
International Journal of Advanced Research in Basic Engineering Sciences and Technology (IJARBEST)

A Case Study Solution to DNS Cache Poisoning Attacks


Siddhant Agarwal 1, Sanket Pramanick 1, Nidhi Bhandari 2, Dr. G. Usha 3*
1,2,3 Department of Software Engineering, SRM University,
Kattankulathur, Tamil Nadu 603203, India
[email protected], [email protected]

Abstract— In this paper we discuss the DNS cache poisoning attack, which exploits vulnerabilities in the Domain Name System to divert Internet traffic away from legitimate servers and towards fake ones. DNS converts human-readable addresses like “google.com” to computer-readable IP addresses like “173.194.67.102”. The Internet service provider runs its own DNS servers, which cache information from other DNS servers. The home router functions as a DNS server, which caches information from the ISP’s DNS servers. The computer has a local DNS cache, so it can quickly refer to DNS lookups it has already performed rather than performing the same lookup over and over again. A DNS cache becomes poisoned if it contains an incorrect entry. For example, suppose an attacker gets control of a DNS server and changes some of the information on it, say by making google.com point to an IP address the attacker owns. That DNS server would tell its users to look for google.com at the wrong address, and the attacker’s address could host some sort of malicious phishing website. DNS poisoning like this can also spread. For example, if various Internet service providers are getting their DNS information from the compromised server, the poisoned DNS entry will spread to those ISPs and be cached there. It will then spread to home routers and the DNS caches on computers as they look up the DNS entry, receive the incorrect response, and store it. First, this paper provides an introduction to DNS systems with an architecture diagram. Second, it discusses various case studies in the literature. Third, it suggests solutions to avoid the DNS cache poisoning attack.

Keywords- DNS; DNS cache poisoning; DNS protection

1. INTRODUCTION

DNS stands for “Domain Name System.” Domain names are the human-readable website addresses that everyone uses in day-to-day life[1]. DNS works transparently in the background to convert human-readable website names into computer-readable numerical IP addresses. DNS suffers from various types of security problems. One of the most serious is known as DNS cache poisoning.

DNS cache poisoning, also called domain name system (DNS) poisoning, is the process of corrupting an Internet server's domain name system table by replacing an Internet address with another, rogue (malicious) address[2]. When a user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address.

ISSN(Online) : 2456-5717 91 Vol. 3, Special Issue 36, March 2017

The following Fig. 1 is an example of a DNS cache poisoning attack. The attacker replaces the address record in the local DNS server. The home client forwards the domain name and the (malicious) IP using an HTTP client. In this way the DNS cache gets poisoned and the malicious packet gets forwarded from one client to another. Next we discuss the cache poisoning technique in detail.

Fig. 1: DNS Cache Poisoning Attack Example

DNS Cache Poisoning Technique

To perform a cache poisoning attack, the attacker exploits flaws in the DNS software. A server that wants to validate DNS data checks the DNS responses to ensure that they come from an authoritative source (for example by using DNSSEC); otherwise the server ends up caching incorrect entries locally and serving them to other users that make the same request. In a cache poisoning attack, the attacker redirects the user from one website to another. The attacker does this with the help of IP address spoofing: the attacker spoofs the IP address DNS entries[3] for a target website on a given DNS server and replaces them with the IP address of a server under their control. The attacker then creates files on the server under their control with names matching those on the target server. These files usually contain malicious content, such as computer worms or viruses. A user whose computer has referenced the poisoned DNS server gets tricked into accepting content from a non-authentic server and unknowingly downloads the malicious content. This technique is used for phishing attacks. A phishing attack creates a fake version of a genuine website in order to collect personal details such as bank and credit/debit card details.

DNS poisoning attacks spread easily. For example, if various Internet service providers are getting their DNS information from the compromised server, the poisoned DNS entry will spread to those ISPs and be cached there. Then the entries will spread to home routers and the DNS caches on computers as they look up the DNS entry, receive the incorrect response, and store it. In the next section, we discuss the architecture of DNS.

2. DNS ARCHITECTURE

Fig. 2 explains the architecture of DNS. The DNS architecture consists of two components:

- Name servers
- Resolvers

Name Servers:

Name servers are databases that store DNS information. They are more like a repository. They help in answering queries by looking up the information they already possess.


Resolver: Resolvers act as an interface between the clients and the name servers. They comprise the algorithms required to find the information queried by the client. These methods can be structured according to the needs of the environment. The resolver function can either be centralized in one or more special name servers or be separated out into hosts such as PCs, in which case it is known as a stub resolver.

Fig. 2: DNS System Architecture

The DNS name space[4] is the naming system on which the DNS is based. It is a hierarchical and logical tree structure of variable depth where each node in the tree has a label. The root is reserved as the zero-depth label. Currently, domain name space search operations are case insensitive.

Mechanisms in DNS

The DNS offers two mechanisms to send and receive data between the ultimate source and destination, namely zones and caching. Zones are sections of the system-wide distributed database which belong to specific organizations. The organization owning a specific zone is responsible for distributing current copies of the zone to various servers, which make the zone available to clients across the Internet. Caching is a mechanism in which data acquired in response to a client’s request is stored on the local server against future requests by the same or different clients.

Fig. 3: Mechanisms in DNS (Zones, Caching)

One major operation carried out by the name server is to respond to queries from a local or remote resolver, or from another name server acting on behalf of the name server. The stub resolver is a software library installed on the host or PC which converts a user or application request into a query to the DNS. A typical query means locating the IP address of the Uniform Resource Locator (URL) entered by the user. The resolver will identify a locally configured DNS server to perform the queries.
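The following Python model is an added illustration, not code from the paper. It ties together the pieces just described (authoritative name servers holding zones, a stub resolver on the PC forwarding to the home router and then to the ISP resolver, the ISP resolver walking the hierarchy iteratively from the root, and a cache at each hop) and then reproduces the spreading behaviour from Sections 1 and 2: one incorrect entry planted in the ISP cache is copied into the router and PC caches as soon as they ask for that name. All zone names and addresses are constructed (documentation address ranges), and TTLs are deliberately omitted.

```python
"""Toy model of the DNS hierarchy described in Section 2: authoritative name
servers holding zones, caching resolvers chained PC -> home router -> ISP, and
iterative lookups walking root -> TLD -> authoritative. Added example, not code
from the paper; every name and address below is constructed."""
from dataclasses import dataclass, field


@dataclass
class NameServer:
    """Authoritative server for one zone (a slice of the system-wide database)."""
    zone: str                                        # "." for root, "com.", "example.com."
    records: dict = field(default_factory=dict)      # owner name -> IPv4 (A records)
    delegations: dict = field(default_factory=dict)  # child zone -> NameServer

    def answer(self, qname):
        """Iterative behaviour: give the answer if held, else refer the asker to
        the child zone that covers qname, else report that the name is unknown."""
        if qname in self.records:
            return ("answer", self.records[qname])
        for child, server in self.delegations.items():
            if qname.endswith("." + child):
                return ("referral", server)
        return ("nxdomain", None)


class CachingResolver:
    """Resolver with a local cache. With an upstream it forwards queries (home
    router or stub resolver); without one it resolves recursively itself (ISP)."""

    def __init__(self, name, root=None, upstream=None):
        self.name = name
        self.root = root
        self.upstream = upstream
        self.cache = {}            # qname -> IPv4; TTLs omitted in this toy
        self.queries_sent = 0      # iterative queries this resolver issued

    def resolve(self, qname):
        if qname in self.cache:                     # cache hit: no network traffic
            return self.cache[qname]
        if self.upstream is not None:
            ip = self.upstream.resolve(qname)       # forward, like a stub resolver
        else:
            ip = self._iterate(qname)               # full recursive resolution
        if ip is not None:
            self.cache[qname] = ip                  # store whatever came back
        return ip

    def _iterate(self, qname):
        """Walk the hierarchy from the root, following referrals."""
        server = self.root
        while True:
            self.queries_sent += 1
            kind, value = server.answer(qname)
            if kind == "answer":
                return value
            if kind == "referral":
                server = value
            else:
                return None


def build_hierarchy():
    """Constructed zones: root -> com. -> example.com., plus the resolver chain."""
    example = NameServer("example.com.", records={"www.example.com.": "192.0.2.10"})
    com = NameServer("com.", delegations={"example.com.": example})
    root = NameServer(".", delegations={"com.": com})
    isp = CachingResolver("isp", root=root)
    router = CachingResolver("router", upstream=isp)
    pc = CachingResolver("pc", upstream=router)
    return root, isp, router, pc


def demo_lookup_and_spread():
    """Normal lookup, then a cache hit, then how one bad ISP cache entry spreads
    down to the router and PC caches exactly as Section 1 describes."""
    root, isp, router, pc = build_hierarchy()
    first = pc.resolve("www.example.com.")          # root -> com -> example.com
    queries_first = isp.queries_sent                # 3 iterative queries
    second = pc.resolve("www.example.com.")         # served from the PC cache
    queries_second = isp.queries_sent               # still 3
    # Constructed poisoned entry planted in the ISP cache (no real address).
    isp.cache["login.example.com."] = "203.0.113.66"
    wrong = pc.resolve("login.example.com.")        # router and PC now cache it too
    return {
        "first": first,
        "iterative_queries": queries_first,
        "cache_hit": second,
        "queries_after_hit": queries_second,
        "poisoned": wrong,
        "router_cached": router.cache.get("login.example.com."),
        "pc_cached": pc.cache.get("login.example.com."),
    }


if __name__ == "__main__":
    for key, value in demo_lookup_and_spread().items():
        print(f"{key}: {value}")
```

Running the script shows the first lookup costing three iterative queries (root, com., example.com.), the repeat costing none, and the planted ISP entry being returned to the PC and stored in both downstream caches without any of them having contacted an authoritative server.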

Types of queries

Fig. 4: Types of Queries (Recursive Queries, Iterative Queries)

Recursive queries are those in which the recipient name server does all the work necessary to return the complete response to the query. Responding to a query recursively involves multiple transactions with the name servers and other name server systems. Name servers do not necessarily support recursive queries.

Iterative queries are those in which a name server responds with the answer if it has one; otherwise it returns the useful information it holds, but it does not make additional queries to other name server systems. Name servers must support iterative queries. In the next section we discuss a case study of the DNS cache poisoning technique.

3. CASE STUDY

Recently there were disturbing reports out of Turkey. The Turkish Government attempted to block social media such as Twitter[5] and YouTube. The Turkish Internet Service Providers (ISPs) hijacked the routes to the public DNS servers that provide service to the citizens. To make this work, the Turkish ISPs performed a “Man-In-The-Middle” (MITM) attack against their own citizens, giving them false information. The situation was highlighted when The Internet Society made a statement on the subject, explaining its “deep concern” for the situation, with its Chief Internet Technology Officer describing how these moves “represent an attack not just on DNS Infrastructure, but on the global Internet routing system itself.”

When the Turkish ISPs started implementing the government's ban on social media, they simply blocked the sites in their DNS servers. Whenever a Turkish citizen tried to access the social media sites, the ISPs failed to return a response even though the citizen's device queried DNS to get the correct IP address to connect to. But the flaw was that Turkish citizens could override the ban by changing their device's DNS settings to point to the open public DNS resolvers operated by Google. Then the Turkish ISPs started blocking the addresses of Google Public DNS servers and other similar services, engaging in the typical kind of “whack-a-mole” game with their citizens, who kept finding new ways to get around the censorship while the ISPs tried to close them down.

After a few days, the Turkish ISPs took it to a whole new level by hijacking Border Gateway Protocol (BGP) routes and pretending to be the DNS servers of Google Public DNS itself and other similar services. That is, the devices of Turkish citizens who had changed their DNS settings to Google Public DNS servers were getting their requests answered by the Turkish ISPs. Unfortunately, the Turkish citizens were receiving wrong answers from the Turkish ISPs instead of what they intended to get (YouTube or Twitter).

DNS servers are often compared to a phone book, since they give the computer the address of the correct, quick, secure server it is looking for, the same way someone looks up a phone number in a phone book. But someone can swap the phone book for another one, which seems pretty much the same as the former, except that the listings for a few contacts show wrong phone numbers. That is exactly what happened in this case. The Turkish ISPs set up servers that masqueraded as Google Public DNS servers.

As a result, the Turkish ISPs started “advertising” a more specific (wrong) route for the Google Public DNS services. More specifically, the normal Google Public DNS route is “8.8.8.0/24”; instead, they advertised the route “8.8.8.8/32”, which redirected to their own network. In BGP, a network device reaches a given IP address by selecting the most specific route. In this case, all the routers on the networks were steered to the Turkish ISPs by their false route for the Google Public DNS services.

In this way the Turkish ISPs were delivering false DNS information to Turkish citizens. This allowed the Turkish ISPs to extract personal information of citizens very easily, and it also opened new opportunities for crackers to obtain the personal information of the citizens of Turkey.

4. SOLUTION TO PREVENT CACHE POISONING ATTACKS

One of the most readily available defences against DNS attacks is to secure the attack points on the network infrastructure. There should be proper use of firewalls, and patches for known vulnerabilities should be applied periodically.

A specific technique to foil DNS attacks involves randomizing source ports on the DNS requester[6]. When this technique is applied, a DNS packet that does not come from a trusted source (i.e. from an attacker) has approximately a 1/2^16 chance of reaching the victim; otherwise the requester will know that this is an attack and the packets are discarded.

DNS resolution software can be implemented which polls multiple other DNS servers in the event that the resolver running the software does not have information on a particular DNS server. Through this method, a DNS server can be identified as malicious and its effect ignored. But if the attacker gains control over more than half of the servers in a DNS region, then the security of the DNS servers could still be defeated.

DNS servers should be less trusting of information passed to them by other DNS servers. Moreover, they should ignore any DNS records passed back which are not directly relevant to the query. For example, some versions such as BIND 9.5.0-P1 perform the above checks.

DNS servers can use cryptographic techniques to generate secure random numbers for selecting source ports. A 16-bit random value of this kind can greatly reduce DNS attacks. However, various network devices perform Network Address Translation (NAT), and Port Address Translation (PAT) in particular often rewrites the source ports in order to track connection state. In the process, PAT devices remove the source port randomness implemented by the name server and stub resolver.
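The following Python model is an added example, not code from the paper or from BIND. It implements, in a toy resolver front end, the three checks the preceding paragraphs describe: a reply is accepted only if its 16-bit transaction ID and destination port match an outstanding query with the same question (so a blind forgery must guess both when source ports are randomized), records outside the zone being asked about are ignored (the "not directly relevant to the query" rule attributed to BIND 9.5.0-P1), and a reply can satisfy a query only once. It also models the PAT caveat with a constructed sequential port translator. All names, addresses and the `SequentialPat` class are constructed for the example.

```python
"""Toy front end of a recursive resolver that applies the checks Section 4
describes: a randomized source port plus the 16-bit transaction ID must match
an outstanding query, the question must match, and records outside the zone
being queried (the "bailiwick") are ignored. Added example, not code from the
paper; all names, addresses and the PAT model are constructed."""
import secrets
from dataclasses import dataclass, field

PORT_MIN, PORT_MAX = 1024, 65535
TXID_SPACE = 1 << 16            # DNS transaction IDs are 16-bit values


@dataclass
class DnsResponse:
    txid: int                    # transaction ID echoed by the responder
    dst_port: int                # resolver source port the reply is addressed to
    qname: str                   # question section echoed by the responder
    answers: dict = field(default_factory=dict)     # name -> IPv4 (answer section)
    additional: dict = field(default_factory=dict)  # name -> IPv4 (glue/additional)


def parent_zone(qname):
    """Zone an answer for qname is expected from: drop the leftmost label."""
    return ".".join(qname.rstrip(".").split(".")[1:]) + "."


def in_bailiwick(name, zone):
    """True when name lies inside zone, e.g. ns1.example.com. in example.com."""
    return name == zone or name.endswith("." + zone)


class ValidatingResolver:
    def __init__(self, randomize_ports=True, fixed_port=53):
        self.randomize_ports = randomize_ports
        self.fixed_port = fixed_port
        self.pending = {}        # (txid, src_port) -> qname awaiting a reply
        self.cache = {}          # name -> IPv4 accepted into the cache
        self.rejected = 0

    def send_query(self, qname):
        """Pick a fresh transaction ID and (optionally) a random source port."""
        txid = secrets.randbelow(TXID_SPACE)
        if self.randomize_ports:
            port = PORT_MIN + secrets.randbelow(PORT_MAX - PORT_MIN + 1)
        else:
            port = self.fixed_port
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, resp):
        """Accept a reply only if it matches an outstanding query, then keep
        only the records that belong to the zone we asked about."""
        key = (resp.txid, resp.dst_port)
        if self.pending.get(key) != resp.qname:
            self.rejected += 1           # wrong ID, port or question: discard
            return "rejected"
        qname = self.pending.pop(key)    # a reply may satisfy a query only once
        zone = parent_zone(qname)
        for name, ip in {**resp.answers, **resp.additional}.items():
            if in_bailiwick(name, zone):
                self.cache[name] = ip    # out-of-bailiwick records never enter
        return "accepted"


def guess_space(randomize_ports):
    """Values a blind forger must hit: ID only, or ID times usable ports."""
    return TXID_SPACE * ((PORT_MAX - PORT_MIN + 1) if randomize_ports else 1)


class SequentialPat:
    """Constructed model of a port-translating NAT that hands out external
    ports in order, erasing the randomness the resolver chose."""
    def __init__(self, start=40000):
        self.next_port = start

    def translate(self, internal_port):
        external = self.next_port
        self.next_port += 1
        return external


def demo():
    r = ValidatingResolver(randomize_ports=True)
    txid, port = r.send_query("www.example.com.")
    # 1. Constructed forgery with a wrong transaction ID: dropped.
    forged = DnsResponse(txid=(txid + 1) % TXID_SPACE, dst_port=port,
                         qname="www.example.com.",
                         answers={"www.example.com.": "203.0.113.66"})
    first = r.receive(forged)
    # 2. Matching reply carrying one in- and one out-of-bailiwick glue record.
    genuine = DnsResponse(txid=txid, dst_port=port, qname="www.example.com.",
                          answers={"www.example.com.": "192.0.2.10"},
                          additional={"ns1.example.com.": "192.0.2.53",
                                      "www.example.net.": "203.0.113.7"})
    second = r.receive(genuine)
    third = r.receive(genuine)    # 3. Replay: no longer outstanding, dropped.
    pat = SequentialPat()         # random internal ports come out sequential
    external = [pat.translate(p) for p in (51234, 2049, 60001)]
    return {"forged": first, "genuine": second, "replay": third,
            "cache": dict(r.cache), "rejected": r.rejected,
            "space_fixed": guess_space(False), "space_random": guess_space(True),
            "pat_ports": external}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `guess_space` figures make the paragraph's point concrete: with a fixed source port a blind forger only has to match the 16-bit transaction ID, whereas with randomized ports the space is multiplied by the number of usable ports. The `pat_ports` result shows why the PAT caveat matters: three random internal ports leave the translator as 40000, 40001, 40002, so an observer on the outside sees a predictable sequence again.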

Secure DNS (DNSSEC) uses cryptographic digital signatures[7] made with a trusted key certificate to determine the authenticity of data. DNSSEC was employed in the Internet root zone servers only. But even DNSSEC can still deliver fake data without application-layer cryptography. Mitigation of this can be done at the transport or application layer by performing end-to-end validation once a connection is established. Transport layer security and digital signatures can be used to counter DNS attacks. For instance, over an HTTPS connection the client checks whether the server's digital certificate is valid and belongs to the expected website's owner. A similar kind of system can be seen in the secure shell remote login program, which checks digital certificates at the endpoints before proceeding with the session. Software that downloads update packages automatically can embed a copy of the signing certificate locally and validate the signature on the software update against the embedded certificate.

Organisations such as Dell and TCP Wave have Intelligent Analyst Cache Applications with watchdogs which ensure that the DNS processes do not get cache-poisoned, by predefining the roots in the watchdogs. In this way, mitigation of DNS Anycast cache poisoning attacks from malicious users can be done through source randomization via BIND, backed up by non-BIND DNS server software with intelligence blended into the BGP routing protocol.

In intranet DNS poisoning, a DNS poisoning attack is carried out over a LAN by means of an ARP poisoning man-in-the-middle attack. The countermeasures are to use static ARP and IP tables, a switched LAN, and SSH encryption. Usage of sniff detection tools and tunnelled connections which support IPSec is recommended.

Remote DNS poisoning[8][9][10] occurs due to the victim's negligence with unknown files. It results from opening suspicious files and archives, after which the system is compromised by Trojans and Trojan vectoring methods.

DNS servers are maintained by local and primary DNS servers. Hence, all DNS servers should be audited regularly to counter flaws in security, since a small vulnerability can lead to a breach in the security of DNS servers and thus to DNS attacks. When using a DNS server, one must provide an extra layer of security such as installing DNS with the bind-chroot package.

5. CONCLUSION

In this paper, we have studied the DNS cache poisoning attack in detail. Our paper summarises the key contributions in the literature for securing against the DNS cache poisoning attack. It presents the DNS system architecture, which describes the deployment of DNS in an organization. Next, it discusses case study related issues reported in Turkey. Finally, it suggests some solutions to avoid the DNS cache poisoning attack. Our paper provides a roadmap of the state of the art on the cache poisoning attack. Our future work will provide solutions to prevent this DNS cache poisoning attack.

REFERENCES

[1] Bechtsoudis and Sklavos, “Aiming at Higher Network Security through Extensive Penetration Testing”, IEEE Latin America Transactions, Vol. 10, No. 3, April 2012.

[2] Kshetri, N., “The simple economics of cybercrimes”, IEEE Security and Privacy (2006), Volume: 4, Issue: 1.

[3] Schonwalder, J., Pras, A., Harvan, M., Schippers, J. and Van de Meent, R., “SNMP Traffic Analysis: Approaches, Tools, and First Results”, IEEE Integrated Network Management, 2007.

[4] Ansari, S., Rajeev, S.G. and Chandrashekar, H.S., “Packet sniffing: a brief introduction”, IEEE Potentials (2003), Volume: 21, Issue: 5.

[5] Long, M., Chwan-Hwa Wu and Hung, J.Y., “Denial of service attacks on network-based control systems: impact and mitigation”, IEEE Transactions on Industrial Informatics (2005), Volume: 1, Issue: 2.

[6] Bishop, M., “About Penetration Testing”, IEEE Security and Privacy (2007), Volume: 5, Issue: 6.

[7] Haya Shulman and Michael Waidner, “Towards Forensic Analysis of Attacks with DNSSEC”, IEEE Security and Privacy 2014.

[8] A. Herzberg and H. Shulman, “DNSSEC: Interoperability challenges and transition mechanisms,” in Availability, Reliability and Security (ARES), 2013 Eighth International Conference on. IEEE, 2013, pp. 398–405.

[9] Lihua Yuan, “DoX: A Peer-to-Peer Antidote for DNS Cache Poisoning Attacks”, UC Davis.

[10] Paul V. Mockapetris, “Development of the Domain Name System”, USC Information Sciences Institute, Marina del Rey, California.
