Systems Engineering and RDBMS

DNS Poisoning

Posted by decipherinfosys on January 19, 2007

What is DNS Poisoning?

DNS poisoning, also known as DNS cache poisoning, occurs when a DNS server accepts false update information that it believes to be correct. The server's cache is altered so that hostnames resolve to an incorrect IP address.

The end result of this poisoning is that a browser's request for a legitimate website is redirected to one or more malicious websites. These fake websites often ‘spoof’ the look and feel of the original site, which leads the user to believe they are on the legitimate webpage. Unfortunately, the user has actually been redirected to a site whose only purpose is to cause harm, either by pushing spyware onto the user’s machine or by collecting the personal information the user enters on the fake website. For example, if a user performs online banking and is redirected to a malicious site that looks like the real bank’s login page, the user will naturally try to log in. Those keystrokes are recorded on the other end, and the attackers running the malicious website instantly have someone’s username and password to sensitive financial information.

Preventing DNS Poisoning

Windows 2000 SP3 and higher, as well as Windows 2003, have measures built in to prevent poisoning.

On Windows servers running DNS you can verify that DNS poisoning protection is enabled from the DNS console. After opening the console, select a server from the list. Right-click it, select Properties, open the Advanced tab, and make sure that the “Secure Cache Against Pollution” check box is selected. This DNS cache protection is enabled by default. With this feature enabled, the DNS server validates that the DNS responses it receives came from valid sources.

Another way to verify your Windows server is protected against poisoning is to look at the registry in the following location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

The registry value is named ‘SecureResponses’. On the more recent versions of Windows mentioned above, this value should not even exist: it can either be deleted, or it can be set to 1. Windows servers prior to 2000 SP3 need to have this value present, and it should be set to 1 as well.

Note: Please remember to always back up your registry before making any changes!
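The registry check above, written out as an audit script. This is an added example, not code from the original post; the function name Test-DnsCacheProtection and the -LegacyServer switch are this example's own choices, and it assumes it is run in an elevated PowerShell session on the DNS server itself.

```powershell
# Added audit script (not part of the original post): reports whether the
# DNS server's cache-pollution protection is enabled, using the registry
# location and the SecureResponses rules described above.
function Test-DnsCacheProtection {
    [CmdletBinding()]
    param(
        # Registry location quoted in the post (HKLM:\ is the PowerShell drive form)
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters',
        # Set this on hosts older than Windows 2000 SP3, where the value must be
        # present and set to 1 to be protected (absent does not mean protected there)
        [switch]$LegacyServer
    )

    if (-not (Test-Path -Path $KeyPath)) {
        throw "DNS parameters key not found at $KeyPath; is the DNS Server role installed?"
    }

    # Get-ItemProperty exposes each registry value as a property of the result
    $item  = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $value = $item.PSObject.Properties['SecureResponses']

    if ($null -eq $value) {
        # Value absent: the secure default on Windows 2000 SP3+ and 2003,
        # but not on older servers
        $protected = -not $LegacyServer
        $state     = 'absent (default)'
    }
    else {
        # Value present: only 1 means protection is on
        $protected = ([int]$value.Value -eq 1)
        $state     = "present = $($value.Value)"
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        SecureResponses = $state
        Protected       = $protected
        Action          = $(if ($protected) { 'none' }
                            else { "set $KeyPath\SecureResponses (DWORD) to 1, then restart the DNS Server service" })
    }
}

# Example invocation; add -LegacyServer on a pre-2000 SP3 host
Test-DnsCacheProtection | Format-List
```

Back up the registry key before acting on the suggested Action, as the note above says.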

Another preventive measure is DNSSEC, a secure extension of DNS that uses digital signatures, verified through a chain of trust, to confirm the authenticity of DNS data. DNSSEC is rarely used, so the majority of DNS records are not secured against spoofing.

HTTPS, the secure version of HTTP, can also be used to mitigate the risk of web browsers reaching spoofed websites. HTTPS allows users to verify that the web server’s certificate is valid and belongs to the website’s true owner.

Finally, and most importantly, the best way to ensure that your servers and workstations are protected from malicious attacks such as DNS poisoning is to keep them up to date with the latest patches and hotfixes.
