HowTo: Prevent DNS Cache Poisoning

~~   Foreword   ~~

There is a long history of attacks on the Domain Name System, ranging from brute-force denial-of-service attacks to targeted attacks that need specialized software. A ne’er-do-well can send a few small packets that cause many larger packets to be sent to the target, an effect called ‘amplification’. In July 2008 a new DNS cache-poisoning attack was unveiled that is especially dangerous because it requires neither substantial bandwidth or CPU nor any complex technique.

With ‘cache poisoning’ an attacker gets a forged address record into the cache of a recursive DNS resolver. If the resolver accepts the forged answer, its cache is poisoned: every later query it receives for that name is answered with the attacker’s address, so clients are sent to the attacker’s server. The forged entry stays in the cache for its ‘time to live’ (TTL), a value the attacker sets in the forged answer and typically a couple of hours. So you might think you are connecting to your bank or to a bill-payment site, but you are handing your login details to the attacker.
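To make the mechanism concrete, here is a toy model of a caching resolver, added as an example here and not code from the original page. A resolver only accepts an answer that matches a query it currently has outstanding; the attacker, who cannot see the query, forges the upstream server’s source address and guesses the 16-bit transaction ID. The server and attacker addresses, the domain name and the TTL values are all constructed for the example. The model shows that the resolver rejects forged answers with the wrong ID, name or source, that an attacker who tries IDs before the legitimate answer arrives is eventually accepted, and that the accepted forgery is served from the cache until its TTL expires.

```python
"""Toy model of a caching resolver: shows how a forged answer becomes a
cached (poisoned) record and stays there until its TTL expires.
Constructed example; not real resolver code and not a network client."""
import random
from dataclasses import dataclass


@dataclass
class Response:
    txid: int        # 16-bit transaction ID copied from the query
    qname: str       # question the answer claims to be for
    address: str     # address (A record) being offered
    ttl: int         # seconds the resolver may keep the record
    source: str      # IP the packet claims to come from (forgeable)


class ToyResolver:
    """Caches an answer only if it matches an outstanding query."""

    def __init__(self, rng=None):
        self.rng = rng or random.Random(1)
        self.now = 0          # simulated clock, seconds
        self.pending = {}     # txid -> (qname, upstream server)
        self.cache = {}       # qname -> (address, expiry time)

    def send_query(self, qname, upstream):
        txid = self.rng.randrange(1 << 16)    # only 65536 possible IDs
        self.pending[txid] = (qname, upstream)
        return txid

    def receive(self, resp):
        match = self.pending.get(resp.txid)
        if match is None:
            return False                      # no query with this ID outstanding
        qname, upstream = match
        if resp.qname != qname or resp.source != upstream:
            return False                      # wrong question or wrong server
        del self.pending[resp.txid]           # first matching answer wins
        self.cache[qname] = (resp.address, self.now + resp.ttl)
        return True

    def lookup(self, qname):
        entry = self.cache.get(qname)
        if entry is None:
            return None
        address, expiry = entry
        if self.now >= expiry:                # TTL ran out: entry is gone
            del self.cache[qname]
            return None
        return address

    def advance(self, seconds):
        self.now += seconds


# Constructed addresses from the documentation ranges; hypothetical domain.
UPSTREAM = "192.0.2.53"       # the authoritative server the resolver asks
ATTACKER = "203.0.113.66"     # host the attacker wants victims to reach
VICTIM = "bank.example"


def forgery_rejected():
    """Forged answers with the wrong source, name or ID are not cached."""
    r = ToyResolver()
    txid = r.send_query(VICTIM, UPSTREAM)
    wrong_src = r.receive(Response(txid, VICTIM, ATTACKER, 7200, ATTACKER))
    wrong_name = r.receive(Response(txid, "other.example", ATTACKER, 7200, UPSTREAM))
    wrong_id = r.receive(Response((txid + 1) % (1 << 16), VICTIM, ATTACKER, 7200, UPSTREAM))
    return wrong_src, wrong_name, wrong_id


def poison_by_guessing(max_guesses):
    """Attacker races the real answer: forges the upstream's source address
    and tries transaction IDs in random order. Returns (n, resolver) where
    n is the number of forged packets sent before one was accepted, or
    (None, resolver) if the legitimate answer arrived first."""
    r = ToyResolver()
    real_txid = r.send_query(VICTIM, UPSTREAM)
    ids = list(range(1 << 16))
    random.Random(7).shuffle(ids)             # attacker's guessing order
    for n, guess in enumerate(ids[:max_guesses], start=1):
        forged = Response(guess, VICTIM, ATTACKER, ttl=7200, source=UPSTREAM)
        if r.receive(forged):
            return n, r
    # Real answer lands and the pending query is consumed: race lost.
    r.receive(Response(real_txid, VICTIM, "198.51.100.10", 300, UPSTREAM))
    return None, r


def poison_lifetime():
    """An accepted forgery is served until its TTL (7200 s here) expires."""
    n, r = poison_by_guessing(1 << 16)        # whole ID space: race is won
    during = r.lookup(VICTIM)
    r.advance(7200)
    after = r.lookup(VICTIM)
    return n, during, after


if __name__ == "__main__":
    print("rejected (src, name, id):", forgery_rejected())
    print("guesses, while poisoned, after TTL:", poison_lifetime())
```

The model deliberately omits UDP source-port checking and any cryptographic validation of answers; it only checks what the paragraph describes, namely that an answer is taken on trust if it looks like the reply to an outstanding query. With the transaction ID as the only unpredictable field, an attacker who can send answers faster than the real server can expect to be accepted after a modest number of guesses, and once accepted the forged record is returned for every later lookup of the name until its TTL runs out.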