Network and Computer Security Section: DNS Cache Poisoning

DNS Cache Poisoning: An Introduction



Can your Internet name server be corrupted by evil hackers impersonating your bank or E-Commerce sites?

Worldwide Internet users have come to rely on the integrity of Internet names. For example, when you enter "", you trust that the displayed website is owned, managed, and backed by authorized employees of the Bank of America.

However, hackers have learned that it is easy to make "fake" websites that look very much like the real thing. It is trivial to copy the existing web pages of a legitimate business, modify them a bit, and re-publish them on a different web server under a confusingly similar name. When customers accidentally stumble onto that look-alike site, they can be tricked into revealing their passwords, PINs, and other authenticating information, which the attackers then use on the real site to commit crimes.

Hackers who own these fake websites are always looking for new ways to trick users into visiting them unawares. Their use of email links and attachments for this purpose, known as "phishing", is well known.

However, there is another means by which sophisticated attackers can deceive you, and it is much harder to detect: they can "poison" the name server that your computer uses to find websites by name. Unlike a phishing email, this attack leaves the address you typed untouched; it is the answer to the lookup that has been replaced. Well-funded, well-coordinated attacks of this nature can and will be carried out by criminal organizations, rogue governments, warring nations, corrupt institutions, compromised universities, and sophisticated opportunists, because they can cause widespread, wholesale disruption as well as highly targeted crimes and abuses.


When your computer tries to find a website like, it always needs help. Computers don't think in the English language, and the Internet Addresses that are understood by computers and routers don't really look like the domain names with which we are familiar. To your computer, the Internet Address of looks more like this:

When your browser tries to access, it asks your operating system if it already knows the required numeric IP address. If you have looked that site up recently, your operating system will answer from its "cache" memory: each answer is kept for the "time to live" (TTL) that the site's own name server attaches to it, typically minutes to hours, because looking the same name up again and again would be wasteful.

But if the cached answer has expired, your operating system needs additional help. Before sending any query onto the network it checks a special "hosts" file, where some sophisticated users "hard-code" permanent entries for sites of particular interest, such as machines they manage themselves within their own LANs. For an arbitrary Internet site, the "hosts" file is usually of no help.

Your computer will next ask for help from a "Domain Name Server" out on the Internet. There are many thousands of these, run by Internet Service Providers (ISPs), businesses, governments, universities, and individuals. Every Internet-connected computer is configured to use at least one of them; the servers, and the system of names they manage, have come to be known as "DNS". This setting is usually supplied by your ISP, and most people rely on their own ISP's DNS servers, but it is not necessary to stay with that arrangement. Some DNS providers offer faster, more reliable, and safer service than others, and it is a good idea to examine your own DNS setup. Doing so can make your Internet browsing considerably faster.

You can learn a lot more about this by examining the December 2010 article entitled " Reviews the free DNS Benchmark tool from Gibson Research Corporation", which you can find in our - "Advanced Networking" - section.

For our purposes in this discussion, it is useful to point out that the first DNS server asked for help usually doesn't know the answer. In that case your Domain Name Server, acting as a "recursive resolver", asks other DNS servers for help. It is commonplace for DNS servers to "talk" to each other, helping to "resolve" names: the resolver starts at the root servers, which refer it to the servers for the top-level domain (such as .com), which in turn refer it to the "authoritative" servers that the domain's owner runs to advertise that domain's own names and addresses. The worldwide Internet is just too big and too complex for any one server to know and manage all of the domain names and IP addresses, so different servers "specialize" in their own areas. By this means the overall, worldwide burden of DNS management is "distributed".

Once your Domain Name Server gets the information it needs from some other DNS facility, it will take two related steps:

1 of 2: It will relay the requested information back to your computer through your router, and

2 of 2: It will retain the information in its own "cache" memory for a while, in case your computer needs it again, or in case somebody else asks for it. How long it stays depends on the "time to live" (TTL) that the authoritative server attached to the answer, typically minutes to a day and rarely more than a week, and on the size and workload of your local DNS node, which may "crowd out" old entries early to make room for new ones. Once the TTL has run out, the entry is considered "stale" and the name is looked up afresh.

As it turns out, the original protocols by which Domain Name Servers chatted among themselves weren't very secure. A resolver matched a reply to its outstanding question using only a 16-bit transaction ID, sent every query from the same UDP port, and would cache whatever extra records a reply happened to carry. Years ago, hackers discovered that they could set up "fake" DNS nodes, or forge replies from real ones, containing bogus information about legitimate websites they wanted to target, and that other Domain Name Servers could be deceived into accepting that bogus information, which they would hold in their cache memories and pass on to unsuspecting users. This attack is known as "DNS cache poisoning", and it can lead to widespread disruption, chaos, and crime.

During the past 3 or 4 years, the managers of DNS nodes have learned how to tighten up their security. This is a well-known problem, and there are well-known solutions: a resolver should pick a random source port as well as a random transaction ID for every query, so that a forger must guess both, and it should refuse to cache records for names outside the zone it actually asked about (the "bailiwick" check). DNSSEC goes further by letting the resolver verify a cryptographic signature on each answer. Most Domain Name Servers are well managed from this perspective, and it is extremely difficult for attackers to poison the cache of a well-managed DNS node that has been updated with these fixes.
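The caching behaviour described in the two steps above, the two ways a cache gets poisoned, and the fixes just listed, as an added example in Python. This is illustrative code written for this page, not code from the original article or from Gibson Research; the zone names (bank.example, evil.example), the addresses, and the attacker's behaviour are all constructed. The resolver starts out the old way (fixed port 53, no bailiwick check); each flag turns on one fix, so you can see which attack each fix stops.

```python
"""Toy caching resolver plus the two classic poisoning attacks.

Added example for this page, not code from the original article or from
Gibson Research. All names, addresses and attacker behaviour are constructed.
"""
import random
from dataclasses import dataclass


@dataclass
class Record:
    name: str        # owner name, e.g. "www.bank.example"
    rdata: str       # the IPv4 address the record claims
    ttl: int         # seconds the record may be cached


@dataclass
class Query:
    name: str
    txid: int        # 16-bit transaction ID
    src_port: int    # UDP source port the reply must come back to


@dataset = None  # placeholder removed below
```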

However, because there are so many Domain Name Servers, there are still thousands and thousands of them that haven't been updated for a long time. Recent studies have revealed that a shocking number of DNS nodes are vulnerable to these attacks!

Fortunately, Steve Gibson and our other friends at Gibson Research Corporation have created a free, Internet-based tool that we can use to test our own DNS setup for this vulnerability Let's fire up our Internet browser and try it!