Principle and Defense of DNS Cache Poisoning Attack
1. Attack Description
DNS Cache Poisoning is an attack method where attackers inject forged DNS records into a DNS resolver, causing it to cache incorrect mappings between domain names and IP addresses. When users visit the poisoned domain, they are redirected to malicious servers, potentially leading to phishing attacks, malware distribution, and other risks.
2. DNS Fundamentals Review
- DNS Function: Translates domain names (e.g., www.example.com) into IP addresses (e.g., 93.184.216.34).
- Recursive Resolver: User devices typically send queries to a recursive resolver (e.g., ISP DNS). If the resolver's cache lacks the record, it queries authoritative servers, such as root name servers and top-level domain (TLD) servers, step by step.
- Key Fields:
- Query ID (16-bit): An identifier matching requests and responses.
- Source Port: The random port used by the resolver to send queries.
3. Detailed Attack Principle
Step 1: Attacker Triggers Recursive Resolver Query
The attacker sends a query for a malicious domain (e.g., evil.com) to the target recursive resolver, forcing the resolver to send its own query to the authoritative server.
Step 2: Forge DNS Response
While the resolver awaits the authoritative server's response, the attacker forges a large number of fake responses, attempting to meet the following conditions:
- Match Query ID: The Query ID in the forged response must match the random ID generated by the resolver.
- Match Source Port: The UDP source port in the forged response must match the port used by the resolver to send the query.
- Match Query Domain: The domain name in the forged response must exactly match the domain queried by the resolver.
Step 3: Compete with Authoritative Server Response
The forged response must be accepted by the resolver before the legitimate response from the authoritative server arrives. Since the UDP protocol lacks a handshake process, the resolver accepts the first arriving response with a valid format.
Step 4: Poison the Cache
If the forged response wins, the resolver caches the incorrect IP record (e.g., mapping www.example.com to an attacker-controlled IP). Subsequent user queries for that domain will be redirected to the malicious IP.
4. Attack Challenges and Enhancement Methods
- Traditional Attack Challenges:
- The Query ID is only 16 bits, allowing for at most 65,536 possibilities, but attackers can send batches of forged responses to cover all possible IDs.
- Source port randomization increases the difficulty of cracking (port range: 0~65535).
- Kaminsky Attack (2008):
- The attacker first queries a non-existent subdomain (e.g., a1b2c3.example.com), simultaneously forging an authoritative response for that subdomain and adding forged NS records for example.com.
- If successful, the resolver caches the incorrect authoritative server address for example.com, leading to the hijacking of all subdomain resolutions.
5. Defense Measures
- DNSSEC (DNS Security Extensions):
- Uses digital signatures to verify the authenticity of DNS responses, preventing forgery.
- Drawback: Complex deployment requires support from both authoritative servers and recursive resolvers.
- Enhanced Randomization:
- Uses a wider range of random source ports (e.g., 0~65535) to increase the attacker's guessing difficulty.
- Reduce Cache Sensitivity:
- Be cautious when caching responses for non-existent domains and avoid accepting additional records (e.g., restrict NS record caching).
- Operational Strategies:
- Configure recursive resolvers to trust only specific authoritative servers.
- Disable recursive queries from external sources to reduce the attack surface.
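As an added example (not code from the original article), the following Python implements the resolver-side checks described above: the three matching conditions of Step 2 (Query ID, source port, queried name) and the record restriction from this section, which drops any record whose owner name lies outside the zone being queried (the bailiwick rule). The test message is a constructed Kaminsky-style response; ns.evil.com and 203.0.113.5 are made-up sample values.

```python
import struct

def encode_name(name):
    """Encode 'www.example.com' as DNS labels: b'\\x03www\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode a name at offset, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            end = end or off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        if ln == 0:
            return ".".join(labels), (end or off + 1)
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def build_response(txid, qname, ans, auth, add):
    """Build a plain (uncompressed) response; a record is (owner, rtype, rdata)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000, 1, len(ans), len(auth), len(add))
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in ans + auth + add:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body

def in_bailiwick(owner, zone):
    o, z = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)            # zone apex or below it

def check_response(pending, resp, src_port):
    """pending = {txid, port, qname, zone}; returns (accepted, kept, dropped)."""
    txid, flags, _, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if (src_port != pending["port"] or txid != pending["txid"]
            or not flags & 0x8000):                 # port, Query ID, QR bit
        return False, [], []
    qname, off = decode_name(resp, 12)
    if qname.lower() != pending["qname"].lower():   # question must match
        return False, [], []
    off += 4                                        # skip QTYPE/QCLASS
    kept, dropped = [], []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(resp, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            rec = (section, owner, rtype, resp[off + 10:off + 10 + rdlen])
            off += 10 + rdlen
            (kept if in_bailiwick(owner, pending["zone"]) else dropped).append(rec)
    return True, kept, dropped
```

With the bailiwick rule in place, a forged NS record for example.com survives only if the Query ID and port race is won, and the out-of-zone A record for its name server is discarded rather than cached as glue.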
6. Practical Impact
Successful poisoning can lead to large-scale user redirection to malicious websites. Combined with SSL stripping attacks, it can bypass HTTPS protection. Therefore, DNSSEC and strict randomization strategies are core defense measures.