>> A second common attack on DNS today involves poisoning and spoofing. If I'm at RIT, and I type www.edx.org into my browser URL bar, my browser will generate a DNS query for the RIT DNS server, to get the IP address of the website. The RIT DNS server will do the heavy lifting by asking one of the 13 root name servers, then it will ask an authoritative DNS server for the dot org top-level domain, and finally it will ask the authoritative DNS server for edx.org. If I'm at home, and I type www.edx.org into my browser, that will cause my ISP's DNS server to go down the chain and get the answer for me. If I'm using a public DNS server, like Google's 8.8.8.8 or 8.8.4.4, again, those servers would do the heavy lifting.

Once the answer comes to either the RIT DNS server, my ISP's DNS server, or Google's public DNS servers, those servers cache the answers, so they don't have to do the heavy lifting for subsequent queries. The field TTL, Time To Live, in the DNS portion of the UDP datagram, specifies how long records should be cached. This is not to be confused with the TTL in the IP header, which isn't even a measurement of time, but rather a hop count. The DNS TTL is set by the system administrator of the authoritative DNS server that gave the answer.

DNS cache poisoning, also known as DNS spoofing, is when an attacker sends unsolicited DNS answers to caching DNS servers. For example, if the cache on the RIT DNS server was changed to associate www.edx.org with a different IP address than the legitimate one, any downstream RIT client would be given that incorrect IP address upon request, and would be led to a site under control of an attacker. This site could be a phishing site, or contain an exploit kit. If that happened to an ISP cache, all ISP customers would be affected. If that happened to a root name server or a TLD authoritative DNS server, oh my, all ISPs and customers downwards would be affected. The false DNS records will even make their way to DNS caches on user machines. Furthermore, hackers could change the TTLs to really high values to keep those false entries in cache for a long time.

China's Great Firewall blocks at the DNS level. For example, a website blocked in China, like www.twitter.com, will have an incorrect IP address associated with it on the Chinese DNS servers. It's an intentional, self-inflicted DNS cache poisoning attack. In 2010, a non-Chinese ISP configured its DNS servers incorrectly to fetch information from DNS servers in China, and cached the results locally. Other ISPs got their DNS information from that ISP, and used it on their DNS servers. The poisoned DNS entries spread quickly, and people in the United States of America were blocked from accessing sites that included Twitter, Facebook, and YouTube.

The best way to mitigate this type of attack is to make sure that the DNS responses are actually coming from the authoritative DNS servers. This is done through DNSSEC, which we'll explore in the next video.
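The following is an added example, not part of the lecture transcript above. It models the two things the speaker describes: a DNS answer carries its own TTL field (separate from the IP header hop count), and a caching resolver that accepts an unsolicited answer will serve the attacker's address for as long as the attacker's TTL says. The code builds a minimal raw DNS response, parses the TTL and A record back out, and runs a toy cache two ways: naively (any answer is cached) and with the baseline check every modern resolver performs before caching (the answer must match an outstanding query's transaction ID and question name, per RFC 5452). That check is an assumption of this example and is not the mitigation the lecture names; DNSSEC is. The IP addresses, transaction IDs, and TTL values are constructed test data.

```python
import struct

WEEK = 7 * 24 * 3600
LEGIT_IP = "203.0.113.10"      # constructed (TEST-NET-3)
ATTACKER_IP = "198.51.100.66"  # constructed (TEST-NET-2)


def _encode_name(name):
    """Encode a dotted name as DNS labels: \\x03www\\x03edx\\x03org\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(txid, name, ip, ttl, flags=0x8180):
    """Build a raw DNS response with one question and one A answer (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Answer NAME is a compression pointer (0xC00C) to the question name at offset 12.
    # RR layout: NAME, TYPE, CLASS, TTL (32-bit seconds), RDLENGTH, RDATA.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def _read_name(data, off):
    """Read a possibly-compressed name; return (name, offset just past it in the stream)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns_response(data):
    """Parse header, question, and answer RRs; the TTL here is the DNS TTL, not the IP hop count."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = _read_name(data, 12)
    off += 4  # skip QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        rname, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        ip = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else None
        answers.append({"name": rname, "type": rtype, "ttl": ttl, "ip": ip})
    return {"txid": txid, "qname": qname, "answers": answers}


class CachingResolver:
    """Toy cache: first answer for a name wins until its TTL expires (models the poisoning race)."""

    def __init__(self, check_outstanding):
        self.check_outstanding = check_outstanding  # False = naive cache that trusts any answer
        self.outstanding = {}  # txid -> qname for queries we actually sent
        self.cache = {}        # name -> (ip, expires_at)

    def send_query(self, txid, name):
        self.outstanding[txid] = name

    def receive(self, data, now):
        """Return True if the answer was accepted as a reply to one of our queries."""
        resp = parse_dns_response(data)
        if self.check_outstanding:
            # RFC 5452 baseline: txid and question must match a query we are waiting on.
            if self.outstanding.get(resp["txid"]) != resp["qname"]:
                return False
            del self.outstanding[resp["txid"]]
        for rr in resp["answers"]:
            if rr["ip"] and rr["name"] == resp["qname"] and self.lookup(rr["name"], now) is None:
                self.cache[rr["name"]] = (rr["ip"], now + rr["ttl"])
        return True

    def lookup(self, name, now):
        entry = self.cache.get(name)
        if entry is None or entry[1] <= now:
            self.cache.pop(name, None)
            return None
        return entry[0]


def demo(check_outstanding):
    """Attacker's unsolicited week-long answer races the 300-second legitimate one."""
    resolver = CachingResolver(check_outstanding)
    resolver.send_query(0x1234, "www.edx.org")
    forged = build_dns_response(0x9999, "www.edx.org", ATTACKER_IP, WEEK)  # txid never used by us
    accepted = resolver.receive(forged, now=0)
    resolver.receive(build_dns_response(0x1234, "www.edx.org", LEGIT_IP, 300), now=0)
    return accepted, resolver.lookup("www.edx.org", 1), resolver.lookup("www.edx.org", 3600)


if __name__ == "__main__":
    print("naive resolver:   ", demo(check_outstanding=False))
    print("checking resolver:", demo(check_outstanding=True))
```

With the naive cache the forged answer is accepted, wins the race, and is still served an hour later because the attacker chose a week-long TTL; with the outstanding-query check the forgery is dropped, the legitimate record is cached, and it ages out after its 300 seconds. The check only narrows the attacker's guessing space; it does not prove the answer came from the authoritative server, which is the point of DNSSEC.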
Reposted from: https://www.cnblogs.com/sec875/articles/10028803.html