DNS Cache Poisoning
DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" attack use brute force, flooding the server with DNS queries and spoofed responses at the same time, hoping that one of the responses matches an outstanding query and poisons the cache.
The following table lists auto rules that Infoblox External DNS Security uses to mitigate DNS cache poisoning on your advanced appliance. For information about the parameters, see Overview of Packet Flow.
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
---|---|---|---|---|---|---|
100000100 | Auto | EARLY PASS UDP response traffic | This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Always enabled | Packets per second (default = 30000); Drop interval (default = 10 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota. |
100000101 | Auto | EARLY PASS UDP response traffic no Question count | This rule passes UDP DNS response packets with Question count = 0 (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Always enabled | Packets per second (default = 30000); Drop interval (default = 10 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota. |
100000200 | Auto | EARLY PASS TCP response traffic | This rule passes TCP DNS responses initiated by the appliance. | Always enabled | Packets per second (default = 100) | Consider raising the Packets per second value if DNSSEC is enabled. |
100000300 | Auto | EARLY PASS ACK packets from NIOS initiated connections | This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Always enabled | Packets per second (default = 600); Drop interval (default = 10 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | Consider raising the Packets per second value if DNSSEC is enabled. |
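To make the pass-then-block behaviour of the EARLY PASS rules concrete, here is an added Python model of a per-source-IP rate limiter with a drop interval, run over constructed traffic; it is an illustration written for this page, not Infoblox's implementation. It assumes a one-second counting window, that the drop interval starts at the first packet over the limit, and it does not model the Events per second (logging) parameter.

```python
from collections import defaultdict


class EarlyPassRateLimiter:
    """Per-source-IP limiter modelled on the EARLY PASS auto rules.

    Assumed semantics (an illustration, not the appliance's code): a source
    may send up to `packets_per_second` packets in any one-second window;
    the first packet beyond that blocks the source for `drop_interval`
    seconds, counted from that offending packet.
    """

    def __init__(self, packets_per_second, drop_interval):
        self.packets_per_second = packets_per_second
        self.drop_interval = drop_interval
        self.window_start = {}   # src_ip -> start time of its current window
        self.count = {}          # src_ip -> packets seen in that window
        self.blocked_until = {}  # src_ip -> time at which blocking ends

    def decide(self, src_ip, ts):
        """Return "PASS" or "DROP" for one packet seen at time `ts`."""
        until = self.blocked_until.get(src_ip)
        if until is not None:
            if ts < until:
                return "DROP"            # still inside the drop interval
            del self.blocked_until[src_ip]
        start = self.window_start.get(src_ip)
        if start is None or ts - start >= 1.0:
            self.window_start[src_ip] = ts   # roll to a fresh 1-second window
            self.count[src_ip] = 0
        self.count[src_ip] += 1
        if self.count[src_ip] > self.packets_per_second:
            self.blocked_until[src_ip] = ts + self.drop_interval
            return "DROP"
        return "PASS"


def simulate(packets, packets_per_second, drop_interval):
    """Run (timestamp, src_ip) packets through the limiter; tally per source."""
    limiter = EarlyPassRateLimiter(packets_per_second, drop_interval)
    tally = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for ts, ip in sorted(packets):
        tally[ip][limiter.decide(ip, ts)] += 1
    return dict(tally)


# Constructed sample traffic (not captured data): a legitimate upstream
# resolver answering at 10 pps, and a source spraying responses at a
# poisoning-flood rate, which later retries at 5 s and again at 11 s.
SAMPLE_PACKETS = (
    [(i * 0.1, "192.0.2.10") for i in range(20)]        # 2 s at 10 pps
    + [(i * 0.01, "198.51.100.7") for i in range(50)]   # 50 packets in 0.5 s
    + [(5.0, "198.51.100.7"), (11.0, "198.51.100.7")]
)


def run_sample():
    # A deliberately low limit (30 pps) so the flood trips the rule quickly.
    return simulate(SAMPLE_PACKETS, packets_per_second=30, drop_interval=10)
```

Raising Packets per second lets more of the flood through before the block, which is the trade-off the Comments column is pointing at.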