Originally posted 26 Apr 2003
A cache is a local store of information (or munitions). Security researchers and practitioners have demonstrated that the trust relationship on which DNS relies is weak, and an attacker can inject false information into the local cache of a DNS resolver that's caching DNS response messages. By doing so, the attacker substitute domain name/IP address bindings of his choice for the legitimate ones in DNS reply messages. This is called "poisoning" the DNS, and poisoned name server databases can be used for a variety of attacks.
Photo by Special
A Concise Definition for DNS Cache Poisoning
Christopher Schuba described the basic name spoofing attack in his master's thesis from Purdue in 1993. It's succinct and correct. I'll reproduce it here:
"Many security problems of the TCP/IP protocol suite rely on the ability of the attacker to spoof the IP address of a trusted machine, as described in [Bel89]. As hosts trust each other, usually on the basis of host names, an attacker can take the easier approach and spoof a host's name instead of its IP address.
"If a host named HA accesses another host named NSA, host NSA accepts the connection and retrieves address information about the connecting host HA. Host NSA reads host HA's IP address and converts it into a regular host name. To bind the right name to the IP address, host NSA starts a Domain Name System query in the reverse lookup tree.
"For a pair of machines NSB and HB under the power of an attacker, with NSB running a primary name server for a certain zone, and HB trying to fake HA's identity, it is easy to make NSA believe HB was HA. HB connects to NSA and claims to be HA, NSA retrieves HB's IP address 184.108.40.206 and queries the name 220.127.116.11.in-addr.arpa from the Domain Name System. One single entry in the authoritative data for the reverse lookup tree for NSB's zone specifes the IP address-to-name mapping between 18.104.22.168.in-addr.arpa and HB. If the attacker replaces this line by a mapping between 22.214.171.124.in-addr.arpa and HA, NSA's resolution attempt will finally grant HB access to NSA."
Attacks that Exploit Cache Poisoning
You can find a recent, decent read that explains current attacks against DNS cache (including the Birthday Attack) and recommended countermeasures at SecurityFocus.com. The article is DNS Cache Poisoning: The Next Generation, by Joe Stewart.
I wrote an article for WatchGuard Technologies on this subject, DNS Pharming: Someone's Poisoned the Water Hole!