In this post we will cover the different types of DNS poisoning attacks, explain why they should not be referred to as DNS cache poisoning and make the case for a more relevant name for this class of internet censorship tactics.
For brevity, this will be a high-level overview of the types of DNS attacks. Each will be covered in detail separately in a dedicated blog post.
I distinguish three types of network- or server-side DNS attacks:
1. DNS Cache Poisoning
2. DNS injection
3. Rogue DNS server
The above attacks don’t require any modification of the DNS client’s OS or the last-mile router/modem.
While outside the scope of this article, for completeness, client-side DNS attacks can be divided into the following:
1. OS modification
- malware adding host entries
- malware changing the DNS settings
- local malware changing the DNS settings on the router
- External changes to the router’s DNS settings (for example using UPnP or exposed administrative interfaces)
What’s a DNS cache?
In order to understand why most DNS poisoning attacks are not cache poisoning attacks, let’s first cover what the DNS cache is.
DNS is a distributed, hierarchical database: its data is spread across many servers around the world. Each DNS record has a Time To Live (TTL) value, which specifies (in seconds) how long that record may be cached. As a side note, some DNS servers do not respect the TTL and overwrite it, but we will explore that in a different post.
In order to reduce the load on the servers and speed up the resolution process, valid responses are cached in memory (the DNS cache) for the duration of the TTL.
When a recursive DNS resolver (see What's a recursive DNS query?) resolves a name for a DNS client, it stores the answer in its cache. When the resolver is queried for the same name within the TTL, it instantly returns the record from its cache instead of asking upstream again. The client caches the result in its own cache too.
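To make the TTL behaviour concrete, here is a toy recursive resolver with a cache, written as an added example for this post (it is not the author's code). The zone data, the 300-second TTL, the address 192.0.2.10 and the FakeClock are all constructed for the demo; a real resolver would use time.monotonic() and talk to the authoritative servers over the network.

```python
import time
from dataclasses import dataclass


@dataclass
class CachedRecord:
    name: str
    rtype: str
    value: str
    expires_at: float   # absolute clock reading after which the record is stale


class ResolverCache:
    """Toy model of a recursive resolver's cache: a valid answer is kept only
    for the TTL (in seconds) that came with the record, then discarded."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the demo can move time forward
        self._entries = {}

    def store(self, name, rtype, value, ttl):
        key = (name.lower(), rtype)   # DNS names are case-insensitive
        self._entries[key] = CachedRecord(name, rtype, value, self._clock() + ttl)

    def lookup(self, name, rtype):
        key = (name.lower(), rtype)
        rec = self._entries.get(key)
        if rec is None:
            return None
        if self._clock() >= rec.expires_at:
            # TTL elapsed: evict so the next query goes back to the authoritative side
            del self._entries[key]
            return None
        return rec.value

    def remaining_ttl(self, name, rtype):
        rec = self._entries.get((name.lower(), rtype))
        if rec is None:
            return 0
        return max(0, int(rec.expires_at - self._clock()))


class FakeClock:
    """Constructed clock for the demo; real code would use time.monotonic."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ToyResolver:
    """Recursive resolver reduced to one decision: cache hit or upstream query."""

    def __init__(self, zone, clock):
        self.zone = zone              # constructed stand-in for the authoritative servers
        self.cache = ResolverCache(clock)
        self.upstream_queries = 0     # how often we had to ask upstream

    def resolve(self, name):
        hit = self.cache.lookup(name, "A")
        if hit is not None:
            return hit, "cache"
        self.upstream_queries += 1
        value, ttl = self.zone[name.lower()]
        self.cache.store(name, "A", value, ttl)   # keep the answer for its TTL
        return value, "upstream"


if __name__ == "__main__":
    clock = FakeClock()
    # constructed zone data: www.example.com -> 192.0.2.10 with a 300 s TTL
    resolver = ToyResolver({"www.example.com": ("192.0.2.10", 300)}, clock)
    print(resolver.resolve("www.example.com"))   # first query goes upstream
    print(resolver.resolve("WWW.example.com"))   # served from cache
    clock.advance(300)
    print(resolver.resolve("www.example.com"))   # TTL expired, upstream again
```

The point the demo makes is the one the post relies on later: whatever lands in the cache, genuine or not, is handed out to every subsequent query for that name until the TTL runs out, and nothing goes upstream in the meantime.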
Now that we know what a DNS cache is…
DNS Cache Poisoning attack
In this attack, malicious DNS records are inserted into the DNS server’s cache. Once cached, the server will return the forged record from its cache for the duration of the TTL.
This attack relies on timing: the attacker queries the resolver for the target domain name and then sends a spoofed answer to the resolver, racing the real one.
High level steps are as follows:
- Attacker queries the target resolver for target.example.com
- Resolver issues an iterative query on behalf of the client for target.example.com
- Attacker sends a spoofed DNS response to the resolver pointing target.example.com to the IP address of attacker’s choosing
- Resolver receives the spoofed response and inserts it into its cache
- Resolver’s cache has been poisoned
Simple in theory, but extremely difficult and impractical to pull off. The attacker needs to get many things right for this to succeed, and must do all of it before the real answer arrives, which is usually a matter of milliseconds.
I have personally never seen this happen in the wild and I consider this largely a theoretical attack nowadays.
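The following added example (not code from the original post) models the resolver-side checks that make the race above so hard to win: the checks are the ones RFC 5452 recommends, namely a random 16-bit transaction ID, a random source port, a source-address check, a question-section match, and first-valid-answer-wins. The addresses 198.51.100.1, 192.0.2.10 and 203.0.113.66 are constructed documentation addresses, and the in-memory tables stand in for a real resolver's state.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the query left from
    qname: str
    qtype: str


@dataclass(frozen=True)
class DnsResponse:
    txid: int
    dst_port: int    # port the response is addressed to
    qname: str
    qtype: str
    answer: str
    src_addr: str    # address the response claims to come from


class OutstandingQueries:
    """Resolver-side bookkeeping for in-flight queries. A response is accepted
    only when it matches a pending query on every field the resolver chose or
    knows, and only the first matching response is used."""

    def __init__(self):
        self.pending = {}    # (txid, src_port) -> (DnsQuery, server address asked)
        self.accepted = {}   # qname -> answer that made it into the cache
        self.rejected = []   # (DnsResponse, reason) for logging / alerting

    def send(self, qname, server_addr, qtype="A"):
        """Pick unpredictable identifiers for the outgoing query and remember it."""
        txid = secrets.randbelow(1 << 16)
        src_port = 1024 + secrets.randbelow(65536 - 1024)   # randomised source port
        query = DnsQuery(txid, src_port, qname.lower(), qtype)
        self.pending[(txid, src_port)] = (query, server_addr)
        return query

    def receive(self, resp):
        key = (resp.txid, resp.dst_port)
        entry = self.pending.get(key)
        if entry is None:
            # wrong ID or port, or the query was already answered: drop silently
            return self._reject(resp, "no matching in-flight query")
        query, server_addr = entry
        if resp.src_addr != server_addr:
            return self._reject(resp, "response not from the server that was asked")
        if (resp.qname.lower(), resp.qtype) != (query.qname, query.qtype):
            return self._reject(resp, "question section does not match")
        # first valid answer wins; remove the entry so later ones are ignored
        del self.pending[key]
        self.accepted[query.qname] = resp.answer
        return True

    def _reject(self, resp, reason):
        self.rejected.append((resp, reason))
        return False


if __name__ == "__main__":
    resolver = OutstandingQueries()
    q = resolver.send("target.example.com", "198.51.100.1")   # constructed authoritative address
    # a response whose ID is off by one never reaches the cache
    print(resolver.receive(DnsResponse((q.txid + 1) & 0xFFFF, q.src_port, q.qname, "A",
                                       "203.0.113.66", "198.51.100.1")))
    # the genuine answer matches on every field and is cached
    print(resolver.receive(DnsResponse(q.txid, q.src_port, q.qname, "A",
                                       "192.0.2.10", "198.51.100.1")))
    # a perfectly matching response that arrives after it is discarded too
    print(resolver.receive(DnsResponse(q.txid, q.src_port, q.qname, "A",
                                       "203.0.113.66", "198.51.100.1")))
    print(resolver.accepted, [reason for _, reason in resolver.rejected])
```

The rejected list is worth keeping in real deployments: a burst of responses that fail the "no matching in-flight query" check is exactly the kind of event a resolver operator wants to see in monitoring.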
DNS injection attack
In this type of DNS attack, a network traffic monitoring device injects spoofed responses.
This attack is relatively easy to carry out (assuming the attacker controls the network) because DNS uses UDP, a connectionless protocol.
When a monitoring device detects a DNS query for a censored domain, it forges a fake response and sends it to the client. This attack can be implemented by an in-path or an off-path device. The technique is used by state actors to implement country-level censorship.
For example, in China the Great Firewall (GFW) injects the fake response; however, it neither blocks the original query nor drops the real answer. It relies on its logical proximity to the DNS clients to ensure the fake responses arrive before the valid ones.
We will look at this behaviour in detail in a post dedicated to DNS injection attacks where we’ll break it down by country.
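Because an injector of the kind described above lets the real answer through, a client (or a sensor near it) ends up seeing two responses to the same query with different A records. The added example below (not part of the original post) builds two such wire-format responses and runs a small passive detector over them. The transaction ID 0x1234, the name blocked.example, the client address 10.0.0.5 and the answers 203.0.113.77 and 192.0.2.10 are all constructed, and the parser handles only what the demo needs: one question and A records.

```python
import struct


def encode_name(name):
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(txid, qname, ip, ttl=60):
    """Construct a minimal DNS response with one question and one A record.
    Used here only to fabricate sample traffic for the detector."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, NOERROR
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # type A, class IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def skip_name(msg, off):
    """Return the offset just past a name, whether inline labels or a pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(msg):
    """Pull out transaction ID, flags, question name and all A-record answers."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, labels = 12, []
    while msg[off] != 0:                 # the question name is never compressed
        labels.append(msg[off + 1: off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    off += 1 + 4                         # zero byte, then QTYPE and QCLASS
    qname = ".".join(labels)
    answers = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off: off + 10])
        off += 10
        rdata = msg[off: off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return txid, flags, qname, answers


class InjectionDetector:
    """Passive client-side monitor. One query normally yields one answer set;
    a second, different answer set for the same transaction ID and question
    means something other than the real server answered as well."""

    def __init__(self):
        self.seen = {}      # (client, txid, qname) -> distinct answer sets observed
        self.alerts = []

    def observe(self, client, msg):
        txid, flags, qname, answers = parse_response(msg)
        if not flags & 0x8000:           # QR bit clear: a query, not a response
            return None
        seen = self.seen.setdefault((client, txid, qname.lower()), [])
        if frozenset(answers) in seen:   # retransmission of an answer already seen
            return None
        seen.append(frozenset(answers))
        if len(seen) == 1:               # first response for this query: nothing to compare
            return None
        alert = {"client": client, "txid": txid, "qname": qname,
                 "answer_sets": [sorted(s) for s in seen]}
        self.alerts.append(alert)
        return alert


if __name__ == "__main__":
    det = InjectionDetector()
    client = "10.0.0.5"   # constructed client address
    # constructed capture: the injected answer arrives first, the real one a moment later
    injected = build_a_response(0x1234, "blocked.example", "203.0.113.77")
    genuine = build_a_response(0x1234, "blocked.example", "192.0.2.10")
    print(det.observe(client, injected))   # None: nothing to compare with yet
    print(det.observe(client, genuine))    # alert: same query, two different answers
```

Keying on client, transaction ID and question name keeps legitimate duplicates (a retransmitted identical response) from raising alerts; in a real sensor you would also record the TTL and the source address of each response, since the two copies usually differ there as well.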
Rogue DNS server attack
In this type of attack, a legitimate DNS server is configured to return fake responses. This can be done by an external actor (someone compromising the DNS server) or an internal actor (for example someone at an ISP).
In my research I have seen this attack affecting single servers, an ISP in a specific region of a country, and a whole ISP.
In this very high-level post we’ve outlined three types of DNS attacks. We covered what the DNS cache is and explained why only one of them actually targets the server’s cache.