CAPEC-142 - DNS Cache Poisoning

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An attacker modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the attacker specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Attackers can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods: Injection
  • Purposes: Penetration, Exploitation

Medium level: to overwrite or modify the targeted DNS cache

A DNS cache must be vulnerable to some attack that allows the attacker to replace addresses in its lookup table.

Client applications must trust the corrupted cached values and use them for their domain name resolutions.

The attacker must have the resources to modify the targeted cache. In addition, in most cases the attacker will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the attackers' goals.

Step 1 - Explore resolver caches

Check the DNS caches on the local DNS server and on the client's browser, if it has DNS caching enabled.

Technique ID: 1 - Environment(s) env-All

Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.

Technique ID: 2 - Environment(s) env-All

Figure out if the client's browser has DNS cache enabled.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Found no entry in the resolver cache

Indicator ID: 2 - Environment(s) env-All

Type: Negative

The results show target DNS entry in DNS server


Security Control ID: 1

Type: Detective

Network scans can be logged in system logs. The scans may come from an unknown local IP address.


Outcome ID: 1

Type: Success

A list of DNS server information. No target entry found in the resolver cache.

Outcome ID: 2

Type: Failure

The results show target DNS entry in DNS server.



Step 1 - Attempt sending crafted records to DNS cache

A request is sent to the authoritative server for the target website, and the attacker waits for the iterative name resolver. The attacker sends a bogus request to the local DNS server and then floods it with responses that trick the DNS cache into remembering the malicious responses, which are wrong answers to the DNS query.

Technique ID: 1 - Environment(s) env-CommProtocol

The attacker must know the transaction ID, either by intercepting a DNS query or by sending a bogus query with a known transaction ID.

Technique ID: 2 - Environment(s) env-CommProtocol

If the transaction ID used to identify each query instance is randomized, as it is in newer DNS software, the attacker must guess the transaction ID. Slowing the response of the real DNS server by causing a denial of service gives the attacker enough time to guess the transaction

Technique ID: 3 - Environment(s) env-CommProtocol

The attacker crafts a DNS response with the same transaction ID as the request and sends it before the authoritative DNS server responds. This causes the local DNS cache to store the fake DNS response (the wrong answer). The fake DNS responses usually include a malicious website's IP address.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

The DNS request that the attacker intercepts includes the transaction ID.

Indicator ID: 2 - Environment(s) env-All

Type: Positive

The attacker successfully sends a DNS response before the authoritative DNS server does.

Indicator ID: 3 - Environment(s) env-All

Type: Inconclusive

Transaction ID has been randomized.

Indicator ID: 4 - Environment(s) env-All

Type: Inconclusive

The DNS server cache already holds the correct name and IP address entry. In this case, the attacker needs to find a way to overwrite the table entry to succeed.

Indicator ID: 5 - Environment(s) env-All

Type: Inconclusive

The attacker fails to send a DNS response before the authoritative DNS server does. In this case, the attacker needs to find a way to overwrite the table entry to succeed.


Security Control ID: 1

Type: Detective

Monitor the log file for a large number of DNS responses sent from the same host. That host may be controlled by the attacker.
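One way to implement this detective control, as an added example that is not part of the CAPEC entry and not taken from any resolver's code: parse resolver log lines, group responses by source host and queried name, and raise an alert when one host sends a burst of responses for the same name within a short window. The log format, the hosts, the names and the threshold are all constructed for the example; a real deployment would adapt the regular expression to its resolver's log format.

```python
"""Detect bursts of DNS responses from a single host (added example).

The log format below is constructed for this example; it is not the output
of any particular resolver. Many responses for one name from one source,
each with a different transaction ID, is the pattern a transaction-ID
guessing attempt leaves behind.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per DNS response seen by the resolver.
# 198.51.100.7 sends six responses for www.example.com within 250 ms;
# 192.0.2.10 is the legitimate name server answering once per query.
SAMPLE_LOG = """\
2024-01-01T10:00:00.000 resp src=198.51.100.7 txid=0x1a2b qname=www.example.com
2024-01-01T10:00:00.050 resp src=198.51.100.7 txid=0x1a2c qname=www.example.com
2024-01-01T10:00:00.100 resp src=198.51.100.7 txid=0x1a2d qname=www.example.com
2024-01-01T10:00:00.150 resp src=198.51.100.7 txid=0x1a2e qname=www.example.com
2024-01-01T10:00:00.200 resp src=198.51.100.7 txid=0x1a2f qname=www.example.com
2024-01-01T10:00:00.250 resp src=198.51.100.7 txid=0x1a30 qname=www.example.com
2024-01-01T10:00:00.300 resp src=192.0.2.10 txid=0x1a2d qname=www.example.com
2024-01-01T10:00:30.000 resp src=192.0.2.10 txid=0x7f01 qname=mail.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) resp src=(?P<src>\S+) txid=(?P<txid>0x[0-9a-fA-F]+) "
    r"qname=(?P<qname>\S+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "txid": int(m["txid"], 16),
            "qname": m["qname"],
        })
    return events


def find_response_floods(events, window=timedelta(seconds=2), threshold=5):
    """Return one alert per (source, qname) that reaches `threshold`
    responses inside any sliding window of length `window`.

    The alert records how many distinct transaction IDs appeared in that
    window: a legitimate server repeats one ID per query, a guesser cycles
    through many.
    """
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["src"], ev["qname"])].append(ev)

    alerts = []
    for (src, qname), evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits within `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                txids = {e["txid"] for e in evs[start:end + 1]}
                alerts.append({
                    "src": src,
                    "qname": qname,
                    "count": count,
                    "distinct_txids": len(txids),
                })
                break  # one alert per (src, qname) is enough
    return alerts


if __name__ == "__main__":
    for alert in find_response_floods(parse_log(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are deliberately parameters: on a busy resolver a legitimate authoritative server may answer many queries for a popular name in two seconds, so tune them against normal traffic and weight the `distinct_txids` count, which is the part a legitimate server does not produce.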


Outcome ID: 1

Type: Success

Any local machine whose user types the name of the legitimate server is redirected to a malicious server.

Outcome ID: 2

Type: Failure

Any local machine whose user types the name of the legitimate server is not redirected to a malicious server.



Step 1 - Redirect users to malicious website

Once the attacker succeeds in exploiting the vulnerability, the victim connects to a malicious site while using the legitimate web site's domain name.

Technique ID: 1 - Environment(s) env-Web

Web traffic is redirected to a site that looks enough like the original not to raise any suspicion.

Technique ID: 2 - Environment(s) env-Web

A man-in-the-middle intercepts the secure communication between the two parties.

Security Control ID: 1

Type: Preventative

Upgrade BIND to the latest version.

Security Control ID: 2

Type: Preventative

DNS servers should be less trusting of the information passed to them by other DNS servers, and should ignore any DNS records passed back that are not directly relevant to the query.

Security Control ID: 3

Type: Preventative

Use source port randomization for DNS requests, drawn from cryptographically secure random numbers, to greatly reduce the probability of successful DNS race attacks.
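Security Control 2 is usually called a bailiwick check: a resolver only caches records whose owner name lies inside the zone the answering server is responsible for, and it drops any response whose transaction ID does not match the outstanding query. The following is an added example of that filter on the resolver side; it is not code from CAPEC or from any DNS implementation, and the `Record`/`DnsResponse` classes, the hypothetical `filter_response` function and the sample addresses are constructed simplifications of a parsed DNS message.

```python
"""Bailiwick check for DNS responses (added defensive example).

Not code from CAPEC or any resolver; Record and DnsResponse are a
constructed simplification of a parsed DNS message, not a library's types.
"""
from dataclasses import dataclass, field


@dataclass
class Record:
    name: str    # owner name of the record
    rtype: str   # "A", "NS", ...
    rdata: str   # record data (an address or a host name here)


@dataclass
class DnsResponse:
    txid: int
    qname: str
    answers: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def _norm(name: str) -> str:
    """Case-fold and strip the trailing dot so names compare reliably."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is the zone apex itself or lies below it."""
    o, z = _norm(owner), _norm(zone)
    return o == z or o.endswith("." + z)


def filter_response(resp: DnsResponse, expected_txid: int, zone: str):
    """Return (kept, dropped).

    A response whose transaction ID does not match the outstanding query is
    dropped entirely. Otherwise only records whose owner name is inside the
    zone the queried server is authoritative for are kept, so an additional
    record for some unrelated domain never reaches the cache.
    """
    all_records = resp.answers + resp.authority + resp.additional
    if resp.txid != expected_txid:
        return [], all_records
    kept, dropped = [], []
    for rec in all_records:
        (kept if in_bailiwick(rec.name, zone) else dropped).append(rec)
    return kept, dropped


# Constructed sample: the resolver asked example.com's name server for
# www.example.com with transaction ID 0x1a2d. The reply carries a legitimate
# answer and glue, plus an additional record for a name outside example.com.
SAMPLE_RESPONSE = DnsResponse(
    txid=0x1a2d,
    qname="www.example.com.",
    answers=[Record("www.example.com.", "A", "192.0.2.80")],
    authority=[Record("example.com.", "NS", "ns1.example.com.")],
    additional=[
        Record("ns1.example.com.", "A", "192.0.2.53"),
        Record("www.bank.test.", "A", "198.51.100.66"),  # out of bailiwick
    ],
)

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_RESPONSE, 0x1a2d, "example.com.")
    print("cached:", [r.name for r in kept])
    print("discarded:", [r.name for r in dropped])
```

The zone passed to `filter_response` is the one the resolver believes the queried server to be authoritative for, taken from its own delegation chain and never from the response being checked; letting the response declare its own bailiwick would defeat the point of the control.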


Outcome ID: 1

Type: Success

Any local machine whose user types the name of the legitimate server is redirected to a malicious server.

Outcome ID: 2

Type: Success

The attacker accepts the incoming SSL connection, decrypts it, reads all the traffic, and makes the same request via SSL to the original site.

Outcome ID: 3

Type: Failure

Any local machine whose user types the name of the legitimate server is not redirected to a malicious server.



Configuration: Make sure your DNS servers have been updated to the latest versions.

Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.

Configuration: Disable client side DNS caching.