January 6, 2011

DNS stands for Domain Name System. It translates the domain names people remember into the IP addresses that Internet hosts actually use to reach the resources of a domain, so nobody has to memorize the numerous IP addresses in use around the world. DNS cache poisoning is the compromise that occurs when data that did not originate from an authoritative DNS source is introduced into a name server's cache; it may be the result of a deliberately crafted attack on that server. When a DNS server has accepted such non-authentic data and cached it for performance, it is considered poisoned and will hand the non-authentic data to its clients. A poisoned server may therefore return an incorrect IP address for a name, diverting traffic to a computer of the attacker's choosing.

For a workstation to use DNS, it must be running a DNS client, also called a client (stub) resolver.

DNS Server

DNS cache poisoning consists of changing or adding records in a resolver cache, on the client or on the server, so that a DNS query for a domain returns an IP address the attacker controls instead of the address of the intended host.

How DNS poisoning works can be explained with the following steps (the resolution of www.abc.alphabet.com, a name in the alphabet.com zone, is used throughout):
Step 1: The resolver checks the resolver cache in the workstation's memory to see if it already holds an entry for www.abc.alphabet.com.
Step 2: Finding no entry in the resolver cache, the resolver sends a resolution request to the internal DNS server.
Step 3: When the DNS server receives the request, it first checks whether it is authoritative for the name. It is not authoritative for alphabet.com, so it next checks its local cache for an entry for www.abc.alphabet.com, which is not there either.
Step 4: A request is sent to one of the Internet root servers. The root server returns the addresses of the servers authoritative for the .com top-level domain.
Step 5: A request is sent to one of the .com servers, which returns the address of the DNS server authoritative for the alphabet.com domain.
Step 6: The DNS server sends its query to the authoritative server for alphabet.com, and this exchange is the one prone to poisoning. The server accepts the first reply that matches the outstanding query, including its 16-bit transaction ID, so the attacker must get a forged reply with the right ID in before the genuine answer arrives. To win that race the attacker launches a denial-of-service attack against the authoritative server; while it struggles to cope, the attacker's machine has time to guess the transaction ID by sending forged replies, one per candidate ID. As soon as a forged reply with a matching ID lands, the DNS server accepts it, and the answer pointing at the attacker's site is placed in the server's cache.
Step 7: The rogue IP address for www.abc.alphabet.com is returned to the client resolver.
Step 8: An entry is made in the resolver cache, and a session is initiated with the attacker's site. At this point both the workstation's cache and the internal DNS server's cache are poisoned, and they stay poisoned until the bogus record's TTL expires. This can lead to severe consequences, such as the workstation being infected with malware and the many routines that malware runs.
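A toy model of the race in steps 6 to 8, added here as an example; it is not part of the original post. It builds real DNS wire-format queries and answers with the Python standard library and runs them through a simulated caching server that, like the resolvers the steps describe, accepts the first reply whose transaction ID and question match an outstanding query. The attacker sprays forged replies across the whole 16-bit ID space and wins. The same code with randomize_port=True models the source-port randomization that resolvers adopted after 2008 (which the post does not cover) and shows the spray failing. The names and addresses (the attacker's 203.0.113.66, the genuine 198.51.100.10) are constructed, and nothing is sent on the network.

```python
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1
QNAME = "www.abc.alphabet.com"      # name from the walkthrough above
ROGUE_IP = "203.0.113.66"           # constructed: the attacker's site
GENUINE_IP = "198.51.100.10"        # constructed: the real address


def encode_name(name):
    """Wire-format name: each label length-prefixed, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname):
    """Standard query: header (ID, RD flag, QDCOUNT=1) + one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, qname, ip, ttl=300):
    """Authoritative-looking answer: QR/AA/RD/RA flags, echoed question, one A record.
    0xC00C is a compression pointer back to the name at offset 12 (the question)."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(wire):
    """Return (txid, qname, ip) from a response in the format build_response emits."""
    txid, _flags, _qdcount, ancount = struct.unpack("!HHHH", wire[:8])
    pos, labels = 12, []
    while wire[pos] != 0:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1 + 4                                   # root label + QTYPE/QCLASS
    ip = None
    if ancount:
        rdlen = struct.unpack("!H", wire[pos + 10:pos + 12])[0]   # after ptr/type/class/ttl
        ip = ".".join(str(b) for b in wire[pos + 12:pos + 12 + rdlen])
    return txid, ".".join(labels), ip


class Resolver:
    """Caching DNS server. In legacy mode it matches a reply to its outstanding query on
    the 16-bit transaction ID and the question only, the weakness the steps rely on.
    With randomize_port=True it also picks a random UDP source port per query and insists
    the reply come back to that port (the post-2008 hardening), widening the guess space."""

    def __init__(self, rng=None, randomize_port=False):
        self.rng = rng or random.Random()
        self.randomize_port = randomize_port
        self.cache, self.pending = {}, {}          # qname -> ip ; (txid, port) -> qname

    def send_query(self, qname):
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending[(txid, port)] = qname
        return txid, port, build_query(txid, qname)

    def receive(self, wire, dst_port=53):
        """Accept the FIRST reply whose ID, port and question match; cache it; drop the rest."""
        txid, qname, ip = parse_response(wire)
        if self.pending.get((txid, dst_port)) != qname:
            return False
        del self.pending[(txid, dst_port)]
        self.cache[qname] = ip
        return True


def spray_forged_responses(resolver, qname, rogue_ip, guesses, dst_port=53):
    """Step 6 from the attacker's side: while the authoritative server is assumed to be
    held up by the DoS, send one forged reply per candidate transaction ID.
    Returns the ID that was accepted, or None if none was."""
    for guess in guesses:
        if resolver.receive(build_response(guess, qname, rogue_ip), dst_port):
            return guess
    return None


def run_race(randomize_port, seed=1):
    """Steps 6-8 end to end. Returns (poisoned, cached_ip, genuine_reply_accepted)."""
    server = Resolver(random.Random(seed), randomize_port)
    txid, port, _query = server.send_query(QNAME)
    # The attacker knows neither txid nor port and sprays the whole 16-bit ID space at port 53.
    hit = spray_forged_responses(server, QNAME, ROGUE_IP, range(1 << 16))
    # The genuine answer arrives late, on whichever port the server actually used.
    genuine_ok = server.receive(build_response(txid, QNAME, GENUINE_IP), port)
    return hit == txid, server.cache.get(QNAME), genuine_ok


if __name__ == "__main__":
    for hardened in (False, True):
        print("randomized source port:", hardened, "->", run_race(hardened))
```

Running it prints one line per mode: the legacy server ends up caching 203.0.113.66 and then drops the genuine reply because the query is no longer outstanding; the hardened server drops all 65536 forgeries and caches 198.51.100.10. Note what the model leaves out: a real attacker also has to spoof the authoritative server's source address and must beat a genuine reply travelling over the network, and port randomization only raises the cost of the guess (to roughly 2^32 combinations) rather than removing the race. Only DNSSEC validation lets a resolver reject a forged answer outright.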

