CAPEC-142 DNS Cache Poisoning – Attack Pattern Analysis

CAPEC-142 Metadata

Likelihood of Attack

High

Typical Severity

High

Overview

Summary

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

Prerequisites

A DNS cache must be vulnerable to some attack that allows the adversary to replace addresses in its lookup table.Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions.

Execution Flow

Step	Phase	Description	Techniques
1	Explore	[Explore resolver caches] Check DNS caches on local DNS server and client's browser with DNS cache enabled.	Run tools that check the resolver cache in the memory to see if it contains a target DNS entry. Figure out if the client's browser has DNS cache enabled.
2	Experiment	[Attempt sending crafted records to DNS cache] A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.	Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID. If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.
3	Exploit	[Redirect users to malicious website] As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.	Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion. Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties.

Potential Solutions / Mitigations

Configuration: Make sure your DNS servers have been updated to the latest versions Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet. Configuration: Disable client side DNS caching.

Related Weaknesses (CWE)

CWE ID	Description
CWE-345	Insufficient Verification of Data Authenticity
CWE-346	Origin Validation Error
CWE-348	Use of Less Trusted Source
CWE-349	Acceptance of Extraneous Untrusted Data With Trusted Data
CWE-350	Reliance on Reverse DNS Resolution for a Security-Critical Action

Related CAPECs

CAPEC ID	Description
CAPEC-89	A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.
CAPEC-141	An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

CAPEC ID

Description

CAPEC-89

A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.

CAPEC-141

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID	Entry Name
1584.002	Compromise Infrastructure: DNS Server

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.