What is DNS poisoning?

DNS poisoning has been around for a while. DNS is used to map domain names, like “educative.io”, onto an Ip address like “192.168.1.1.” The computer then connects to the IP address and visits the website.

The internet works on multiple DNS Servers that cache information from each other. Caching saves the DNS from repeatedly looking up the same webpages. These caches are maintained for a given time that is according to the time to live field within themselves.

A DNS cache becomes poisoned when the server contains an illegal value. If an attacker is authenticated at a DNS server, he can change the values of multiple domains to point towards a false IP address. DNS poisoning can also be done by a classic man in the middle attack where the hacker sniffs the packets being transferred and sends the response, as shown in the illustration.

This IP points to an official-looking website and can, therefore, be used for phishing attacks; or, it may point to a website that installs malicious software on a user’s computer without them knowing.

The next time a user tries to visit some official website, such as “educative.io,” they will be pointed towards a false IP address by the DNS, and therefore, become a victim.

DNS poisoning is extremely dangerous as it expands rapidly. If multiple DNS servers are getting their information from a compromised DNS, all of them will have the fraudulent webpage and will, therefore, all be a victim.

Prevention

• Make use of DNSSEC, which provides a better and safer route for the DNS server to query the authoritative nameserver. It uses encryption to ensure the DNS considers the most accurate data.

• Reduce the Time to live fields. Reduced TTL ensures that even if DNS poisoning somehow occurs, the time that the effected records stay within the DNS is reduced.