How Does a DNS Work?

Every time when you type an address of a website into your browser, the following things
happen:
1. A DNS server is contacted.
Your computer must reach out to the DNS server (DNS Resolver) for more information.
2. The DNS looks up a numerical address.
Computers understand server addresses made up of numbers and dots only. If you've never
searched for this site before, your computer will ask another server for help.
3. A DNS resolver completes the query.
Your human-optimized address (e.g., yahoo.com) is switched to a numerical version, i.e. an IP
address similar to 102.154.112.217
4. You're sent to your site.
With the correct numerical address, you head to the proper server that hosts your website.
5. Data is stored.
The internet server you use has a DNS server that stores translations from human addresses to
numeric versions. The results of your search are stored here.
The beauty is that all this work happens in a few quick seconds, and you rarely notice any delay.
But behind your screen, your computer is reaching out to others to understand where you should
go next and what should happen.
The DNS system was developed in 1983, when the internet contained far fewer websites and
servers. The developers never dreamed that anyone would want to play with the system or
defraud users. That's why there is no built-in security measure for DNS. The biggest reason
behind all this is that DNS was built for a much small internet. Next reason is that neither your
computer verifies the identity of the server it talks to, nor it does validate the data that comes
back.
-
What is DNS Poisoning?
Let's take an example which makes things easier to understand here.
Suppose you are a student and it is your first day at the campus. But your seniors at the campus
has decided to play a prank on you all (new students). Imagine what they do is that they change
all the numbers of all rooms of campus layout before your arrival. So what will happen next?
Simple. All new students would get lost on the campus on their first day. They would show up in
the wrong classrooms. Right? Now consider the even higher level of this prank. That your
seniors have recorded all these fake numbers in the 'campus directory' too including all campus
layout-maps. Thus, all new students will continue to head to the wrong classrooms, until
someone finally notices the fake numbers and decides to correct the 'campus directory' as well as
campus layout-maps.
DNS (cache) poisoning is very similar to above scenario. IP addresses are the 'room numbers' of
the Internet, enabling web traffic to arrive in the right places. DNS resolver caches are like the
'campus directory,' and when they store faulty information, traffic goes to the wrong places until
the cached information is corrected. (It is critical to note that it does not actually disconnect the
real websites from their real IP addresses. Ok?)
DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name
System data is introduced into the DNS resolver's cache, causing the name server to return an
incorrect result record, e.g. an IP address, to the clients. As a result all users who are trying to
access to a legitimate website, will be directed to wrong or fake website.
-
How do attackers poison DNS caches?
Attackers can poison DNS caches by impersonating DNS nameservers, making a request to a
DNS resolver, and then forging the reply when the DNS resolver queries a nameserver. This is
possible because DNS servers use UDP instead of TCP, and because currently there is no
verification for DNS information.
The graphic here clearly shows how does it happen...
You need to remember that it is UDP, that is the culprit here.
Unlike TCP, which requires both communicating parties to perform a 'handshake' to initiate
communication and verify the identity of the devices, DNS requests and responses use UDP, or
the User Datagram Protocol. With UDP, there is no guarantee that a connection is open, that the
recipient is ready to receive, or that the sender is who they say they are. UDP is vulnerable to
forging for this reason – an attacker can send a message via UDP and pretend it's a response from
a legitimate server by forging the header data.
If a DNS resolver receives a forged response, it accepts and caches the data uncritically because
there is no way to verify if the information is accurate and comes from a legitimate source.
REMEMBER:
The Internet doesn’t just have a single DNS server, as that would be extremely inefficient. Your
Internet service provider runs its own DNS servers, which cache information from other DNS
servers. Your home router functions as a DNS server, which caches information from your ISP’s
DNS servers. Your computer has a local DNS cache, so it can quickly refer to DNS lookups it’s
already performed rather than performing a DNS lookup over and over again.
-
Despite these major points of vulnerability in the DNS caching process, DNS poisoning attacks
are not easy. Because the DNS resolver does actually query the authoritative nameserver,
attackers have only a few milliseconds to send the fake reply before the real reply from the
authoritative nameserver arrives.
Attackers also have to either know or guess a number of factors to carry out DNS spoofing
attacks:

1. Which DNS queries are not cached by the targeted DNS resolver, so that the resolver will
query the authoritative nameserver
2. What port* the DNS resolver is using – they used to use the same port for every query,
but now they use a different, random port each time.
3. The request ID number
4. Which authoritative nameserver the query will go to

Attackers can also gain access to the DNS resolver in some other way. For example, attackers
hack, or gain physical access to a DNS resolver.
-

The Great Firewall of China Spreads to the US IN 2010

This isn’t just a theoretical problem — it has happened in the real world on a large scale. One of
the ways China’s Great Firewall works is through blocking at the DNS level. In 2010, an Internet
service provider outside of China mistakenly configured its DNS servers to fetch information
from DNS servers in China. It fetched the incorrect DNS records from China and cached them
on its own DNS servers. Other Internet service providers fetched DNS information from that
Internet service provider and used it on their DNS servers. The poisoned DNS entries continued
to spread until some people in the US were blocked from accessing Twitter, Facebook, and
YouTube on their American Internet service providers. The Great Firewall of China had
“leaked” outside of its national borders, preventing people from elsewhere in the world from
accessing these websites. This essentially functioned as a large-scale DNS poisoning attack.
-
How can DNSSEC possibly help prevent DNS poisoning?
DNSSEC is short for Domain Name System Security Extensions, and it is a means of verifying
DNS data integrity and origin. Much like TLS/SSL, DNSSEC uses public key cryptography (a
way of digitally signing information) to verify and authenticate data. DNSSEC extensions were
published in 2005, but DNSSEC is not yet mainstream, leaving DNS still vulnerable to attacks.
Problem is that DNSSEC never gained momentum...
-
How To Prevent DNS Poisoning?
Website owners and DNS service providers have the mutual or shared responsibility of
defending users from DNS attacks.
As a user, you can do at least one thing. KEEP FLUSHING YOUR DNS CACHE...For example
windows users can launch Command-prompt or powershell and use the command: ipconfig
/flushdns
-
Please let me know of what do you think about this in the comment section. You can also share
with all if the information shared here helps you in some manner.
Kindly write your comment on the posts or topics, because when you do that you help me
greatly in designing new quality article/post on cybersecurity.
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
With thanks,