DNS Cache Poisoning and Spoofing - What is it?
DNS stands for Domain Name System; it is the service a browser relies on to find the IP address of a website so that it can load the site on your computer. A DNS cache is a store, kept by your computer's resolver or by your ISP's recursive DNS server, of recently resolved names and the IP addresses that were returned for them. This article explains what DNS cache poisoning and DNS spoofing are.
DNS Cache Poisoning
Every time a user types a website URL in his or her browser, the browser asks the operating system's resolver to look up the host name. The resolver first checks its local cache to see whether there is already an entry mapping that name to an IP address. The browser needs the IP address because it cannot connect using the name alone; the name has to be resolved to an IPv4 or IPv6 address. If a valid record is cached, the browser uses it; otherwise the resolver sends a query to a DNS server to get the address. This is called a DNS lookup.
A DNS cache is kept on your computer and on your ISP's (or your organization's) recursive DNS server so that the time spent resolving a name is reduced. The cache is held in memory and contains the addresses of names that have recently been looked up on the computer or network, each stored together with the time to live (TTL) that the answering server attached to it. Before contacting outside DNS servers, computers on a network ask the local resolver, which checks its cache; on a miss, the resolver queries the upstream or authoritative DNS servers, returns the answer, and stores it in the cache for the next request.
Each entry in a DNS cache has a time limit, the TTL, set by the authoritative name server for that domain (a resolver may cap it at a lower value). After the TTL expires the entry is discarded, and the next lookup for that name goes back to the DNS servers, so the cached information is refreshed.
However, there are people who poison DNS caches for criminal purposes.
Poisoning the cache means replacing the real IP address recorded for a domain name with one the attacker controls. For example, cybercriminals can set up a website that looks like, say, xyz.com and get a record pointing xyz.com at their server into your DNS cache. When you then type xyz.com in the address bar, the browser picks up the IP address of the fake site and takes you there instead of to the real one. This is called pharming. Because the address bar still shows the name you typed, the fake site can phish out your login credentials and other information such as card details, social security numbers and phone numbers for identity theft (a site served over HTTPS will still produce a certificate warning unless the attacker also obtains a valid certificate for that name). DNS poisoning is also used to push malware onto your computer or network: once you land on the attacker's site through a poisoned cache, the criminals can serve whatever they want.
Sometimes, instead of attacking one local cache, criminals poison or impersonate a DNS server itself so that every client querying it receives the fake addresses. Poisoning a shared recursive resolver, such as an ISP's, corrupts the answers handed to all of its clients at once and affects far more users than a single machine's cache.
Read about: Comodo Secure DNS | OpenDNS | Google Public DNS | Yandex Secure DNS | Angel DNS.
DNS Cache Spoofing
DNS spoofing is a type of attack that involves impersonating DNS server responses in order to introduce false information. In a spoofing attack, the attacker knows or guesses that a DNS client or resolver has sent a query and is waiting for a response, and sends a forged reply before the genuine one arrives. Classic DNS runs over UDP with no authentication, so the victim only checks that a reply matches the 16-bit transaction ID, the destination port and the question of the query it sent; a forged reply that matches all three is accepted. A successful spoof inserts the fake response into the resolver's cache, which is cache poisoning. The resolver has no way of verifying that the data is authentic and answers its clients from the cache with the fake information until the entry expires.
DNS cache spoofing sounds similar to DNS cache poisoning, but there is a small difference. Poisoning is the result: a cache that holds false records. Spoofing is one set of methods for getting them there, by forging responses. Other ways to poison a cache include breaking into the network's DNS server to modify the cache directly, or standing up a fake DNS server so that fake responses are sent out when it is queried. Of the many ways to poison a DNS cache, spoofing responses is the most common.
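The race described above, as an added example (not code from the original page): a toy resolver that applies the three checks a real one makes on a UDP reply, namely transaction ID, destination port and question, and that caches only names inside the bailiwick of the question. An attacker function floods it with distinct guesses. The ephemeral port range, the two-label zone rule and the flood size are assumptions made for the model, and the addresses are constructed. The block also shows why the source-port randomization recommended in the prevention section matters: with a fixed port the attacker only has to guess the 16-bit ID, with a random port the search space grows by a factor of roughly 64,000.

```python
"""Blind DNS response spoofing modelled in code (added example, not from the page)."""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536   # assumed ephemeral source-port range
PORT_SPACE = PORT_HIGH - PORT_LOW   # 64512 possible source ports
FIXED_PORT = 53                     # legacy resolvers queried from one fixed port


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    answers: tuple  # ((name, ip), ...) records the sender wants cached


def bailiwick(qname):
    """Zone a reply for qname may speak for.  Simplified to the last two
    labels (assumption); a real resolver takes this from the delegation chain."""
    return ".".join(qname.split(".")[-2:])


class Resolver:
    def __init__(self, randomize_port, seed=0):
        self.rng = random.Random(seed)  # seeded so runs are reproducible
        self.randomize_port = randomize_port
        self.cache = {}
        self.pending = None

    def send_query(self, qname):
        port = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else FIXED_PORT
        self.pending = Query(self.rng.randrange(TXID_SPACE), port, qname)
        return self.pending

    def receive(self, resp):
        """Return True if resp matched the outstanding query and was cached."""
        q = self.pending
        if q is None:
            return False  # nothing outstanding: an unsolicited reply is dropped
        if (resp.txid, resp.dst_port, resp.qname) != (q.txid, q.src_port, q.qname):
            return False  # wrong ID, port or question: dropped
        zone = bailiwick(q.qname)
        for name, ip in resp.answers:
            if name == zone or name.endswith("." + zone):
                self.cache[name] = ip  # out-of-bailiwick records are ignored
        self.pending = None  # first matching reply wins; later ones are dropped
        return True


def forged_flood(qname, fake_ip, n, rng, port_known):
    """The attacker's burst: n distinct guesses aimed at one outstanding query.
    port_known is the resolver's fixed port if it uses one, else None."""
    if port_known is not None:
        guesses = ((t, port_known) for t in rng.sample(range(TXID_SPACE), n))
    else:
        combos = rng.sample(range(TXID_SPACE * PORT_SPACE), n)
        guesses = ((c // PORT_SPACE, PORT_LOW + c % PORT_SPACE) for c in combos)
    for txid, port in guesses:
        yield Response(txid, port, qname, ((qname, fake_ip),))


def success_probability(n_forged, randomize_port):
    """Chance that a burst of n_forged distinct guesses hits the live query."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return min(n_forged, space) / space


def race(n_forged, randomize_port, trials, seed=1):
    """Fraction of trials in which the forged burst beats the genuine reply."""
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(trials):
        r = Resolver(randomize_port, seed=rng.getrandbits(32))
        q = r.send_query("www.example.com")
        port_known = None if randomize_port else FIXED_PORT
        for resp in forged_flood(q.qname, "203.0.113.66", n_forged, rng, port_known):
            if r.receive(resp):
                poisoned += 1
                break
        # the genuine reply arrives after the burst; it only lands if no forgery won
        r.receive(Response(q.txid, q.src_port, q.qname, ((q.qname, "198.51.100.10"),)))
    return poisoned / trials


if __name__ == "__main__":
    for randomized in (False, True):
        print("source port randomized:", randomized,
              "predicted:", success_probability(4096, randomized),
              "observed:", race(4096, randomized, trials=50))
```

The model deliberately leaves out the details an attacker uses to trigger many queries in a row (the Kaminsky technique of asking for random subdomains) and the network timing; it isolates the one question the checks answer, which is how many forged packets the attacker must send per query to win.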
Read: How to find out if your computer’s DNS settings have been compromised using ipconfig.
DNS Cache Poisoning – Prevention
There are not many methods available to prevent DNS cache poisoning completely. The first step is to harden your systems so that no attacker can compromise the network and manipulate the local DNS cache or the resolver's configuration directly. A firewall or network monitor that can flag a flood of DNS responses aimed at your resolver (the signature of a spoofing race) helps to detect attempts. Clearing the DNS cache frequently is also an option some of you may consider; it evicts a poisoned entry, but does nothing to stop the next one being inserted.
Other than hardening systems, admins should update their firmware and software to keep the security systems current. Operating systems should be patched with the latest updates. Clients should not be allowed to send DNS queries to arbitrary outside servers: the organization's resolver should be the only path between the internal network and DNS on the Internet, and it should sit behind a properly configured firewall that blocks outbound DNS (port 53) from other hosts.
The resolver's trust relationships should be narrowed so that it does not accept DNS answers from just any server: configure it to forward only to specific, trusted upstream resolvers and to discard responses that do not match a query it sent. With DNSSEC validation enabled, only answers that chain back to the zone's signing keys are accepted, which is the DNS equivalent of the certificate check this recommendation is aiming for.
The TTL of each entry in the DNS cache should be kept short (a resolver can cap the TTL it honors) so that DNS records are refreshed more frequently. This may mean slightly longer connection times at times, but it limits how long a poisoned entry survives. Note the trade-off: a shorter TTL also means more outbound queries, and each query is another chance for an attacker to win the spoofing race, so TTL caps shrink the damage window rather than prevent poisoning.
DNS cache locking should be configured to 90% or greater on your Windows Server DNS. Cache locking controls whether a cached record can be overwritten before its TTL has elapsed: at 100%, a cached record cannot be replaced until it expires, which blocks the trick of overwriting a valid cached entry with a forged one. The setting is exposed as `Set-DnsServerCache -LockingPercent` in the DnsServer PowerShell module. See TechNet for more on this.
Use the DNS socket pool, which makes the DNS server send each outgoing query from one of a pool of randomly chosen source ports instead of a single fixed port (the pool size is set with `dnscmd /Config /SocketPoolSize`; the default is 2,500 ports). An attacker forging a response then has to guess both the 16-bit transaction ID and the source port, which raises the cost of a blind spoofing attack by several orders of magnitude; TechNet says this provides enhanced security against cache poisoning attacks.
Domain Name System Security Extensions (DNSSEC) is a set of extensions to the DNS protocol, supported by Windows Server, that add origin authentication and integrity to DNS data: zones are signed, and a validating resolver rejects answers whose signatures do not verify, which defeats spoofed responses outright. You can read more about this here.
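The TTL expiry from the prevention list above and the cache-locking rule, as an added example (not code from the original page, and not Windows Server's implementation): a small resolver cache that drops entries when their TTL runs out and, with a locking percentage set, refuses to overwrite a live entry until that fraction of its TTL has elapsed. The clock is a plain number of seconds supplied by the caller so the scenario is reproducible; the names, addresses and TTLs are constructed for the example.

```python
"""Resolver cache with TTL expiry and cache locking (added example, not from the page)."""
from dataclasses import dataclass


@dataclass
class Entry:
    ip: str
    inserted: float  # when the record was cached (seconds)
    ttl: int         # time to live the answering server attached (seconds)

    def expires_at(self):
        return self.inserted + self.ttl


class LockingCache:
    def __init__(self, locking_percent=100):
        if not 0 <= locking_percent <= 100:
            raise ValueError("locking_percent must be 0..100")
        self.locking_percent = locking_percent
        self.entries = {}

    def lookup(self, name, now):
        """IP cached for name, or None if absent or expired (forcing a fresh query)."""
        e = self.entries.get(name)
        if e is None:
            return None
        if now >= e.expires_at():
            del self.entries[name]
            return None
        return e.ip

    def locked_until(self, e):
        """Point in the entry's lifetime after which overwriting is permitted."""
        return e.inserted + e.ttl * self.locking_percent / 100

    def store(self, name, ip, ttl, now):
        """Cache a record; return False if a live entry for name is still locked."""
        e = self.entries.get(name)
        if e is not None and now < e.expires_at() and now < self.locked_until(e):
            return False  # live, locked entry: a forged 'update' cannot displace it
        self.entries[name] = Entry(ip, now, ttl)
        return True

    def flush(self):
        """What 'clear the DNS cache' does: drop everything, poisoned or not."""
        self.entries.clear()


def poison_attempt(locking_percent, attempt_at):
    """A genuine record is cached at t=0 with a one-hour TTL; a forged record for
    the same name, carrying a long TTL, tries to overwrite it at t=attempt_at.
    Returns (whether the forgery was written, what a lookup one second later sees)."""
    cache = LockingCache(locking_percent)
    cache.store("www.example.com", "198.51.100.10", ttl=3600, now=0)
    written = cache.store("www.example.com", "203.0.113.66", ttl=86400, now=attempt_at)
    return written, cache.lookup("www.example.com", now=attempt_at + 1)


if __name__ == "__main__":
    for percent, at in ((0, 600), (100, 600), (90, 3000), (90, 3300)):
        print(f"locking {percent:>3}% attempt at t={at:<5}", poison_attempt(percent, at))
```

With locking at 0% the forged record lands immediately and, because the attacker chose a long TTL, it stays; at 100% nothing can displace the genuine record until it expires. Locking only protects names that are already cached, which is why it complements rather than replaces source-port randomization and DNSSEC.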
There are two tools that may interest you: F-Secure Router Checker will check for DNS hijacking, and WhiteHat Security Tool monitors DNS hijackings.
Now read: What is DNS Hijacking?
Observation and comments are welcome.