Execution Flow
1) Explore
[Explore resolver caches] Check DNS caches on local DNS server and client's browser with DNS cache enabled.
Technique
- Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.
- Figure out if the client's browser has DNS cache enabled.
2) Experiment
[Attempt sending crafted records to DNS cache] A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.
Technique
- Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.
- If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction
- Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.
3) Exploit
[Redirect users to malicious website] As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.
Technique
- Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.
- Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties.
Prerequisites
A DNS cache must be vulnerable to some attack that allows the adversary to replace addresses in its lookup table.Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions.
Skills Required
To overwrite/modify targeted DNS cache
Resources Required
The adversary must have the resources to modify the targeted cache. In addition, in most cases the adversary will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the adversary's goals.
Mitigations
Configuration: Make sure your DNS servers have been updated to the latest versions
Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.
Configuration: Disable client side DNS caching.
Related Weaknesses
CWE-ID |
Weakness Name |
CWE-348 |
Use of Less Trusted Source The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack. |
CWE-345 |
Insufficient Verification of Data Authenticity The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
CWE-349 |
Acceptance of Extraneous Untrusted Data With Trusted Data The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. |
CWE-346 |
Origin Validation Error The product does not properly verify that the source of data or communication is valid. |
CWE-350 |
Reliance on Reverse DNS Resolution for a Security-Critical Action The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. |
References
REF-22
Wikipedia
http://en.wikipedia.org/wiki/DNS_cache_poisoning REF-23
DNS Threats and DNS Weaknesses
http://www.dnssec.net/dns-threats.php REF-27
Vulnerability Note VU#800113
http://www.kb.cert.org/vuls/id/800113#pat
Submission
Name |
Organization |
Date |
Date Release |
CAPEC Content Team |
The MITRE Corporation |
2014-06-23 +00:00 |
Modifications
Name |
Organization |
Date |
Comment |
CAPEC Content Team |
The MITRE Corporation |
2017-01-09 +00:00 |
Updated Related_Attack_Patterns |
CAPEC Content Team |
The MITRE Corporation |
2017-08-04 +00:00 |
Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Related_Vulnerabilities, Resources_Required |
CAPEC Content Team |
The MITRE Corporation |
2021-06-24 +00:00 |
Updated Execution_Flow |
CAPEC Content Team |
The MITRE Corporation |
2022-09-29 +00:00 |
Updated Related_Weaknesses, Taxonomy_Mappings |