DNS Cache Poisoning
A Domain Name System (DNS) server is constantly asking questions and receiving answers. It is used to resolve address questions such as “What is the IP address of www.cnn.com?”, the answer being “www.cnn.com is at 64.236.24.20.” However, DNS cache poisoning can occur. That is when an attacker hacks into your DNS server and inserts phony data into the cache. How does DNS cache poisoning (also known as pharming) happen? The problem lies in that the DNS server does not authenticate the answers it receives: DNS servers do not check responses to make sure they are coming from the original site. As an example of DNS cache poisoning, you may type www.cnn.com into your browser window, and your computer queries the DNS server for www.cnn.com’s IP address. Instead of the correct IP of 64.236.24.20, your DNS server is fed a bogus address, and you end up on a page that may or may not look exactly like the CNN home page.
Recently, DNS cache poisoning has been on the increase. Berkeley Internet Name Domain (BIND), the software used by almost all DNS servers on the Internet, was shown to be vulnerable in the late 1990s. RSA Security found itself a victim of DNS cache poisoning in 2000, when users going to its home page were given a “hacked” version of the web page rather than the original. The SANS Institute had one cache poisoning attack in March 2005 that redirected users of brands such as ABC, American Express, and Verizon Wireless. Panix was also a victim of cache poisoning, and the IP address of the main DNS server at Hushmail was changed to a hacker’s site.
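To make the missing check concrete, here is an added toy example (not code from the article or from any real resolver) in which one cache accepts whatever reply arrives and another keeps a reply only when it matches the question it actually sent, to the server it sent it to, and only for names inside the queried zone. The transaction IDs, the 192.0.2.x/198.51.100.x addresses and the example.net name are constructed for the example.

```python
# Added example (not from the article): a toy resolver cache contrasting the
# missing checks the text describes with the checks a resolver should make.
# Addresses are constructed; 64.236.24.20 is the one quoted in the article.
from typing import NamedTuple

class Response(NamedTuple):
    txid: int      # 16-bit transaction ID copied from the question
    qname: str     # question name, e.g. "www.cnn.com"
    source: str    # address the reply packet claims to come from
    answers: dict  # name -> IP records carried in the reply

class ResolverCache:
    def __init__(self):
        self.pending = {}  # txid -> (qname, server asked) for open questions
        self.cache = {}    # name -> cached IP

    def send_query(self, txid: int, qname: str, server: str) -> None:
        self.pending[txid] = (qname, server)

    def accept_unchecked(self, r: Response) -> None:
        # The weak behaviour the article describes: cache whatever arrives.
        self.cache.update(r.answers)

    def accept_checked(self, r: Response) -> bool:
        # Keep a reply only if it answers a question we actually sent, from
        # the server we sent it to, and only records inside the queried zone.
        if self.pending.get(r.txid) != (r.qname, r.source):
            return False  # no matching question: treat as forged and drop
        zone = r.qname.split(".", 1)[1]  # "cnn.com" for "www.cnn.com"
        for name, ip in r.answers.items():
            if name == zone or name.endswith("." + zone):
                self.cache[name] = ip
        del self.pending[r.txid]
        return True

def demo():
    weak, strict = ResolverCache(), ResolverCache()
    for c in (weak, strict):
        c.send_query(0x1234, "www.cnn.com", "192.0.2.53")
    genuine = Response(0x1234, "www.cnn.com", "192.0.2.53",
                       {"www.cnn.com": "64.236.24.20"})
    # Constructed bogus reply: wrong ID and source, plus a record for a name
    # outside cnn.com that was never asked about.
    bogus = Response(0x9999, "www.cnn.com", "198.51.100.7",
                     {"www.cnn.com": "198.51.100.7", "www.example.net": "198.51.100.7"})
    weak.accept_unchecked(bogus)
    dropped = strict.accept_checked(bogus)   # False: not a reply to our question
    kept = strict.accept_checked(genuine)    # True: matches ID, name and server
    return weak.cache, strict.cache, dropped, kept
```

Real resolvers add further defences on top of these checks, such as randomised source ports and DNSSEC validation, but the contrast above is the core of what the article means by "authenticating the answers".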
If you are a victim of DNS cache poisoning, not only are you not getting the page you had hoped for, but there is a very good possibility that your computer has been exposed to spyware and adware. While no one wants spyware and adware on their computer, the bigger risk to you is when the bogus page returned looks exactly like the original page. You think the page is authentic and type in personal information such as your username, password, or banking or credit card details. This allows the attacker to steal your information and use it for fraudulent purposes.
Often, DNS cache poisoning will take you to a bogus web page that is obviously not the page you wanted to visit. These pages are set up not so much to steal your identity as to load your computer with spyware and adware. While often not dangerous, this is annoying, with the spyware doing things such as changing your browser toolbar, home page and preferences. If you feel you have been a victim of DNS cache poisoning, run a reliable anti-spyware program such as Spy Sweeper to ensure your computer is clean and protected.
Should you be worried about DNS cache poisoning? You need not be worried unless you work for a business that runs its own DNS server. Home users usually access the web through a large Internet Service Provider (ISP) and have no need to worry. The hack does not really work against the DNS servers of large ISPs, because their caches are large and are overwritten so often by legitimate requests. But if you come across anything that looks suspicious, do not hesitate to contact your ISP immediately.
Copyright © 2007 THR Computer Solutions: DNS Cache Poisoning