{"id":4899,"date":"2019-06-10T16:16:02","date_gmt":"2019-06-10T15:16:02","guid":{"rendered":"https:\/\/www.n-able.com\/?p=4899"},"modified":"2021-04-02T14:38:28","modified_gmt":"2021-04-02T13:38:28","slug":"what-is-dns-poisoning","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/fr\/blog\/what-is-dns-poisoning","title":{"rendered":"How to Prevent DNS Poisoning"},"content":{"rendered":"

DNS poisoning, also known as DNS spoofing, is one of the most common domain name system (DNS) attacks out there today. The attack is used by hackers looking to infiltrate enterprises of all sizes and gain access to sensitive data, including user login credentials, financial details, and email exchanges. Clearly, it\u2019s crucial that managed services providers (MSPs) understand how this threat typically occurs, and the steps they can take to prevent DNS poisoning. To fully understand how DNS spoofing occurs and ways to protect against it, it\u2019s important to first understand DNS as a whole.<\/p>\n

What is DNS?<\/b><\/h3>\n

The domain name system, or\u00a0DNS<\/a>, is a hierarchical naming system for computers, services, and other internet resources. Essentially, it\u2019s the phonebook of the internet. For every domain name there\u2019s a corresponding set of 10 or so numbers that comprise the domain name\u2019s IP address. Straightforward, reader-friendly domain names were created so users wouldn\u2019t have to remember complicated IP addresses for every website they visit. It is the responsibility of the DNS to pair domain names with internet IP addresses so users can access websites. Here\u2019s how the process works:<\/p>\n

    \n
  1. Every time you enter a domain name, your browser will first search its own domain to see if the website you are searching for is hard-coded into its system. For example, if you work for Google, gmail.com would already be coded into your system. This would make your system the authoritative name server for that particular address. More often than not, you are searching for IP addresses outside of your domain.<\/li>\n
  2. Next the DNS resolver will check its own cache of IP addresses for a match. Think of the cache as a historical database of previously searched domain names and IP addresses. Cached addresses typically have a limited lifespan of a few hours. This is called a time to live, or TTL.<\/li>\n
  3. When no address is found in the cache, the DNS resolver queries other DNS servers to see if they can identify the correct IP address or locate the authoritative name server for that particular domain. Communication between DNS servers is constant and results in the quick identification of IP addresses, allowing users to navigate the web with little interruption.<\/li>\n<\/ol>\n

    What is a DNS poisoning attack?<\/b><\/h3>\n

    A DNS poisoning attack, also known as a DNS spoofing attack, is when attackers infiltrate the DNS query process to redirect users to fake websites. These fake websites are run by the attacker and can often look remarkably like the real thing, luring unsuspecting users to enter highly sensitive data, like credit card numbers and login credentials, or inadvertently download viruses and other\u00a0forms of malware<\/a>.<\/p>\n

    This type of attack is considered a DNS cache poisoning because the illegitimate IP address lives in the cache of the server. Attackers can even manipulate the TTL so that their fake websites live in the cache beyond the typical cache lifespan of a few hours. The risk involved with cache poisoning goes beyond the DNS server that was originally infected. Any DNS server that queries the infected server and receives the imitation IP address for a specific website is at risk.<\/p>\n

    For example, if a DNS server starts unknowingly directing its customers to a fake banking website using a scam IP address it picked up, other DNS servers who pick up the IP address of the bank from the poisoned DNS server will also receive the corrupted address, thus exposing their customers to the attackers.<\/p>\n

    Can DNS be hacked?<\/b><\/h3>\n

    Your DNS server is considered hacked when an attacker has found their way into your router and gained control of your DNS settings. This is known as a form of man-in-the-middle attack and can happen if a user unknowingly downloads malware.<\/p>\n

    A hacker with control of your DNS settings is able to manipulate your system so that, instead of querying secure DNS servers, it queries the hacker\u2019s server and leads you to a host of imitation sites. Similar to DNS poisoning, this can lead users to unwittingly put their banking details or login and password credentials in the hands of attackers.<\/p>\n

    A hacker with control of your DNS settings also has the ability to redirect users to fake sites that convince the user they have downloaded a virus, even if they actually haven\u2019t, and trick them into buying the hacker\u2019s software to remove it. The scariest part about all of this? By the time a user realizes their DNS server has been compromised by an attacker, it\u2019s often too late.<\/p>\n

    How does a DNS attack work?<\/b><\/h3>\n

    Attackers prey on\u00a0DNS vulnerabilities<\/a>\u00a0and take advantage of the constant communication between DNS servers to execute an attack. The goal of a DNS attack is to direct users to an IP address of the hacker\u2019s choosing. Sometimes it\u2019s to an imitation website, as is the case of DNS spoofing. Other times it\u2019s to a targeted website that the attacker knows is unprepared to handle a large, sudden increase in traffic. This unexpected onslaught of visitors causes the targeted website to crash\u2014a form of a distributed denial of service (DDoS) attack.<\/p>\n

    There are a number of ways an attacker can find their way into your DNS system, including:<\/p>\n