How to Protect Your Infrastructure from DNS Cache Poisoning


In October 2016, cybercriminals used malware known as Mirai to build a botnet. That botnet launched a distributed denial of service (DDoS) attack that is still considered the biggest DDoS attack to this day. Dyn, a DNS service provider now part of Oracle Corp, was responsible for far more than one company’s websites when the attack was carried out.

The New Hampshire-based company provided managed DNS services to BBC, CNN, Comcast, and Spotify – some of the world’s best-known websites. When the DNS attack happened, these websites took the first hit. The DNS protection in place had a loophole that the attackers exploited, and as a result these services were unreachable in North America and Europe. Since this incident hit the headlines two years ago, most IT staff have learned a great deal about the importance of DNS Filtering, DNS Internet Security, and DNS Protection.

How does DNS work?

To understand how DNS attacks happen, it helps to know how DNS works. To reach a particular website, the browser needs the IP address of the web server that hosts it. It first consults the system’s hosts file, a text file that maps domain names to IP addresses. When the name is not in the hosts file, the browser asks a DNS server, which may be operated by an ISP or by an organization such as Google or OpenDNS.

How is DNS used by Hackers?

All an attacker has to do is find a way to make the resolver report back the wrong IP address. Once that is done, anyone, anywhere in the world, who tries to access that website is redirected to a bogus one. Similarly, email can be delivered to the wrong destination.

Cache poisoning

Put simply, cache poisoning, as the term suggests, is placing false information into a server’s cache. Attackers accomplish this by sending a bogus “reply” with a spoofed source IP address in answer to a resolver’s request. If the bogus reply is accepted, it may be cached.

This is how attackers carry out cache poisoning; once it is done, every subsequent request for that record is answered with the wrong information until the entry expires.

How long does the cache remain poisoned?

DNS records carry a time-to-live (TTL), a limit on how long a cached record stays valid before it must be fetched again from the authoritative server. The TTL is set by the owner of the domain name; the attacker, however, has to time the poisoning so that the window in which the false entry is served suits the malicious activity.

DNS Protection – It matters a lot!

Here is how to avoid becoming a victim of a DNS attack. Always keep the resolver private and protected. If you operate your own resolver, restrict its use to users on your network; this prevents its cache from being corrupted by attackers outside the network. Never leave it open to external users.

In addition, configure it to be as resistant as possible to cache poisoning. Ways of doing so include:

  • sending queries from a random source port instead of always using UDP port 53
  • randomizing the case of the letters in domain names (so-called 0x20 encoding)
  • randomizing the query ID
  • keeping your DNS servers securely maintained and patched
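The three randomization measures above all work the same way: a forged reply is only cached if it matches every unpredictable field of the outstanding query, and a cached entry (legitimate or poisoned) is served only until its TTL runs out. The following Python model, added here as an illustration and not code from Comodo or from any real resolver, builds a query with a random transaction ID, a random source port and a case-randomized name, accepts a reply only when all three match, and keeps a TTL-bounded cache. The packets are constructed in memory; nothing is sent on the network, and `make_reply` is a hypothetical helper that exists only to produce sample replies for the checks.

```python
import secrets
import struct

# Added example, not Comodo's code: a simplified model of the resolver-side
# checks that make forged replies hard to land, plus a TTL-bounded cache.
# All packets are constructed in memory; nothing is sent on the network.


def randomize_case(name: str) -> str:
    """0x20 case randomization: each letter is upper- or lower-cased at random.
    Authoritative servers echo the question name byte for byte, so a forger
    who cannot see the query must also guess the case pattern."""
    return "".join(
        c.upper() if c.isalpha() and secrets.randbits(1) else c.lower()
        for c in name
    )


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Inverse of encode_name; returns (name, offset just past the name).
    Compression pointers are not needed for this model and are rejected."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer not supported in this model")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


class PendingQuery:
    """One outstanding query: the unpredictable values a spoofed reply must match."""

    def __init__(self, qname: str):
        self.qid = secrets.randbits(16)                      # random 16-bit transaction ID
        self.sport = 1024 + secrets.randbelow(65536 - 1024)  # random source port, not a fixed 53
        self.qname = randomize_case(qname)                   # case-randomized question name


def build_query(pq: PendingQuery) -> bytes:
    """DNS header (ID, flags=RD, QDCOUNT=1) followed by one A/IN question."""
    header = struct.pack("!HHHHHH", pq.qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(pq.qname) + struct.pack("!HH", 1, 1)


def response_matches(pq: PendingQuery, packet: bytes, dst_port: int) -> bool:
    """Accept a reply only if the UDP port it arrived on, the transaction ID and
    the exact (case-preserved) question name all match the query we sent."""
    if dst_port != pq.sport or len(packet) < 12:
        return False
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qid != pq.qid or not (flags & 0x8000) or qdcount != 1:
        return False
    name, _ = decode_name(packet, 12)
    return name == pq.qname  # byte-exact comparison keeps the 0x20 check


class TtlCache:
    """Minimal cache: an entry, good or poisoned, is served only until its TTL elapses."""

    def __init__(self):
        self._entries = {}

    def put(self, name: str, ip: str, ttl: int, now: float) -> None:
        self._entries[name.lower()] = (ip, now + ttl)

    def get(self, name: str, now: float):
        entry = self._entries.get(name.lower())
        if entry is None or now >= entry[1]:
            self._entries.pop(name.lower(), None)
            return None
        return entry[0]


def make_reply(query: bytes, qid_override=None, qname_override=None) -> bytes:
    """Hypothetical helper: turn a query into a reply packet (QR bit set).
    The overrides model a forger who guesses the ID or the name case wrong."""
    qid = struct.unpack("!H", query[:2])[0] if qid_override is None else qid_override
    if qname_override is None:
        qname, _ = decode_name(query, 12)
    else:
        qname = qname_override
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    pq = PendingQuery("example.com")
    q = build_query(pq)
    print("legitimate reply accepted:", response_matches(pq, make_reply(q), pq.sport))
    print("wrong transaction ID rejected:",
          not response_matches(pq, make_reply(q, qid_override=pq.qid ^ 1), pq.sport))
    print("wrong name case rejected:",
          not response_matches(pq, make_reply(q, qname_override=pq.qname.swapcase()), pq.sport))
```

Each check on its own only multiplies the guesses a forger needs (16 bits of ID, roughly 16 bits of port, one bit per letter of the name); a resolver that fixes any of them to a constant gives that factor back. The cache class shows the other half of the article's point: once a bad answer is in, it is served until `now` passes the stored expiry, so a short TTL limits the damage window but a patched resolver that rejects the forged reply is what prevents it.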

Comodo Dome Shield DNS filtering

Comodo Dome Shield DNS Filtering blocks access to such malicious sites. The DNS Internet Security service is available for homes, businesses, and MSPs. No matter how many users you have, it is absolutely free. For more details, please visit the official page.
