DNS Cache Poisoning (also known as DNS Spoofing) is a clever and dangerous attack that manipulates the way computers find websites. Let’s break it down clearly.

🧠 What Is DNS?

The Domain Name System (DNS) is like the internet’s phone book. It translates human-friendly domain names (like example.com) into IP addresses (like 93.184.216.34) that computers use to locate each other.

💣 What Is DNS Cache Poisoning?

DNS Cache Poisoning is an attack where a hacker injects false DNS records into a DNS resolver’s cache. This causes users to be redirected to malicious sites even when they enter the correct domain name.

🧪 How It Works

1. DNS Lookup Begins:

   • A user types www.bank.com.
   • Their computer asks a DNS resolver for the IP address.

2. Attacker Interferes:

   • The attacker sends a forged DNS response with a fake IP address before the legitimate response arrives.

3. Cache Gets Poisoned:

   • The resolver stores the fake IP in its cache.
   • Future users asking for www.bank.com get sent to the attacker’s site.

4. Phishing or Malware:

   • The fake site may look identical to the real one.
   • Users may enter passwords, download malware, or expose sensitive data.

🎯 Why It’s Dangerous

🛡️ How to Prevent DNS Cache Poisoning

• Use DNSSEC:

  • DNS Security Extensions add cryptographic signatures to DNS records.
  • Helps verify authenticity of responses.

• Randomize Source Ports and Transaction IDs:

  • Makes it harder for attackers to guess and spoof responses.

• Limit Cache TTL:

  • Shorter Time-To-Live (TTL) values reduce the window for poisoning.

• Secure DNS Resolvers:

  • Use trusted and updated DNS servers.
  • Avoid open resolvers unless properly secured.

🧠 Real-World Example

In 2008, security researcher Dan Kaminsky discovered a major vulnerability in DNS that allowed attackers to poison caches at scale. His findings led to widespread changes in how DNS servers randomize requests and validate responses.

DNSSEC (Domain Name System Security Extensions) is a powerful upgrade to traditional DNS that adds authentication and integrity to DNS responses. Let’s walk through how it works and why it matters.

🔐 What Problem Does DNSSEC Solve?

Traditional DNS has no built-in security—it assumes that responses are trustworthy. This makes it vulnerable to attacks like:

• DNS Cache Poisoning
• Man-in-the-Middle Attacks
• Spoofed Responses

DNSSEC fixes this by ensuring that DNS responses are digitally signed, so clients can verify they came from the legitimate source.

🧠 How DNSSEC Works (Step-by-Step)

1. Zone Signing:

   • The domain owner generates a pair of cryptographic keys:
     • Private Key: Used to sign DNS records.
     • Public Key: Published in DNS so others can verify the signatures.

2. Signed Records:

   • DNS records (like A, MX, TXT) are signed using the private key.
   • The signature is stored in a special record called RRSIG.

3. Public Key Distribution:

   • The public key is stored in a DNSKEY record.
   • To prevent tampering, a DS (Delegation Signer) record is placed in the parent zone (e.g., .com for example.com).

4. Chain of Trust:

   • DNSSEC builds a chain of trust from the root zone (.) down to the domain.
   • Each zone vouches for the next using DS records.

5. Validation by Resolver:

   • When a DNSSEC-aware resolver receives a response:
     • It checks the RRSIG using the DNSKEY.
     • It verifies the DNSKEY using the DS from the parent zone.
     • If everything checks out, the response is trusted.

🔍 Example

Let’s say you query example.com:

• You get the A record: 93.184.216.34
• You also get an RRSIG: a digital signature of that A record
• Your resolver uses the DNSKEY to verify the RRSIG
• It checks the DS record in .com to verify the DNSKEY
• If all signatures match, the response is authentic

🛡️ Benefits of DNSSEC

⚠️ Limitations

• Doesn’t Encrypt: DNSSEC verifies authenticity, but doesn’t hide the data.
• Complex Setup: Requires careful key management and zone signing.
• Partial Adoption: Not all domains or resolvers support DNSSEC yet.