To understand this attack, let us first look at what DNS, i.e. Domain Name Servers, is.
Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers access websites based on IP addresses.
When you type in a web address, e.g., www.**.com, your Internet Service Provider looks up the DNS record associated with the domain name, translates it into a machine-friendly IP address (for example 18.104.22.168 is the IP for www.**.com) and directs your Internet connection to the correct website.
DNS poisoning is simply altering a particular entry in a resolver's cache: when a user requests a website, the poisoned entry forwards the user's traffic where it was not intended to go (a malicious website). Poisoning like this can also spread. For example, if various Internet service providers get their DNS information from the compromised server, the poisoned entry will spread to those providers and be cached there. From there it spreads to home routers and to the DNS caches on computers as they look up the entry, receive the incorrect response, and store it.
Consequences of DNS poisoning include:
- Breach of integrity
- Compromising the authentication method implemented
- Spreading of malware from fake websites
- Phishing attacks
Mitigations include:
- Implement DNSSEC
- Implement and configure an IDS
- Configure the firewall to restrict external DNS lookups
- Periodically monitor the name servers
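The spread described above and the DNSSEC mitigation from the list, modelled as an added example (not code from the original article): a chain of caching resolvers in which the ISP cache has been poisoned, run once without and once with validation. The authoritative server signs records with an HMAC as a stand-in for real DNSSEC signatures, and `Resolver`, `run`, the zone key and the addresses are all constructed for this illustration.

```python
import hashlib
import hmac

# Constructed zone data; real DNSSEC uses public-key RRSIGs, the HMAC is a stand-in.
ZONE_KEY = b"example-zone-key"
AUTHORITATIVE = {"www.example.test": "192.0.2.10"}  # RFC 5737 documentation address
NAME = "www.example.test"

def sign(name, ip):
    """Stand-in for the RRSIG an authoritative server attaches to a record."""
    return hmac.new(ZONE_KEY, f"{name}={ip}".encode(), hashlib.sha256).hexdigest()

def valid(name, ip, sig):
    """Stand-in for DNSSEC validation of a received record."""
    return hmac.compare_digest(sign(name, ip), sig)

class Resolver:
    """Caching resolver: answer from cache, else ask upstream and cache the reply."""
    def __init__(self, label, upstream=None, validate=False):
        self.label, self.upstream, self.validate = label, upstream, validate
        self.cache = {}  # name -> (ip, sig)

    def lookup(self, name):
        if name in self.cache:
            return self.cache[name]
        if self.upstream is None:  # authoritative server signs its own data
            answer = (AUTHORITATIVE[name], sign(name, AUTHORITATIVE[name]))
        else:
            answer = self.upstream.lookup(name)
            if answer is None or (self.validate and not valid(name, *answer)):
                return None  # SERVFAIL: a bogus answer is neither returned nor cached
        self.cache[name] = answer  # cached exactly as received, which is how poison spreads
        return answer

def run(validate, poison=True):
    """Build authoritative -> ISP -> home router -> laptop, optionally poison the
    ISP cache, resolve from the laptop and report what each downstream cache holds."""
    isp = Resolver("isp", Resolver("authoritative"))
    router = Resolver("home-router", isp, validate)
    laptop = Resolver("laptop", router, validate)
    if poison:  # attacker-chosen address with a signature that cannot verify
        isp.cache[NAME] = ("203.0.113.66", "forged")
    answer = laptop.lookup(NAME)
    first = lambda c: c.get(NAME, (None,))[0]
    return {"answer": None if answer is None else answer[0],
            "router_cached": first(router.cache), "laptop_cached": first(laptop.cache)}

if __name__ == "__main__":
    print("no validation:", run(validate=False))
    print("validating:   ", run(validate=True))
```

Without validation the forged address is returned to the user and ends up in both the router and laptop caches; with validation the downstream resolvers refuse the answer and cache nothing, so the poisoned entry stops at the ISP.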