DNS cache poisoning can put internet users at risk and may result in the spread of malware and other cyberattacks. In this article, we’ll explain what DNS cache poisoning is, how it works, and the steps you can take to prevent it.
DNS cache poisoning is a process in which hackers insert malicious information into a DNS cache. By doing so, a bad actor can redirect internet users to the wrong website. Individual devices and DNS servers both store DNS cache information, and both can be targeted by DNS cache poisoning.
A poisoned cache could force you to visit a hacker’s server, even if you used the correct URL to load a legitimate page. Once your device has been redirected in this way, the malicious server can infect it with ransomware and viruses.
While the result of cache poisoning is simple enough — a forced redirect to a website you didn’t want to visit — it’s important to understand how this attack actually works.
Let’s define our terminology. What is DNS, and how does DNS caching work? DNS stands for domain name system. It’s a process that allows URLs to be matched with the right IP addresses.
When you type www.google.com (for example) into your browser, your internet gateway (your router, in most cases) has to determine what IP address is associated with that URL. It sends a lookup request to a DNS server, and this server then tries to work out what IP address is being used for www.google.com at that moment.
The DNS server then sends the IP address back to your router, and you are able to load Google’s homepage. The whole process takes a matter of nanoseconds, but it can be even faster thanks to caching.
To speed up this process, the DNS server saves Google’s IP address in its DNS cache for a limited period of time. If someone else wants to open www.google.com during this period, the DNS server already has the IP address saved and doesn’t need to go through the process of finding it for them. This conserves time and processing power for the server.
Most DNS servers maintain a cache of IP addresses, linked with specific URLs. This is useful but can also leave them vulnerable to cache poisoning.
Cache poisoning occurs when a hacker tricks a DNS server into saving the wrong IP address in its cache. To understand this process, let’s go back to our Google example.
Your router sends a lookup request to a DNS server, and the DNS server starts querying other servers, trying to find out what IP address is linked to the URL www.google.com. A query of this kind is marked with a numerical identifier (for example, 1100), and the reply from the responding server is marked with the same number.
Now imagine that a hacker bombards this DNS server with thousands of bogus responses, marked with a wide range of numerical identifiers. All these “responses” tell the DNS server that the IP address it’s looking for is the one associated with the hacker’s own malware-ridden server. The DNS server receives a response marked with the identifier 1100, assumes that it is a genuine reply to its query, and sends your router the hacker’s IP address, claiming that it is Google’s.
Not only will this attack cause your device to connect to a dangerous server full of malware, but the DNS server will now save this incorrect information in its cache. For potentially weeks afterward, anyone else who tries to reach www.google.com will get the same result because the cache contains incorrect information. In short, the DNS cache has been poisoned.
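The matching step described above is where the attack succeeds or fails. The following is an added example, not code from the article, that models a resolver deciding whether a reply may go into its cache: first the article's resolver, which trusts any reply carrying the right identifier, then the extra checks a hardened resolver applies (source address, randomized source port, and bailiwick). The lookup, addresses and ports are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed scenario, not real DNS traffic: one outstanding lookup for
# www.google.com and three replies; addresses are documentation-range placeholders.
@dataclass(frozen=True)
class Pending:
    txid: int       # the numerical identifier the article calls 1100
    qname: str      # name the resolver asked about
    server: str     # address of the server the query was sent to
    src_port: int   # randomized UDP source port the query left from
    zone: str       # zone that server answers for (its "bailiwick")

@dataclass(frozen=True)
class Reply:
    txid: int
    from_ip: str    # source address of the datagram carrying the reply
    to_port: int    # port the datagram was delivered to
    rname: str      # owner name of the answer record
    rdata: str      # IP address carried by the answer record

def in_bailiwick(rname: str, zone: str) -> bool:
    r, z = rname.rstrip(".").lower(), zone.rstrip(".").lower()
    return r == z or r.endswith("." + z)
def check_reply(p: Pending, r: Reply, id_only: bool = False) -> str:
    """Decide whether a reply may be cached. id_only=True models the resolver
    in the article, which trusts any reply carrying the right identifier;
    the remaining checks are what a hardened resolver requires as well."""
    if r.txid != p.txid:
        return "rejected: transaction id"
    if id_only:
        return "accepted"
    if r.from_ip != p.server:
        return "rejected: unexpected source address"
    if r.to_port != p.src_port:
        return "rejected: wrong destination port"
    if not in_bailiwick(r.rname, p.zone):
        return "rejected: out-of-bailiwick record"
    return "accepted"
PENDING = Pending(1100, "www.google.com", "192.0.2.10", 40133, "google.com")
REPLIES = [
    # forged: matching identifier, but sent blind to port 53 from elsewhere
    Reply(1100, "198.51.100.7", 53, "www.google.com", "198.51.100.7"),
    # forged: identifier and port both guessed, but the answer names another zone
    Reply(1100, "192.0.2.10", 40133, "www.example.net", "198.51.100.7"),
    # genuine: from the server we asked, on the port we used, for our name
    Reply(1100, "192.0.2.10", 40133, "www.google.com", "192.0.2.80"),
]
def triage(id_only: bool) -> list:
    return [check_reply(PENDING, r, id_only) for r in REPLIES]  # verdict per reply
```

With identifier-only matching every reply is accepted, so whichever forged datagram lands first is cached; with the full checks only the genuine reply survives.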
A DNS cache poisoning attack can be carried out at a client or server level. Many devices, including routers, have a DNS cache built into their operating systems, which can be hacked by a cybercriminal. Likewise, DNS servers are ideal targets, as discussed above.
The effect of poisoning is a DNS spoofing attack. As a result of cache poisoning, either on your own device or at the DNS server level, you could be forcefully redirected to the wrong page.
By the time you realize something’s gone awry, you could be on a malware-infested page, your device infected with dangerous viruses. Clearing or flushing your DNS cache regularly is one way to prevent this.
When a DNS cache is cleared, either on a server or on your own device, opening a website will prompt a new lookup request because there is no cached data to rely on.
You can clear the DNS cache on your own device, forcing it to send new requests for the IP addresses you need, but that won’t necessarily keep you safe from spoofing attacks unless the DNS server caches are also unpoisoned.
It can be hard to detect DNS cache poisoning, but you can look for a few indicators. At the client level, an unexpected redirection may be a sign of cache poisoning. Likewise, repeated 404 errors could indicate a problem with your DNS cache, though it may just be an error in the cache rather than deliberate tampering.
For the administrators of a DNS server, it’s even more important to guard against this risk. One sign that your server’s cache is poisoned could be an abnormal pattern in the user redirects to a particular IP address.
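As an added illustration of the server-side indicators just described (not part of the original article), here is a small check that runs over resolver log lines and flags two things: a monitored name whose answer no longer matches the operator's expected value, and many unrelated names all resolving to one address. The log format, the log lines and the baseline are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not from any real server): timestamp,
# client, queried name and the A record the resolver handed back.
LOG = """\
2024-05-01T10:00:01 client=10.0.0.5 q=www.google.com a=192.0.2.80
2024-05-01T10:00:02 client=10.0.0.6 q=mail.example.org a=192.0.2.25
2024-05-01T10:00:03 client=10.0.0.5 q=www.google.com a=198.51.100.7
2024-05-01T10:00:04 client=10.0.0.7 q=shop.example.net a=198.51.100.7
2024-05-01T10:00:05 client=10.0.0.8 q=login.example.com a=198.51.100.7
2024-05-01T10:00:06 client=10.0.0.9 q=www.google.com a=198.51.100.7
"""

# Answers the operator expects for names it cares about (constructed baseline).
BASELINE = {"www.google.com": {"192.0.2.80"}}

LINE = re.compile(r"^(\S+) client=(\S+) q=(\S+) a=(\S+)$")

def parse(text):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield {"ts": m[1], "client": m[2], "qname": m[3].lower(), "addr": m[4]}

def find_indicators(text, baseline=BASELINE, fanin_threshold=3):
    """Two cheap signs of a poisoned cache: a cached answer that no longer
    matches the expected one, and many unrelated names collapsing onto the
    same address (users being funnelled to one IP)."""
    names_per_addr = defaultdict(set)
    findings = []
    for rec in parse(text):
        expected = baseline.get(rec["qname"])
        if expected and rec["addr"] not in expected:
            findings.append(f"{rec['ts']} baseline mismatch: {rec['qname']} -> {rec['addr']}")
        names_per_addr[rec["addr"]].add(rec["qname"])
    for addr, names in names_per_addr.items():
        if len(names) >= fanin_threshold:
            findings.append(f"fan-in: {len(names)} distinct names resolve to {addr}")
    return findings
```

A real deployment would feed this from the resolver's query log and tune the fan-in threshold to what is normal for shared hosting or CDN addresses in its environment.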
The simplest way to prevent DNS cache poisoning is to regularly flush DNS caches. If you are a DNS server administrator, waiting until the cache clears itself automatically could mean allowing a poisoned cache to persist for weeks and putting thousands of users at risk.
If you run a private DNS server, you should still be on your guard. Monitoring server performance and watching for possible indicators of compromise will help as well, but regularly flushing the cache is a sure way to limit the dangers of cache poisoning.
DNS cache poisoning and DNS spoofing are not the same type of action, but they’re closely linked. DNS cache poisoning occurs after a DNS spoofing attack, when the server saves the spoofed IP addresses into its cache.
How does DNS spoofing work? To put it simply, a DNS spoofing attack involves the fake DNS query response process we’ve already discussed, and this will usually result in DNS cache poisoning. This poisoning then leads to more DNS spoofing.
DNSSEC (Domain Name System Security Extensions) is a system that verifies the integrity of DNS data and its origins. It corrects the fundamental security issue with DNS requests, which is that they have no built-in authentication process.
Though DNSSEC has not been widely adopted, it has a lot going for it. It uses public key cryptography and limits the risks of DNS spoofing (you can check out our article for a fuller cryptography definition). However, until it becomes the standard for all DNS servers, the risks posed by DNS cache poisoning remain.
In the meantime, there are still some steps you can take to protect yourself from the risks of DNS spoofing and cache poisoning. One important step for overall internet security is to start using NordVPN.
A VPN can boost your security and online privacy, but NordVPN comes with special features that can help you with the specific problem of malware infection. Threat Protection, a built-in NordVPN feature, blocks access to websites that are known to host malware, so even if you’re redirected, you can still protect your device.
Threat Protection also blocks annoying ads and shields you from trackers, allowing you to stay safe and secure while browsing online.