Check Point Advisories

Security Best Practice: Protect Yourself against DNS Cache Poisoning

Check Point Reference: SBP-2007-08
Date Published: 16 Aug 2007
Severity: High
Last Updated: Sunday 05 April, 2009
Source: SmartDefense Research Center
Industry Reference: CVE-2009-0233, CVE-2009-0234, CVE-2008-1447, CVE-2008-0087, CVE-2007-3898, CVE-2007-2926, CVE-2004-1754
Protection Provided by:
Who is Vulnerable? DNS clients
Vulnerability Description: DNS cache poisoning occurs when false DNS records are injected into a DNS server's cache tables. Once the cache tables have been altered, a remote attacker may inspect, capture or corrupt any information exchanged between hosts on the network. By poisoning a DNS server, a remote attacker could, for example, direct users to malicious sites or prevent them from accessing web sites of their choice.
Vulnerability Details: Cache poisoning occurs when malicious or false data received from a remote Domain Name System (DNS) server is cached by another name server. The cached data can then be requested by other programs through the client interface. As a result, the mapping between host names and IP addresses may be changed, which means that any information exchanged between hosts on a network may be inspected or corrupted by attackers.

An example of a cache poisoning attack is the vulnerability detected in Symantec DNSd server, a DNS proxy that functions as a DNS server. DNSd included with Symantec Security Gateway products does not ensure that the data returned from a remote DNS server contains related information about the requested records. A remote attacker could insert a specially crafted DNS packet with false DNS records into the DNS cache tables. This will result in incorrect responses to legitimate DNS requests.
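The relatedness check that the paragraph above says DNSd lacks can be sketched as a filter applied to a response before anything is cached. This is an added example, not Check Point or Symantec code; the `RR` type, the function names and the sample records are constructed for illustration, and the resolver is assumed to know which zone the queried server answers for.

```python
from typing import NamedTuple

class RR(NamedTuple):
    name: str   # owner name
    rtype: str  # record type, e.g. "A", "CNAME"
    data: str   # address or target name

def labels(name):
    # Case-insensitive, trailing dot ignored; compared label by label, never by substring.
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(name, zone):
    """True if name is the zone itself or a subdomain of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_cacheable(qname, zone, answer, additional):
    """Split a response into (accepted, rejected) records before caching.
    zone: the zone the queried server answers for (assumed known to the resolver)."""
    accepted, rejected = [], []
    wanted = {tuple(labels(qname))}
    for rr in answer:
        # An answer must be about the name asked for, or a CNAME target of it.
        if tuple(labels(rr.name)) in wanted and in_bailiwick(rr.name, zone):
            accepted.append(rr)
            if rr.rtype == "CNAME":
                wanted.add(tuple(labels(rr.data)))
        else:
            rejected.append(rr)
    for rr in additional:
        # Extra records are cached only for names inside the zone.
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected

# Constructed sample response to a query for www.example.com (documentation addresses).
ANSWER = [RR("www.example.com.", "A", "192.0.2.10")]
ADDITIONAL = [
    RR("ns1.example.com.", "A", "192.0.2.53"),        # related, inside the zone
    RR("www.bank.example.", "A", "203.0.113.66"),     # unrelated to the request
    RR("www.evilexample.com.", "A", "203.0.113.67"),  # shares only a suffix string
]

if __name__ == "__main__":
    ok, bad = filter_cacheable("www.example.com", "example.com", ANSWER, ADDITIONAL)
    print("cache:", [r.name for r in ok])
    print("drop: ", [r.name for r in bad])
```

A CNAME whose target lies outside the zone is accepted, but the target's address record is rejected, so the resolver has to ask the target's own servers rather than trust the first response.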

Protection Overview
