and devices worldwide. By providing a worldwide,
distributed keyword-based redirection service, the
Domain Name System is an essential component of
the functionality of the Internet.”

3. What is DNS?
• In layman’s terms, DNS is the glue that maps a
domain name to an IP address.
• When you open up a browser and type in
“Google.com” and Google’s web page comes up,
“Google.com” has successfully been mapped to
74.125.137.113 (or one of their other servers)
through DNS.
• DNS is very insecure.

4. What is DNS?
Image courtesy of Wikipedia.org

5. What is the DNS cache?
• In order to reduce the load on nameservers, DNS
servers implement caching.
• When a DNS response comes back to an
intermediate DNS server, it is returned with a field
labeled TTL (for Time to Live). This indicates how
long the DNS server should cache this response.
• So long as the response is cached, subsequent
queries to that nameserver for the same domain will
be returned with the values in the cache. The
response will be purged once the TTL is met.

6. What is DNS cache poisoning?
• It is the act of getting your own values into a
DNS server’s cache for a domain that you do not
own.
• There are many points at which DNS can be
exploited, but this one has one of the biggest pay
offs.
• If the IP address of your choosing is cached in a
nameserver, all sequential queries for the
poisoned domain will be given it.

7. Why poison a cache?
• To continue entrenching yourself in a network,
one of the things you will likely have to do is get
computers you DON’T have access to to contact
a machine that you DO have access to.
• For instance – man-in-the-middle traffic and
implant reverse shells in any requests for PDF
files that come through.
• Firewalls tend to be more prohibitive towards
things originating from OUTSIDE a network
than from INSIDE.

8. How is DNS attacked?
• When attacking a local machine, the HOSTS file
is edited to have the desired routing effects.
• When attacking a remote machine, DNS
responses are forged and (hopefully) accepted as
true by the target machine.

9. How can a DNS response be poisoned?
• Response arrives on same UDP port from which
corresponding request was sent.
• The question section of the response matches
that of the corresponding request.
• The query ID of the response matches that of the
corresponding request.
• The authority and additional sections represent
names that are within the same domain as the
question.

10. Where can DNS be attacked?
• If you have access to the machine you’d like to
poison, you can attack it locally.

11. Where can DNS be attacked?

12. Where can DNS be attacked?
• Between an end-user and a nameserver.
• This (typically) requires being able to inject
traffic into a local area network, which requires
access to that local area network.

13. Where can DNS be attacked?

14. Where can DNS be attacked?
• Between two nameservers in the DNS hierarchy.
• Until the Kaminsky attack, required being able
to inject traffic into a network local to the target
nameserver.

15. Where can DNS be attacked?

16. The Kaminsky Attack
• Until the Kaminsky attack surfaced, the notion
of poisoning a DNS cache was regarded as not
that big of an issue, as an attacker would need to
get lucky in terms of cache expiration.
• The Kaminsky attack effectively rid us of the
caching issue, thus making remote DNS cache
poisoning much, much easier.
• For a more detailed guide to the Kaminsky
attack - http://unixwiz.net/techtips/iguide-
kaminsky-dns-vuln.html

17. The Kaminsky Attack
Image courtesy of
Unixwiz.net

18. Defenses against DNS cache poisoning
• Query ID randomization
• Port randomization
• 0x20 encoding – randomly capitalizing
characters in the question fields gives added
entropy to check against for throwing out invalid
packets
• All of these are hacks!

19. DNSSEC
• DNSSEC is the official response to securing DNS.
• It’s been around for a while but is not widely
implemented.
• Changes to the internet take a long time to be
adopted!
• Uses asymmetric cryptography for authentication
between endpoints (signing).
• What do we know about the overhead of asymmetric
cryptography?
• Wikipedia has a great article on DNSSEC

20. Try it yourself!
• With virtual machines you can set up your own
DNS server, a client machine, and an attacker
machine and try poisoning the DNS server’s
cache on your own!
• http://www.cis.syr.edu/~wedu/seed/lab_env.ht
ml
• DO NOT DO THIS TO MACHINES YOU DO
NOT OWN
• DO NOT DO THIS TO MACHINES YOU DO
NOT OWN