
Malware Trivia: Episode 7

Bogdan BOTEZATU

March 14, 2011


Hello everyone, and welcome to another round of questions and answers.

How to identify if the DNS cache is poisoned? As some of the phishing pages look exactly the same as the authentic one… – Question asked by Chani

Detecting DNS cache poisoning attempts is pretty difficult and requires the use of a special tool called ncaptool, an instrument that statefully detects unsolicited responses by listening at the network layer of a DNS cache server. What happens inside the tool is an intricate process, but the main idea is to compare the output of the DNS cache server (such as the one deployed in your organization or at the ISP level) with the response delivered by an authoritative name server (the one responsible for resolving queries in specific zones). If the responses differ, then the cached entry on the DNS server has been poisoned. Alternatively, you might want to run this simple yet efficient web-based test developed by the DNS OARC (Domain Name System Operations Analysis and Research Center).
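The comparison described above, as an added example that is not code from the original post or from ncaptool: it parses two constructed DNS responses, one standing in for the cache server and one for the authoritative server, and reports the A records that differ. The function names, the host name www.example.com and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import struct

def build_response(name, addrs, txid=0x1A2B):
    """Build a constructed DNS response: one question, one A record per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    for addr in addrs:
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        msg += ipaddress.IPv4Address(addr).packed
    return msg

def skip_name(msg, off):
    """Return the offset just past a name, whether label-encoded or compressed."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            return off + 2
        off += 1 + length

def a_records(msg):
    """Extract the set of IPv4 addresses from the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                  # skip QTYPE and QCLASS
    found = set()
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.add(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return found

def compare(cache_msg, auth_msg):
    """Compare the cache server's answer with the authoritative answer."""
    cached, auth = a_records(cache_msg), a_records(auth_msg)
    return {"match": cached == auth,
            "only_in_cache": sorted(cached - auth),
            "only_at_authority": sorted(auth - cached)}

# Constructed sample messages (documentation address ranges, not real captures)
AUTHORITATIVE = build_response("www.example.com", ["192.0.2.10"])
CACHE_CLEAN = build_response("www.example.com", ["192.0.2.10"], txid=0x3C4D)
CACHE_SUSPECT = build_response("www.example.com", ["203.0.113.66"], txid=0x5E6F)
```

On a live network the two messages would come from querying the cache server and the zone's authoritative server directly. Zones that rotate or geo-balance their answers can return different sets legitimately, so a mismatch should be checked against the addresses the zone owner actually publishes.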

And more importantly, how to repair the problem if one finds oneself to be a victim of such an attack? – Question asked by Chani

DNS poisoning attacks rely on a design vulnerability in the DNS protocol architecture that has been inherited by most implementations of DNS services. Back in 2008, when the vulnerability was initially discovered, the protocol flaws were patched, and the vast majority of DNS servers have since been updated.

If, however, you run the test and find your DNS server vulnerable to cache poisoning, you should immediately contact your ISP or network administrator and urge them to upgrade the DNS server to a version that is not vulnerable. Bear in mind that the DNS system is a critical piece of network infrastructure, as it is responsible for everything you do on the Internet, from sending mail to reading the press or enjoying an IM conversation.

Author


Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.
