What Is DNS Cache Poisoning? How DNS Spoofing Can Hijack You
As the public get smarter about online dangers, malware authors have increased their efforts to fool people into handing over their data. Domain Name System (DNS) cache poisoning, also known as DNS spoofing, is one of the sneakiest means of hijacking a user’s browsing experience to send them to a malicious site.
Let’s look at how DNS cache poisoning works and how you can avoid it.
What Is a DNS Cache?
How URLs and IP Addresses Work
To start, let’s look at the DNS cache itself. When you want to visit a website, you usually enter its URL. If you wanted to check your bank account online, you’d type the URL www.mybanksaddress.com into your browser.
The problem is, your computer doesn’t really “speak” in URLs. It knows about IP addresses, though; these are the strings of numbers that act as the “home address” of a device on the internet. We use URLs because it’s a lot easier for us to remember the name of a site than its IP address.
How a DNS Server Works
In order to work out where you want to go, your computer has to translate your URL into an IP address that it can use. In order to do this, it passes your URL to what’s called a DNS server.
The DNS server acts like a giant phone book for websites. When your computer sends the DNS server the URL, it looks it up in its database and finds the corresponding IP address. It then lets your computer know what the IP address is.
Your computer now knows what IP address is associated with www.mybanksaddress.com and can visit the website.
How a DNS Cache Works
Because IP addresses don’t change that much (if ever), your computer decides to store this knowledge for later. It notes down the IP address for the URL www.mybanksaddress.com in a DNS cache.
Now, when you go to access your bank in the future, your computer doesn’t need to use the DNS server. It looks through its cache and finds the IP address it received last time. In a way, the DNS cache acts as a miniature phone book for all the sites you’ve previously visited.
How Does Someone “Poison” a DNS Cache?
Now that we know what a DNS cache is, let’s look at how hackers can “poison” one.
How Hackers Plant the Poison
When a computer uses a DNS cache, it doesn’t notice if the IP address has changed since the last time it was used. In a way, the DNS cache is the computer’s memory; if the values within the cache are tweaked, the computer will act as if it has always been that way.
Let’s say a malicious agent decides to attack users of www.mybanksaddress.com. To do this, they create a fake website that looks identical to the real one. They create a fake login screen in order to harvest the details of people who use this phony website.
How the Poison Works
With the site online, they then attack the DNS cache of users. They can do this via malware, or by getting access to someone’s PC. Either way, their goal is to access the DNS cache and find where www.mybanksaddress.com is stored. Once in, they then swap out the real IP address for the bank with the address of the fake site they set up.
Let’s say your cache was attacked, and the IP address stored for your bank’s URL was swapped out. Now, when you enter the bank’s URL, your computer looks it up in its cache. It finds the malicious IP address the hacker planted, and redirects your browser to the fake website.
If done smoothly enough, you won’t even notice you’ve arrived at a phony website. You then enter the login details into the fake website and compromise your account.
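To make the cache-before-server behaviour (and the silent redirect a poisoned entry causes) concrete, here is a small Python model added for this article; it is not code from the original piece. It shows a stub resolver that answers from its cache without ever asking the DNS server, a tampered entry being served the same way, and a defender-style audit that compares each cached answer with a fresh lookup from a trusted resolver before flushing. The hostname is the article’s; the IP addresses (from the RFC 5737 documentation ranges) and the 300-second TTL are constructed.

```python
import time

# Constructed sample data: what a trusted upstream DNS server would answer.
TRUSTED_ANSWERS = {
    "www.mybanksaddress.com": "203.0.113.10",   # made-up, documentation range
}


class StubResolver:
    """Minimal model of a computer's DNS client with a local cache."""

    def __init__(self, upstream, now=time.time):
        self.upstream = upstream          # name -> IP; stands in for the DNS server
        self.cache = {}                   # name -> (ip, expires_at)
        self.now = now                    # injectable clock so TTL expiry is testable
        self.upstream_queries = 0         # how often the server was actually asked

    def resolve(self, name):
        entry = self.cache.get(name)
        if entry and entry[1] > self.now():
            return entry[0]               # cache hit: the DNS server is never consulted
        ip = self.upstream[name]          # cache miss or expired: ask the server
        self.upstream_queries += 1
        self.cache[name] = (ip, self.now() + 300)   # assume a 300 s TTL
        return ip

    def flush(self):
        """Step 4 of the article: throw away every cached entry."""
        self.cache.clear()


def audit_cache(resolver):
    """Return cached names whose stored IP disagrees with a fresh trusted lookup."""
    return [name for name, (cached_ip, _) in resolver.cache.items()
            if resolver.upstream.get(name) != cached_ip]


def demo():
    r = StubResolver(TRUSTED_ANSWERS)
    first = r.resolve("www.mybanksaddress.com")     # goes to the server
    second = r.resolve("www.mybanksaddress.com")    # served from cache, no query
    # Simulate a poisoned cache: the stored entry is overwritten with a fake address.
    r.cache["www.mybanksaddress.com"] = ("198.51.100.66", r.now() + 300)
    poisoned = r.resolve("www.mybanksaddress.com")  # still no upstream query made
    suspicious = audit_cache(r)                     # detects the mismatch
    r.flush()
    after_flush = r.resolve("www.mybanksaddress.com")  # refilled from trusted server
    return first, second, poisoned, suspicious, after_flush, r.upstream_queries
```

Only two upstream queries happen across the whole run: the poisoned answer is served purely from the cache, which is exactly why the computer cannot notice on its own that the address changed.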
Are DNS Servers Vulnerable Too?
Given that computers talk to a DNS server to get an address, is it possible for a hacker to poison a server instead? Unfortunately, the answer is yes—and the ramifications can be damaging!
DNS servers operate similarly to your computer. If a server gets a query for an IP address it doesn’t know, it will ask another DNS server for the answer. These servers use their own caches to store the information they receive.
If a hacker manages to gain access to a DNS server, they can alter the database to redirect users wherever they want. Now, every computer accessing the DNS server to get an IP address will get a poisoned result.
Even worse, servers that don’t have the IP address for a specific website will ask the poisoned server for the answer. They then receive a poisoned answer as a result! This leads to a nasty chain of infections across DNS servers as they pass on this phony information.
How to Avoid DNS Poisoning
As scary as DNS spoofing sounds, there are ways to tackle it. Let’s look at some ways you can be vigilant while browsing the internet.
1. Keep Your Antivirus Active and Up-to-Date
A good antivirus should thwart a DNS cache poisoning attempt. The internet is always full of risks, so it’s important to have something to protect yourself! Download and install a critically-acclaimed antivirus to keep yourself safe.
If you need some help, we’ve covered the best free antiviruses available so you can stay protected without breaking the bank.
2. Don’t Download Suspicious Files
In order to protect your own DNS cache, stay safe when browsing the internet. Don’t click on suspicious files, links, or banner advertisements. These might be attack vectors for malware that will alter your DNS cache.
3. Use a Respected ISP or DNS Server
Protecting yourself is a good step, but what about infected DNS servers?
A good DNS server will never blindly trust the first answer it receives from another server. It treats every piece of information with suspicion and won’t accept it until it has checked that it isn’t poisoned. By using these servers, you greatly improve the odds that the results your computer gets are legitimate.
Usually, your computer uses a DNS server provided by your ISP. As such, it’s a good idea to use a reputable ISP that follows good security practices.
If you want, you can use a different DNS server than the one your ISP gives you. This allows you to choose a reputable service with the knowledge that your connection is safe from poisoning. You can read about how to do this in our guide to swapping between multiple DNS servers in Windows.
4. Flush Your DNS Cache
If you suspect your DNS cache is poisoned, flush it out! This clears out any corrupted entries and lets you start afresh. Just be sure you’re using a respected DNS server when refilling the cache, or you may end up poisoning yourself again!
How you flush your DNS cache depends on the OS you’re using. If you’re using Windows, you can learn how to flush the DNS cache in our guide to the commands every Windows user should know.
5. Double-Check All Websites You Visit
When you arrive at a website, you can double-check to ensure you’re not on a fake one. Unfortunately, the address bar may still show the URL you entered, because your computer believes the poisoned IP address is the real address of the website you want to access.
If you notice there’s no HTTPS encryption, or if something looks suspicious, there’s a good chance you’re on the wrong site! Don’t enter any login details, back out of the website, and perform a virus scan and DNS cache flush immediately.
6. Restart Your Router to Clear Its DNS Cache
Routers can also carry a DNS cache of their own. This is just as susceptible to DNS poisoning as a PC or DNS server. To make extra sure you’re safe, give your router a hard power cycle. This should flush out its DNS cache and fix the problem.
Protecting Yourself From DNS Attacks
DNS servers are useful tools for speeding up your browsing experience, but they can also do serious damage if compromised. Thankfully, there’s a lot you can do to ensure you’re never the victim of a DNS cache poisoning attack.
If you’re on the hunt for a secure DNS server, why not try our list of the best DNS servers guaranteed to keep you safe?