Check Point Advisories

Security Best Practice: Protect Yourself against DNS Cache Poisoning

Check Point Reference: SBP-2007-08
Date Published: 16 Aug 2007
Severity: High
Last Updated: 5 Apr 2009
Source: SmartDefense Research Center
Industry Reference:CVE-2009-0233

Protection Provided by:
Who is Vulnerable? DNS clients
Vulnerability Description DNS cache poisoning occurs when false DNS records are injected into a DNS server's cache tables. Once the cache tables have been altered, a remote attacker may inspect, capture or corrupt any information exchanged between hosts on the network. By poisoning a DNS server, a remote attacker could, for example, direct users to malicious sites or prevent them from accessing web sites of their choice.
Vulnerability DetailsCache poisoning occurs when malicious or false data received from a remote domain name server (DNS) is cached by another name server. The cached data can then be requested by other programs through the client interface. As a result, the mapping between host names and IP addresses may be changed, which means that any information exchanged between hosts on a network may be inspected or corrupted by attackers.

An example of a cache poisoning attack is the vulnerability detected in Symantec DNSd server, a DNS proxy that functions as a DNS server. DNSd included with Symantec Security Gateway products does not ensure that the data returned from a remote DNS server contains related information about the requested records. A remote attacker could insert a specially crafted DNS packet with false DNS records into the DNS cache tables. This will result in incorrect responses to legitimate DNS requests.

Protection Overview

This website uses cookies to ensure you get the best experience. Got it, Thanks! MORE INFO