
Security Best Practice: Protect Yourself against DNS Cache Poisoning


Check Point Reference: SBP-2007-08
Date Published:
Severity:
Last Updated:
Source: SmartDefense Research Center
Industry Reference(s): CVE-2007-2926
CVE-2004-1754
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
InterSpect
  • NGX
Connectra
  • NGX R62
  • NGX R61
Who is Vulnerable?
DNS clients
Vulnerability Description
DNS cache poisoning occurs when false DNS records are injected into a DNS server's cache tables. Once the cache tables have been altered, a remote attacker may inspect, capture or corrupt any information exchanged between hosts on the network. By poisoning a DNS server, a remote attacker could, for example, direct users to malicious sites or prevent them from accessing web sites of their choice.
Vulnerability Details
Cache poisoning occurs when malicious or false data received from a remote domain name system (DNS) server is cached by another name server. The cached data can then be requested by other programs through the client interface. As a result, the mapping between host names and IP addresses may be changed, which means that any information exchanged between hosts on a network may be inspected or corrupted by attackers.

An example of a cache poisoning attack is the vulnerability detected in the Symantec DNSd server, a DNS proxy that functions as a DNS server. DNSd, included with Symantec Security Gateway products, does not ensure that the data returned from a remote DNS server is related to the requested records. A remote attacker could insert a specially crafted DNS packet with false DNS records into the DNS cache tables. This will result in incorrect responses to legitimate DNS requests.

Protection Overview
SmartDefense offers the following cache poisoning protections:

Scrambling
A host that initiates a DNS query assigns a Query ID number to each request. Given the ID number and source port, an attacker can send a spoofed reply that contains false information on behalf of the name server to which the request was initially sent. This enables the redirection of hosts to fake web sites that can be used to collect private user information. The protection can be applied either to all traffic or to specific servers.
By enabling this protection, SmartDefense will protect the corporate DNS server from cache poisoning by scrambling the source port and query ID number of each DNS request.

Drop Inbound Requests
An organizational name server may be subject to queries regarding zones that are not associated with the organization's domain. If this type of request is permitted, the DNS server will waste its resources on Internet queries that are not related to the organization's network.
By enabling this protection, SmartDefense will prevent unauthorized inbound queries whose content is not part of the name server's predefined zones. SmartDefense enables the creation of a list of DNS servers for which inbound requests for external domain information are rejected. Please note that in order for the protection to work properly, domains must be defined and assigned to the configured DNS servers.
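The following Python is an added illustration of the Drop Inbound Requests rule; it is not Check Point's code and does not describe how SmartDefense implements the check. It keeps a per-server list of authorized zones, parses the question name out of an inbound query, and drops any query for a name outside those zones. The server addresses and zone names are constructed sample values, and the advisory's caveat that a configured server must have domains assigned is enforced when the filter is built.

```python
import struct

HEADER = struct.Struct("!HHHHHH")   # RFC 1035 header: ID, FLAGS, QD, AN, NS, AR counts
QR_BIT = 0x8000                      # FLAGS bit that marks a message as a response
MAX_LABEL, MAX_NAME = 63, 253


def parse_qname(msg: bytes, offset: int = HEADER.size):
    """Decode the question name; returns (lower-cased dotted name, offset after it).

    Raises ValueError on truncation, oversized labels or compression pointers,
    which do not belong in a question section."""
    labels, pos = [], offset
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if length > MAX_LABEL:
            raise ValueError("label too long")
        label = msg[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())   # UnicodeDecodeError is a ValueError
        pos += length
    name = ".".join(labels)
    if len(name) > MAX_NAME:
        raise ValueError("name too long")
    return name, pos


def build_query(name: str, txid: int = 0x1234, response: bool = False) -> bytes:
    """Constructed minimal DNS message with one A/IN question for `name`."""
    flags = (QR_BIT | 0x0180) if response else 0x0100
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + wire + struct.pack("!HH", 1, 1)


def in_zone(name: str, zone: str) -> bool:
    """True when `name` is the zone apex or a name below it."""
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


class InboundQueryFilter:
    """Per-server allow-list of zones; inbound queries for other names are dropped."""

    def __init__(self, zones_by_server: dict):
        for server, zones in zones_by_server.items():
            if not zones:
                # Advisory caveat: a listed server with no domains assigned cannot be protected
                raise ValueError(f"no domains assigned to DNS server {server}")
        self.zones_by_server = zones_by_server

    def check(self, dst_server: str, raw: bytes) -> str:
        zones = self.zones_by_server.get(dst_server)
        if zones is None:
            return "pass"                       # server is not in the protection's list
        try:
            _txid, flags, qdcount, *_ = HEADER.unpack_from(raw)
            if flags & QR_BIT:
                return "pass"                   # a response, not an inbound request
            if qdcount == 0:
                raise ValueError("query without question")
            name, _ = parse_qname(raw)
        except (ValueError, struct.error):
            return "drop:malformed"
        if any(in_zone(name, zone) for zone in zones):
            return "accept"
        return "drop:unauthorized domain request"   # the condition SmartView Tracker logs


if __name__ == "__main__":
    # Constructed configuration: one protected server authoritative for two zones
    flt = InboundQueryFilter({"192.0.2.10": ["example.com", "example.net."]})
    for qname in ("www.example.com", "notexample.com", "WWW.Example.NET"):
        print(qname, "->", flt.check("192.0.2.10", build_query(qname)))
```

Matching is done on whole labels, so a query for notexample.com is not accepted by a zone named example.com, and names are lower-cased before comparison because DNS names compare case-insensitively.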

Mismatched Replies
A mismatched reply occurs when a DNS response does not match any previous request. When a large number of mismatched replies occurs over a specific period of time, it can be assumed that the network has been corrupted. To protect against this, SmartDefense employs a threshold to detect mismatched replies. When the threshold limit is reached, the incidents of mismatched replies are logged and an alert is issued.
By enabling this protection, SmartDefense employs a threshold to protect the network from cache poisoning. The threshold is reached when more than a configured number of mismatched replies occurs within a configured period of time.
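The following Python is an added example covering the Scrambling and Mismatched Replies protections above; it is not Check Point's code and does not describe how SmartDefense implements them. It models a resolver-side table of outstanding queries keyed by server, source port and query ID (random ephemeral port and ID per request when scrambling is on; a fixed port and a sequential counter when it is off, an assumed legacy pattern), flags any reply that matches no outstanding query as out-of-state, and raises an alert once the number of such replies within a sliding window reaches the configured threshold. The server address, threshold and window values are constructed.

```python
import secrets
import struct
from collections import deque

# DNS header (RFC 1035): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, big-endian 16-bit each
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000        # FLAGS bit set on responses
FIXED_PORT = 53        # assumed legacy behaviour when scrambling is off: one fixed source port


def parse_header(msg: bytes):
    """Return (transaction id, is_response) from a raw DNS message."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, *_ = HEADER.unpack_from(msg)
    return txid, bool(flags & QR_BIT)


def make_reply(txid: int) -> bytes:
    """Constructed header-only DNS response carrying the given transaction id."""
    return HEADER.pack(txid, QR_BIT | 0x0180, 0, 0, 0, 0)


class ReplyTracker:
    """Resolver-side view of outstanding queries plus a mismatched-reply threshold."""

    def __init__(self, threshold: int, window_s: float, timeout_s: float = 5.0,
                 scramble: bool = True):
        self.threshold = threshold        # mismatches within the window that trigger an alert
        self.window_s = window_s
        self.timeout_s = timeout_s        # how long a sent query stays matchable
        self.scramble = scramble
        self.outstanding = {}             # (server, src_port, txid) -> deadline
        self.mismatches = deque()         # timestamps of recent mismatched replies
        self.alerts = 0
        self._next_id = 0

    def send_query(self, server: str, now: float):
        """Register a new query; returns the (source port, transaction id) it was sent with."""
        while True:
            if self.scramble:
                # Scrambling: unpredictable ephemeral port and id for every request
                port = 49152 + secrets.randbelow(16384)
                txid = secrets.randbelow(65536)
            else:
                # No scrambling: fixed port, sequential id (assumed legacy pattern)
                port = FIXED_PORT
                self._next_id = (self._next_id + 1) % 65536
                txid = self._next_id
            key = (server, port, txid)
            if key not in self.outstanding:
                break
        self.outstanding[key] = now + self.timeout_s
        return port, txid

    def receive_reply(self, server: str, dst_port: int, raw: bytes, now: float) -> str:
        """Classify a reply from `server` that arrived on local port `dst_port`."""
        try:
            txid, is_response = parse_header(raw)
        except ValueError:
            return self._mismatch(now)
        if not is_response:
            return self._mismatch(now)            # a query where a reply was expected
        key = (server, dst_port, txid)
        deadline = self.outstanding.get(key)
        if deadline is None:
            return self._mismatch(now)            # nothing outstanding: out-of-state reply
        del self.outstanding[key]
        if now > deadline:
            return self._mismatch(now)            # matched a query that already timed out
        return "accepted"

    def _mismatch(self, now: float) -> str:
        # Drop mismatches that fell out of the sliding window, then count this one
        while self.mismatches and now - self.mismatches[0] > self.window_s:
            self.mismatches.popleft()
        self.mismatches.append(now)
        if len(self.mismatches) >= self.threshold:
            self.alerts += 1
            return "alert"
        return "mismatched"


if __name__ == "__main__":
    tracker = ReplyTracker(threshold=3, window_s=10.0)
    port, txid = tracker.send_query("192.0.2.53", now=0.0)      # constructed server address
    print(tracker.receive_reply("192.0.2.53", port, make_reply(txid), now=1.0))
    for i in range(1, 4):                                         # three replies nobody asked for
        print(tracker.receive_reply("192.0.2.53", port, make_reply((txid + i) % 65536), now=1.0 + i))
```

With scrambling off every query leaves on the same port with a predictable ID, so a forged reply only needs the ID to match; with it on, both the port and the ID must be guessed, and every reply that misses is counted toward the threshold and surfaces as an alert.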



Users are already protected against cache poisoning attacks if the DNS Cache Poisoning protection addressed in CPSA-2005-02 has been applied.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > DNS > Cache Poisoning.



2. Select the following protections:

Scrambling
Drop Inbound Requests
Mismatched Replies


3. In the configuration pane, under Settings > Mode, check Active.
4. The Scrambling and the Drop Inbound Requests protections can be applied either to all traffic or to specific servers.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When Scrambling is enabled:
Attack Name: Invalid DNS
Attack Information: Out-of-state DNS reply

When Drop Inbound Requests is enabled:
Attack Name: Invalid DNS
Attack Information: Unauthorized domain request

When Mismatched Replies is enabled:
Attack Name: Invalid DNS
Attack Information: Mismatched Replies

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > DNS > Cache Poisoning.
2. Select the following protections:

Scrambling
Drop Inbound Requests

Mismatched Replies

3. The Scrambling and the Drop Inbound Requests protections can be applied either to all traffic or to specific servers.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When Scrambling is enabled:
Attack Name: Invalid DNS
Attack Information: Out-of-state DNS reply

When Drop Inbound Requests is enabled:
Attack Name: Invalid DNS
Attack Information: Unauthorized domain request

When Mismatched Replies is enabled:
Attack Name: Invalid DNS
Attack Information: Mismatched Replies

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > DNS > Cache Poisoning.
3. Select the following protections:

Scrambling
Drop Inbound Requests
Mismatched Replies

4. The Scrambling and the Drop Inbound Requests protections can be applied either to all traffic or to specific servers.
5. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When Scrambling is enabled:
Attack Name: Invalid DNS
Attack Information: Out-of-state DNS reply

When Drop Inbound Requests is enabled:
Attack Name: Invalid DNS
Attack Information: Unauthorized domain request

When Mismatched Replies is enabled:
Attack Name: Invalid DNS
Attack Information: Mismatched Replies

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:

Scrambling
Drop Inbound Requests
Mismatched Replies


3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When Scrambling is enabled:
Attack Name: Invalid DNS
Attack Information: Out-of-state DNS reply

When Drop Inbound Requests is enabled:
Attack Name: Invalid DNS
Attack Information: Unauthorized domain request

When Mismatched Replies is enabled:
Attack Name: Invalid DNS
Attack Information: Mismatched Replies