Home > CAPEC List > CAPEC-142: DNS Cache Poisoning (Version 2.11)  

CAPEC-142: DNS Cache Poisoning

DNS Cache Poisoning
Definition in a New Window Definition in a New Window
Attack Pattern ID: 142
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

+ Attack Steps
  1. Explore resolver caches: Check DNS caches on local DNS server and client's browser with DNS cache enabled.

    Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.

    Figure out if the client's browser has DNS cache enabled.

  1. Attempt sending crafted records to DNS cache: A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.

    Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.

    If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction

    Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.

  1. Redirect users to malicious website: As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.

    Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.

    Man-in-the-Middle intercepts secure communication between two parties.

+ Attack Prerequisites
  • A DNS cache must be vulnerable to some attack that allows the adversary to replace addresses in its lookup table.

    Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances


In this example, an adversary sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is

Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address, the adversary floods local DNS with crafted responses with IP address The result is that is stored in DNS cache. Meanwhile, is associated with a malicious website www.maliciousexampsle.com

When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

To overwrite/modify targeted DNS cache

+ Resources Required

The adversary must have the resources to modify the targeted cache. In addition, in most cases the adversary will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the adversary's goals.

+ Solutions and Mitigations

Configuration: Make sure your DNS servers have been updated to the latest versions

Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.

Configuration: Disable client side DNS caching.

+ Injection Vector

A vector specifically crafted to poison DNS cache, so that all traffic is redirected to an unintended destination.

+ Payload

DNS response

+ Activation Zone

DNS server cache

Client's browser DNS cache

+ Payload Activation Impact

Any local machine that types names of the good server is redirected to a malicious server. This attack assists pharming attack when victim is fooled into entering sensitive data into supposedly trusted locations. The adversary could also accept the incoming SSL connection, decrypts it, reads all the traffic, and makes the same request via SSL to the original site.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
+ References
[R.142.1] [REF-6] "Wikipedia". DNS Cache Poisoning. The Wikimedia Foundation, Inc. 2011-07-10. <http://en.wikipedia.org/wiki/DNS_cache_poisoning>.
[R.142.2] [REF-7] "DNS Threats and DNS Weaknesses". DNS Threats & Weaknesses of the Domain Name System. DNSSEC. <http://www.dnssec.net/dns-threats.php>.
[R.142.3] "Vulnerability Note VU#800113". US CERT. 2008-07-08. <http://www.kb.cert.org/vuls/id/800113#pat>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated Related_Attack_PatternsInternal
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Related_Vulnerabilities, Resources_RequiredInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017