{"id":11995,"date":"2020-01-21T15:00:00","date_gmt":"2020-01-21T20:00:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=11995"},"modified":"2023-06-23T09:34:37","modified_gmt":"2023-06-23T13:34:37","slug":"dns-poisoning-attacks-a-guide-for-website-admins","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/dns-poisoning-attacks-a-guide-for-website-admins\/","title":{"rendered":"DNS Poisoning Attacks: A Guide for Website Admins"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\" id=\"h-how-to-protect-your-website-against-dns-cache-poisoning-attacks\">How to protect your\nwebsite against DNS cache poisoning attacks<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">There are literally hundreds of exploits\nand several million viruses that could penetrate your network defenses. Going\nafter them all is a full-time job. Fortunately, that job is handled by experts\nwhose only purpose is cyber security and technology that&#8217;s designed to detect\nand root out troublemakers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One of the most odious and difficult to\ndetect is <strong>DNS poisoning<\/strong>, also known\nas DNS spoofing, DNS hijacking, DNS cache poisoning, or DNS redirection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What is this digital ailment, and what can you do to protect your networks?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-is-dns-poisoning\">What is DNS Poisoning?<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1016\" height=\"448\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNS-Diagram.png\" alt=\"How DNS works\" 
class=\"wp-image-10208\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNS-Diagram.png 1016w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNS-Diagram-300x132.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNS-Diagram-768x339.png 768w\" sizes=\"auto, (max-width: 1016px) 100vw, 1016px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Domain name systems are the equivalent of the internet&#8217;s phone directory. Every website has a unique domain name that&#8217;s used to identify its location on the internet. A <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.wired.com\/story\/what-is-dns-hijacking\/\" target=\"_blank\">domain name server (DNS) attack<\/a> is a cybercrime that probes these servers looking for weaknesses to exploit. Once in, they can change coding or other information.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Simply put, a DNS poisoning attack\ncompromises DNS servers so visitors who try to go to a website are secretly\nrouted to the wrong IP address behind the scenes. The user may type \u201cgoogle.com\u201d\ninto their browser, but they\u2019re actually routed to a server run by a hacker.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The main symptom of a DNS poisoning attack is a sudden, unexplained drop in web traffic. Though web traffic is always volatile, if you see a sudden reduction in the number of visitors to your site, it\u2019s always worth investigating why. You can sometimes spot a DNS poisoning attack by pretending to be a customer: borrow a friend\u2019s computer, or use a VPN to change your location, and try to access your site. 
If you\u2019re redirected to a site you don\u2019t recognize, the chances are good that your DNS cache has been compromised.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"DNS Cache Poisoning - Computerphile\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/7MT1F0O3_Yw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-a-dns-exploit-endangers-your-website\">How a DNS Exploit Endangers Your\nWebsite<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike a <a href=\"https:\/\/learn.g2crowd.com\/4-common-cyber-attacks\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Distributed Denial of Service (DDoS) attack<\/a>, which overloads your server by sending an avalanche of requests, DNS spoofing discreetly draws traffic away from your website. Once individuals have been lured to the fake website, all kinds of malfeasance can occur.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS exploits can spread from server to server, impacting more and more users. This is because of the way that IP addresses and <a href=\"https:\/\/computer.howstuffworks.com\/dns.htm\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">domain name systems<\/a> work. Domain names are readable only to humans. When a URL is typed into the address bar on your browser, it sends a request to a server, which returns a numeric IP address that can be read by the computer. 
Many times, it returns more than one IP address.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because internet service providers handle\nmillions of requests and IP addresses, they&#8217;re all stored in the same cache\nuntil the request can be routed to the proper location. In addition to the\nserver and ISP you use to access the internet, your router acts as a type of\nDNS server that caches the information from the servers connected to your ISP.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That&#8217;s a lot of <a href=\"https:\/\/whatis.techtarget.com\/definition\/attack-surface\" target=\"_blank\" rel=\"noreferrer noopener\">potential attack surfaces<\/a> and points of entry to protect. In theory, the only sure way to stop the cycle of poisoning is for every cache attached to the DNS, ISPs, and personal or business routers to be cleared simultaneously. In practice, the most likely fix is to correct the most upstream DNS server holding the corrupt record and let the correct data trickle down to the rest.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A recent example of the impact these exploits can have is last year&#8217;s <a href=\"https:\/\/news.bitcoin.com\/myetherwallet-servers-are-hijacked-in-dns-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"attack on MyEtherWallet servers (opens in a new tab)\">attack on MyEtherWallet servers<\/a>. This crime involved hijacking the crypto company&#8217;s domain and redirecting account holders to a phishing website, where they were tricked into revealing their wallet security keys and transferring the money in their accounts to the hacker&#8217;s wallet. 
The attacker was able to make off with $160,000 in Ethereum cryptocurrency before the breach was discovered.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What makes these exploits so hard to\ndetect is that they occur on the user side. Account holders have no idea that\nthe domain has been hijacked and they&#8217;re being redirected to a fictitious\nwebsite. They&#8217;re just going through their normal routine. The website owners\nwon&#8217;t notice either until they discover a problem with their metrics.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-preventing-dns-poisoning-attacks\">Preventing DNS Poisoning Attacks<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">On Feb. 1 of each year, various DNS software developers host a <a href=\"https:\/\/www.internetsociety.org\/blog\/2019\/02\/dns-flag-day\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">DNS Flag Day symposium<\/a> to address security issues and create compliance metrics to shore up problems with servers. However, they haven&#8217;t been able to do enough to keep up with new or revamped attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Preventing DNS attacks is important for two groups: users who want to avoid being spoofed, and sysadmins who want to protect their own site from this kind of attack. In this section, we\u2019ll give you methods for avoiding DNS cache poisoning from both perspectives.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-preventing-dns-cache-poisoning-as-a-system-administrator\">Preventing DNS Cache Poisoning as\na System Administrator<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s\nlook at the website administration side first. 
Since it&#8217;s often so hard for\nwebsite owners and administrators to detect DNS poisoning until after a lot of\ndamage is done, and exploits can be spread to every associated DNS server once\nlaunched, prevention is the best cure.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-choose-your-platform-wisely\">Choose Your Platform Wisely<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The first step in preventing DNS poisoning is choosing a secure hosting platform and content management system. If you don&#8217;t have the budget for a dedicated server, make sure that the hosting plan you choose has the most current encryption standards, DNS leak protection, SSL authentication, and a comprehensive backup and restoration system. If you\u2019re using WordPress as a CMS, follow <a href=\"https:\/\/sectigostore.com\/blog\/wordpress-security-best-practices-tips-to-do-on-your-lunch-break\/\" target=\"_blank\" rel=\"noreferrer noopener\">basic security procedures<\/a> like two-factor authentication (2FA) and regular software updates.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-keep-your-dns-servers-up-to-date\">Keep Your DNS Servers Up to Date<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">In\naddition to choosing the right hosting platform for your security needs, you\nneed to keep your DNS server updated. Regardless of whether you\u2019re running\nBIND, Microsoft DNS, or another server, the latest version is always going to\nhave security patches and fixes installed as well as security standards like\nHSTS, DNSSEC and Response Rate Limiting (RRL) to repel DNS attacks.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-use-dnssec\">Use\nDNSSEC<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Probably the single most important thing you can do to protect against DNS cache poisoning is to use DNSSEC. 
The standard has been strengthened in recent years with <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.networkworld.com\/article\/3298160\/how-to-protect-your-infrastructure-from-dns-cache-poisoning.html\" target=\"_blank\">features specifically designed to prevent this kind of attack<\/a>. It will verify the root domain (referred to as \u201csigning the root\u201d) whenever an end user attempts to access a site. <\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-audit-your-zones\">Audit Your Zones<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Many private DNS servers are loaded with old test domains and subdomains that are out of sight and mind. These are ripe for exploitation. You can monitor all zones, including hidden or forgotten ones, as well as all IPs and records using a tool like <a href=\"https:\/\/securitytrails.com\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Security Trails<\/a>. These types of tools allow you to catch possible vulnerabilities and prevent attacks before they happen.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-consider-forcing-https\">Consider Forcing HTTPS<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">With HSTS, you can force browsers to\nalways load your website on HTTPS. This helps you avoid DNS cache poisoning in\none key way: a hacker who creates a fake version of your website is unlikely to\nbe able to get a trusted SSL\/TLS certificate for your domain. This means that\nwhen visitors are directed to the hacker\u2019s fake version of your website,\nthey\u2019ll get a big security warning in their browser.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-preventing-dns-cache-poisoning-as-a-user\">Preventing DNS Cache Poisoning as\na User<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Users should also be aware of the dangers of DNS redirects, since this type of attack can fool you into entering sensitive details into fake websites. 
Here are a couple of ways you can avoid that:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-mask-your-bind-version\">Mask Your BIND Version<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Hackers usually keep track of common flaws in various generations of commonly used platforms. They then use this information to break into networks or platforms that are using a particular version. By hiding software versions, you can make it just a little harder for hackers to perform DNS poisoning. If you\u2019re using the popular Linux-based DNS service, BIND, masking your BIND version is a good idea.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If BIND is your DNS software, all that\u2019s\nrequired for a hacker to get your version number is to perform a remote query\nusing this command: <strong>dig @ns1.server.com -c CH -t txt version.bind<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That would return an answer like this if\nthe BIND version is not hidden:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ANSWER SECTION:\nVERSION.BIND. 0 CH TXT \"named 9.8.2...<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To hide this information, go into your <strong>\/etc\/named.conf<\/strong> file and find the\nconfiguration block <strong>options { \u2026 }<\/strong>.\nThis leads you to a line that says <strong>version &quot;BIND&quot;;<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Change that line to say <strong>version &quot;Forbidden&quot;;<\/strong>, and\nthen save and close the file. You&#8217;ll have to restart BIND to apply the changes.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-check-the-browser\">Check the Browser<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">One fast way to know if your DNS has been hijacked is to look for your business name in the certificate details displayed by the browser. 
The ability to see the company name in the address bar is an indication that the website is authenticated by an <a href=\"https:\/\/www.thesslstore.com\/blog\/how-to-view-ssl-certificate-details-in-chrome-56\/\">EV SSL\/TLS certificate<\/a>. Not all websites have an extended validation (EV) certificate, but the presence of the company name in the browser lets you know that it&#8217;s safe to proceed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"684\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/mouseover-ev-ui-1024x684.png\" alt=\"\" class=\"wp-image-11595\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/mouseover-ev-ui-1024x684.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/mouseover-ev-ui-300x200.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/mouseover-ev-ui-768x513.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/10\/mouseover-ev-ui.png 1089w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-final-thoughts\">Final Thoughts<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Your domain name is how your brand is identified on the internet. Protecting it from DNS poisoning attacks should be of the highest priority. 
Our goal is to provide you with actionable solutions that keep you from becoming the next <a href=\"https:\/\/www.thesslstore.com\/blog\/33-alarming-cybercrime-statistics-you-should-know\/\">cybercrime statistic<\/a> and potentially costing your site its reputation.<\/p>\n\n\n<span style=\"--tl-form-height-m:801.312px;--tl-form-height-t:638.344px;--tl-form-height-d:638.344px;\" class=\"tl-placeholder-f-type-shortcode_12763 tl-preload-form\"><span><\/span><\/span>","protected":false},"excerpt":{"rendered":"<p>How to protect your website against DNS cache poisoning attacks There are literally hundreds of exploits and several million viruses that could penetrate your network defenses. Going after them all&#8230;<\/p>\n","protected":false},"author":15,"featured_media":11996,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[2380],"class_list":["post-11995","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-dns","post-with-tags"],"views":23908,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/01\/dns-poisoning.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=11995"}],"version-history":[{"count":0,"h
ref":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11995\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/11996"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=11995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=11995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=11995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}