Interesting info on DNS poisoning

How does DNS get poisoned?

A DNS server goes through a few steps before it starts redirecting Web surfers to bogus sites.

Most people's PCs access a DNS server at an Internet service provider or within a company to map text-based Internet addresses to actual IP addresses. One DNS server can be used by thousands of Internet users.

For performance reasons, DNS servers cache the returned data, so that it takes less time to respond to the next request. When a DNS cache is poisoned, it affects all future lookups of the affected domain, for everyone who uses that particular DNS server.

To poison a DNS server:
* First, the target DNS server has to be tricked into querying a malicious DNS server set up by the attacker. This can be done, for example, by sending an e-mail message to a nonexistent user at the target ISP: the ISP's mail server has to look up the sender's domain to return the bounce, and that lookup goes to the attacker's name server. Another way is to send an e-mail with an externally hosted image to an actual user, whose mail client looks up the image's host when it renders the message.

* The target DNS server then queries the attacker's DNS server. In the DNS reply, the scammer includes extra records, beyond the one that was asked for, that will poison the victim's DNS cache. The extra information can be a single malicious hostname-to-IP mapping or even an entire domain space, such as .com.

* If the target DNS server is not configured properly, it accepts the extra records as if they were authoritative, overwriting the correct entries in its cache.

* Once this has occurred, any queries sent to the DNS server for the affected names are answered with the replacement IP addresses set by the attacker. If a domain space is poisoned, all queries for names ending in that domain are redirected.
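The "configured properly" part of step 3 is the bailiwick check: a cache only keeps records the answering server was actually delegated for. The following is an added Python example, not code from the original post or from any real resolver; it assumes the resolver knows which zone it delegated the query to and represents records as simple name/type/value tuples, with a constructed reply that carries the kind of extra records described above.

```python
"""Bailiwick check: drop DNS records a server had no authority to hand out."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "www.bank.example"
    rtype: str  # record type, e.g. "A" or "NS"
    value: str  # rdata, e.g. "192.0.2.10"


def _normalize(name: str) -> str:
    # Lower-case and strip the trailing dot so "COM." and "com" compare equal.
    return name.lower().rstrip(".")


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is the delegated zone itself or a name below it."""
    rec, z = _normalize(record_name), _normalize(zone)
    if z == "":             # the root zone covers every name
        return True
    # The leading dot stops "evil-attacker.example" matching "attacker.example".
    return rec == z or rec.endswith("." + z)


def filter_response(zone: str, records: list[Record]) -> tuple[list[Record], list[Record]]:
    """Split a reply into records the cache may keep and records it must drop."""
    kept, dropped = [], []
    for r in records:
        (kept if in_bailiwick(r.name, zone) else dropped).append(r)
    return kept, dropped


# Constructed sample: the resolver was delegated to attacker.example's server and
# asked about mx.attacker.example; the reply smuggles in records for other zones.
SAMPLE_ZONE = "attacker.example"
SAMPLE_REPLY = [
    Record("mx.attacker.example", "A", "203.0.113.5"),    # legitimate answer
    Record("www.bank.example", "A", "203.0.113.6"),       # out of bailiwick
    Record("com", "NS", "ns.attacker.example"),           # whole .com space
    Record("evil-attacker.example", "A", "203.0.113.7"),  # suffix look-alike
]

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_ZONE, SAMPLE_REPLY)
    for r in kept:
        print("cache:", r)
    for r in dropped:
        print("drop: ", r)
```

Only the legitimate mx.attacker.example record survives; the bank hostname, the .com delegation and the look-alike suffix are all discarded before they can reach the cache.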

Source: SANS Internet Storm Center, CNET News.com
All content licensed under the Creative Commons License