
How to protect your infrastructure from DNS cache poisoning

Aug 16, 2018

When your company’s internet access, VoIP and email all depend on DNS, you have to ensure your DNS server is protected against DNS spoofing attacks. One solution: DNSSEC.


Domain Name System (DNS) is our root of trust and is one of the most critical components of the internet. It is a mission-critical service because if it goes down, a business’s web presence goes down.

DNS is a virtual database of names and numbers. It serves as the backbone for other services critical to organizations. This includes email, internet site access, voice over internet protocol (VoIP), and the management of files.

You hope that when you type a domain name that you are really going where you are supposed to go. DNS vulnerabilities do not get much attention until an actual attack occurs and makes the news. For example, in April 2018, public DNS servers that managed the domain for Myetherwallet were hijacked and customers were redirected to a phishing site. Many users reported losing funds out of their account, and this brought a lot of public attention to DNS vulnerabilities.

The fact that DNS has been around for a long time contributes to its security problems. By design, it is an open service on the network that is not properly monitored and that traditional security solutions cannot protect efficiently.

What is DNS cache poisoning?

DNS servers have vulnerabilities that attackers can exploit in order to take them over. DNS cache poisoning is one of the most popular attack methods of hackers.

When the attacker has control of a DNS server, they can modify the cache information; this is DNS poisoning. The code for DNS cache poisoning is often found in URLs sent via spam or phishing emails. These emails attempt to alert users to an event that requires immediate attention, which requires clicking the supplied URL, which in turn infects their computer. Banner ads and images are often used to redirect users to these infected sites.

The attacker could then control where you go when you try to access a financial site or any other site by redirecting you to a fake site. The attacker can send you to a page that launches a script that can download malware, key loggers, or worms to your device.

DNS servers access the caches of other DNS servers, and this is how it spreads — and potentially on a very large scale.

Risks of DNS cache poisoning

The primary risk with DNS poisoning is the theft of data. Hospitals, financial institution sites, and online retailers are popular targets and easily spoofed, which means that any password, credit card, or other personal information may be compromised. There is also the risk of a key logger being installed on your device, which would expose the usernames and passwords for other sites that you visit.

Another significant risk is that if an internet security provider’s site is spoofed, a user’s computer may be exposed to additional threats such as viruses or Trojans, because legitimate security updates will not be performed.

According to EfficientIP, the yearly average cost of DNS attacks is $2.236 million, and 23 percent of the attacks were from DNS cache poisoning.

Prevent DNS cache poisoning attacks

There are several measures organizations should take to prevent DNS cache poisoning attacks. One is that DNS servers should be configured to rely as little as possible on trust relationships with other DNS servers. Configuring them this way will make it much more difficult for an attacker to use their own DNS server to corrupt a targeted server.

Another measure that should be taken is to set up the DNS server so that only the services that are required are allowed to run. Having additional, unneeded services running on a DNS server only increases the attack surface.

Security staff should also make sure that the most current version of the DNS server software is being used. Newer versions of BIND have features such as cryptographically secure transaction IDs and source port randomization, which can help prevent cache poisoning attacks.

End user education is also very important in preventing these attacks. End users should receive training on identifying suspicious sites and on not clicking the “ignore” button if they receive an SSL warning before connecting to a site. They should also be consistently educated on identifying phishing emails and phishing via social media accounts.

Other measures that should be taken to prevent cache poisoning attacks are to only store data related to the requested domain and to restrict your responses to only provide information about the requested domain.
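The resolver-side checks described in this section (a response must carry the transaction ID and arrive on the source port of an outstanding query, must echo the question, and only records inside the queried zone's bailiwick are kept) are shown below as an added example; it is not code from the article and uses a constructed response message rather than live traffic. The names, port and addresses are assumptions, and the parser handles uncompressed names only, which is what the constructed message uses.

```python
import struct

def encode_name(name):  # wire form: length-prefixed labels, no compression
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def decode_name(msg, off):  # uncompressed name at off -> (lower-cased name, next offset)
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels).lower(), off + 1

def parse(msg):  # -> (txid, [(qname, qtype)], [(section, owner, rtype, rdata)])
    txid, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                                   # qtype + qclass
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            records.append((section, name, rtype, msg[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
    return txid, questions, records

def in_bailiwick(owner, zone):  # owner is the zone apex or lies beneath it
    return owner == zone or owner.endswith("." + zone)

def vet_response(pending, port, msg):
    """pending = (txid, src_port, qname, qtype, zone); returns cacheable records or None."""
    txid, questions, records = parse(msg)
    if (txid, port) != pending[:2]:                # a spoofer must guess both values
        return None
    if questions != [(pending[2], pending[3])]:    # question must echo our query
        return None
    return [r for r in records if in_bailiwick(r[1], pending[4])]

def build_response(txid, qname, qtype, counts, rrs):  # constructed test helper
    msg = struct.pack("!6H", txid, 0x8180, 1, *counts) + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in rrs:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

PENDING = (0x1A2B, 40512, "www.example.com", 1, "example.com")  # constructed: our outstanding query
RESPONSE = build_response(0x1A2B, "www.example.com", 1, (1, 0, 1), [
    ("www.example.com", 1, bytes([192, 0, 2, 10])),        # legitimate answer
    ("login.bank.example", 1, bytes([203, 0, 113, 5])),    # out-of-bailiwick "glue", must be dropped
])
```

Running `vet_response(PENDING, 40512, RESPONSE)` keeps only the www.example.com record; a response with a wrong transaction ID or arriving on a different port is rejected outright.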

DNSSEC as a solution

Tools are available to help organizations prevent cache poisoning attacks. The most widely used cache poisoning prevention tool is DNSSEC (Domain Name System Security Extensions). It was developed by the Internet Engineering Task Force and provides secure DNS data authentication.

When deployed, computers will be able to confirm whether DNS responses are legitimate, whereas unsigned DNS has no way of telling real responses from fake ones. DNSSEC also makes it possible to verify that a domain name does not exist at all, which can help prevent man-in-the-middle attacks.

DNSSEC verification starts from the root zone, a step sometimes called “signing the root.” When an end user attempts to access a site, a stub resolver on their computer requests the site’s IP address from a recursive name server. After the server requests the record, it also requests the zone’s DNSSEC key. The key is then used to verify that the IP address record is the same as the record on the authoritative server.

Next, the recursive name server verifies that the address record came from the authoritative name server. It then verifies whether the record has been modified and that it resolves to the correct domain source. If the source has been modified, the recursive name server will not allow the connection to the site to occur.

DNSSEC is becoming more prevalent. Many government institutions and financial organizations are making DNSSEC a requirement, as leaving zones unsigned ignores a known DNS weakness and leaves your systems open to various spoofing attacks. It is important for organizations to consider deploying it to protect their data.


Mark Dargin is an experienced network and security architect/leader. He has over 18 years of experience designing, managing, and securing complex WAN and LAN infrastructures for large and medium-sized organizations.

Mark’s experience includes leading and managing large scale compliance and risk management initiatives and programs. He is a member of the Michigan Cybersecurity Civilian Corps., a rapid response team of experienced IT security volunteers who will assist the state and industries during major cybersecurity incidents. He is also a graduate of the FBI citizen’s academy in Detroit and a member of InfraGard.

Mark holds a bachelor’s degree in Business Management and Communications from the University of Michigan-Dearborn and a master’s degree in Business Information Technology from Walsh College in Troy, Michigan. He recently completed the Advanced Computer Security Certificate program at Stanford University. Mark holds various active certifications, including the CISSP (Certified Information Systems Security Professional), CCNP (Cisco Certified Network Professional), PMP (Project Management Professional), GIAC GMON (Continuous Monitoring & Security Operations), CCSA (Checkpoint Certified Security Administrator) and ITIL (Information Technology Infrastructure Library).