Imagine a huge bunch of keys, each tagged with the lock it opens🔐. Now a culprit rushes in, intentionally shuffles the key tags and leaves the room. The manager can put in a hell of a lot of effort and still never find the key for a particular lock, simply because the tags are mismatched. Let’s relate this to DNS poisoning.
Domain Name Server (DNS) cache poisoning is an attack in which altered DNS records are used to redirect online traffic to a malicious website that resembles its intended destination. Here, the locks are the IP addresses and the tags are the DNS records. We can’t open a lock until we bring the correct key; in the same way, traffic keeps being redirected to the wrong place for as long as the DNS records are inaccurate.
How does DNS caching work?
A DNS resolver resolves domain names to IP addresses. We humans are far more comfortable with domain names than with hard-to-remember IP addresses. A DNS resolver stores the answers it receives for a certain amount of time (the TTL, Time to Live). This is how the resolver serves repeated requests more quickly, without having to contact other DNS servers again.
How is DNS poisoning done?
Attackers poison DNS records by impersonating a nameserver and altering the reply to a query. The user then gets a totally unexpected result, and that result is also stored in the resolver’s cache. Once the resolver has cached a wrong entry, it has no legitimate source against which to verify that value, so it keeps serving the bad answer for as long as the entry lives in the cache.
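To make the caching and “no legitimate source to verify” points concrete, here is an added Python model of a stub resolver’s cache (example code written for this article, not taken from any real resolver). It assumes a simplified response record (transaction ID, source port, question, answers, TTL) and shows the defender-side checks a resolver must apply before it lets a reply into its cache, plus TTL-based expiry; real resolvers add DNSSEC validation on top of this.

```python
import time
from dataclasses import dataclass


@dataclass
class DnsResponse:
    """Simplified DNS reply (constructed for this example)."""
    txid: int        # 16-bit transaction ID echoed from the query
    src_port: int    # UDP port the query left from, echoed by the server
    qname: str
    qtype: str
    answers: list    # e.g. ["93.184.216.34"]
    ttl: int         # seconds the answer may be cached


class Resolver:
    """Toy stub-resolver cache; `now` is injectable so TTL expiry is testable."""

    def __init__(self, now=time.time):
        self.now = now
        self.cache = {}    # (qname, qtype) -> (answers, expires_at)
        self.pending = {}  # (qname, qtype) -> (txid, src_port) awaiting a reply

    def send_query(self, qname, qtype, txid, src_port):
        # Remember exactly what we asked and how; only a reply that matches
        # every one of these identifiers is allowed to populate the cache.
        self.pending[(qname.lower(), qtype)] = (txid, src_port)

    def accept_response(self, r):
        key = (r.qname.lower(), r.qtype)
        expected = self.pending.get(key)
        if expected is None:
            return False  # unsolicited reply: no outstanding query for it
        if expected != (r.txid, r.src_port):
            return False  # ID or port does not match the query we sent
        del self.pending[key]
        # The resolver has no further way to check the answer itself:
        # whatever passed the checks above is now trusted until the TTL ends.
        self.cache[key] = (list(r.answers), self.now() + r.ttl)
        return True

    def lookup(self, qname, qtype):
        key = (qname.lower(), qtype)
        entry = self.cache.get(key)
        if entry is None:
            return None
        answers, expires_at = entry
        if self.now() >= expires_at:
            del self.cache[key]  # TTL elapsed: evict the stale entry
            return None
        return answers
```

The checks in `accept_response` are why resolvers randomise both the transaction ID and the source port: a reply that fails to match either is dropped before it can ever reach the cache.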
The Great Firewall of China (GFW) is an example of DNS poisoning on a very large scale. One of the primary query-filtering methods the GFW relies on is DNS response poisoning: when a query is poisoned by the GFW, the forged result is returned to the client, and it ends up in resolver caches as well.
Such attacks can be prevented with DNSSEC (DNS Security Extensions), which adds security at the DNS level by cryptographically signing DNS records so that a resolver can verify that the answers it receives came from the legitimate zone and were not altered on the way.