What is DNS cache?

The DNS cache (also known as DNS resolver cache) is a temporary DNS storage on a device (your computer, smartphone, server, etc.) that contains DNS records of already visited domain names (A records for IPv4 addresses, AAAA records for IPv6, etc.). It keeps those records, depending on their time-to-live (TTL). 

Each time you visit a website, its addresses will be saved inside this temporary database of records to facilitate a later revisit. 

Basically, the DNS cache is how your device is trying to save effort and time and skip a long DNS lookup by answering a DNS query with a DNS record that is already inside the temporary DNS cache. 

Why do we need a DNS cache?

We need DNS cache to get a faster response for DNS query for domain names that we have already visited recently in the past. 

Both the device that the user is using (his or her computer) and the multiple DNS resolvers that the request reaches, have DNS cache and they can resolve the domain if it is still in their cache memory. If not, the DNS query will need to follow the long way to the root server who will direct to the TLD servers and then they will direct to the authoritative name server for the domain name to finally get the answer.

What is TLD?

How does it work? 

Each time a user performs a DNS lookup, its device will first check inside the internal DNS cache that is part of the OS. There is a table of DNS records inside the DNS cache, their values, and the time they could be kept (TTL). The TTL value is set by the DNS administrator of each domain name, and it is the time limit that each DNS record has. After the time runs out, a new query is required. 

If the DNS query can be resolved from the DNS cache, the user will get their answer, and they can visit the site they desired. 

If not, the query will travel to a recursive DNS server. There are many DNS recursive servers out there. Like for example, there are inside your Internet Service Provider. They also have a cache that works in the same way. If the answer can be found there, the user will get it and resolve the domain. 

If not, the query will travel to an authoritative nameserver to get the answer. 

When it gets the answer, the DNS record or records will be saved in each of the DNS caches of the recursive DNS servers on the way and inside the user’s device, too, for the period that the TTL value indicates. 

Next time a new query starts for the same domain name, your device will repeat the process. If not so much time has passed, there is a high chance that the DNS record your device needs is still inside this temporary memory, and the query gets answered instantly. 

Types of DNS Caches

DNS caches operate at multiple levels in the network to speed up domain name resolution and improve performance. The main types include:

Browser DNS Cache: Web browsers like Chrome and Firefox maintain their own DNS caches to speed up browsing. This allows them to bypass the operating system’s cache and external DNS servers for previously visited sites. Browser caches can be cleared manually or typically reset when the browser is closed.

Operating System DNS Cache: The OS on your device caches DNS records for faster access during subsequent queries. If a record is found in the OS cache, it’s used immediately; if not, the query is forwarded to an external DNS resolver. This cache is more persistent than the browser’s and can be flushed using command-line tools.

ISP DNS Cache: ISPs maintain their own DNS caches to serve multiple users. When you query a domain, the ISP’s resolver checks its cache first. If the record is available, it’s returned quickly; otherwise, the resolver retrieves it from an authoritative DNS server.

Recursive DNS Server Cache: Recursive DNS servers, whether from ISPs or third-party services, cache records they retrieve from authoritative DNS servers. These cached records are used to answer subsequent queries, reducing the need to access the authoritative servers frequently and speeding up resolution.

How do I check my DNS cache?

You can see the DNS cache of your device with a very easy command on Windows, a bit harder on macOS and Linux.

Windows

1. Open the Command Prompt application by pressing windows+R.
2. Write cmd and press Ok.
3. Inside it, write the following command “ipconfig /displaydns”, and you will see all the DNS records of the sites you have visited. 

macOS

1. You will need to open the Console application.
2. There you will enter the following “any:mdnsresponder”.
3. Now go and open the Terminal application and enter the following command “sudo killall -INFO mDNSResponder”. You will be asked for your password. After that, you will need to get back to the Console application, and you will see the list of DNS records. 

Linux

There was no OS-level DNS caching, so it is a bit harder to display it. Depending on the software you are using, you might find a way to see it. For example, if you are using NSCD (Name Service Caching Daemon), you can see the ASCII strings from the binary cache file. It is located in /var/cache/nscd/hosts, so you can run “strings /var/cache/nscd/hosts” to display it.

If you are using Ubuntu 20.10, Fedora 33, or later, Systemd is responsible for the DNS. 

1. First, open the Terminal and write this command “sudo killall -USR1 systemd-resoved”.
2. Then run another command to export the log message to a basic .txt file with this command “sudo journalctl -u systemd-resolved > ~/dns-cache.txt”. 
3. Wait until the file is created and then open it with “less ~/dns-cache.txt.

Flush (clear) DNS cache

You can flush the DNS cache and that way to delete all of the DNS records from the local cache in your OS or web browser. Both can have different caches, so you will need to delete them both. 

Deleting the DNS cache might resolve problems with the domain resolution of a site or any other problem related to the outdated DNS records still in your cache. 

Cleaning it will also hide the list of the visited sites on a DNS level. That way, you can hide sites that you don’t want to show you visited. 

It can also be useful if you have any suspicion of DNS poisoning. In case somebody manipulated a DNS record in your DNS cache, deleting it will eliminate the potentially dangerous records. 

The negative part of clearing the DNS cache is that you will need to obtain the IP addresses of all websites that you need again. No site you recently visited will be saved after the DNS flush, and the first DNS resolution for each site will take longer. 

Let’s explore how to flush the DNS on different OSes and browsers. Remember, you will need to clean it both on OS level and browser level. 

Windows 

The process of flushing the DNS in Windows is straightforward. 

1. Open the Command Prompt application and type the following command: “ipconfig /flushdns”.
2. Upon successful clearance, you will see a confirmation message: “Windows IP Configuration. Successfully flushed the DNS Resolver Cache “. 

macOS 

1. On macOS, to delete the DNS cache, you will need first to open the Terminal application. 
2. Then you will need to enter this command “sudo killall -HUP mDNSResponder”, press Enter and write your password. You will also need to clear the DNS cache of the browser you are using. Check Safari if it is your choice. 

Linux 

There is no DNS caching by default on all of the Linux distros. 

If you are on the latest Ubuntu 20.04 LTS or later, you can open the Terminal application and execute the following command “sudo systemd-resolve –flush-caches”. You will need sudo privileges to do it. 

NCSD. If you are using NCSD, you will need to perform this command inside the Terminal “sudo /etc/init.d/nscd restart”. You will need to confirm your password for the command. 

DNSMASQ. The command for dnsmasq DNS cache is “sudo /etc/init.d/dnsmasq restart”, followed by password typing. It will restart the service. 

BIND. In the case of BIND, you will need a few commands: “sudo /etc/init.d/named restart”, then “sudo rndc restart”, and finally “rndc exec”. With that, you have to finish the DNS flushing. 

Google Chrome 

You need to put the following in the address bar “chrome://net-internals/#dns”. Then click on Clear host cache. IF you are using Edge, change chrome to edge from the previous text, and if you are using Opera change it to opera. 

Firefox 

1. Find the icon with 3 lines located on the top right corner and open Firefox’s menu.
2. Then search for Options (preferences). 
3. Inside it, you will see Privacy & Security. Click on it.
4. Go to History and click on Clear History by selecting Everything.
5. Finally, Clear Now. 

Safari 

1. First, Open the Safari browser.
2. There navigate to Preferences > Advanced. 
3. Click on “Show develop menu in menu bar”. 
4. Then go to the menu bar, Develop > Empty Caches. The shortcut is ⌥⌘E. You will need to restart the browser in the end. 

What are the reasons to flush DNS? 

There are various circumstances where flushing your DNS cache might be necessary, primarily related to security issues, technical glitches, or safeguarding personal data. Here are some of the main reasons.

1. You want to protect against DNS spoofing

DNS spoofing (DNS cache poisoning), is a type of attack where cybercriminals manipulate the information in your DNS cache to reroute you to incorrect websites. In some instances, they may lead you to a fake site that looks like the site you intended to visit, hoping you’d unknowingly provide sensitive data like your online banking credentials.

2. You receive a 404 error not found

Suppose you’ve stored the DNS data of a website, which later changes its domain or host. If so, it’s possible your locally stored DNS data may not get refreshed instantly, causing you to receive HTTP status code for Error 404: Not Found or see outdated versions of the site. While your DNS cache will ultimately be updated, you can expedite the process by clearing your DNS cache at your convenience. 

Suggested article: What are HTTP status codes 301 and 302 Redirects?

3. You see outdated information

Changes to DNS records might take 24 to 48 hours to spread across all global servers. This process is known as DNS propagation. Due to this, cached information may become old and lead to problems with websites or apps. Websites may not display correctly or may show old images and text. Cleaning your browser’s cache can help, but it’s not always a complete fix. 

4. You wish to maintain the privacy of your browsing activity

Most people associate internet user tracking with cookies. However, your DNS cache, which functions like a digital directory, storing data of your frequently visited websites, can also expose your online behavior. Regularly flushing your DNS cache is a proactive measure to prevent your browsing history from being accessible to data gatherers or potential online threats.

DNS spoofing (DNS cache poisoning)

As we explained, DNS spoofing is a malicious attack that aims to edit or replace DNS records inside the DNS cache of the targeted device (server or personal computer). The new or modified DNS records have changed data like the IP address, and they will resolve the domains to the new IP addresses. That way, the attackers can direct the traffic to a fake site, where they can steal the users’ personal data. Everything happens in the background, so if the fake site where the user is redirected really looks like the original, it is easy to cheat the user and get the result. 

The DNS spoofing can happen with a spam message that has an executable code that can perform the injection. 

Another way is the man-in-the-middle attack, where the bad actor is in the middle between the user and a DNS resolver. It passes modified information, pretending to be sending normal packets of data. The user gets DNS records from the attacker. 

A user can evade such an attack by using a VPN for encrypted communication, not clicking on suspicious messages, and opening infected attachments.

 Conclusion 

The DNS cache is a useful method of saving resources, both on your local system and on multiple servers. It is a fast method of DNS resolution that saves time for everybody. Yes, it is a target for DNS poisoning attacks, but there are various methods to protect the DNS cache. 

The post DNS cache explained  appeared first on ClouDNS Blog.

DNS spoofing a.k.a. DNS poisoning is so popular that you can find plenty of DNS spoofing tutorials using Kali distribution of Linux, but we are on the good side, and we won’t show you that. We will explain to you why there is such a threat and how you can protect yourself.

DNS Spoofing – Definition

In 2008, security researcher Dan Kaminsky unveiled a severe flaw in the DNS protocol that left many Internet domains susceptible to poisoning attacks. This disclosure shook the internet community, prompting immediate action and leading to widespread deployment of security patches. Recognizing past vulnerabilities allows us to be vigilant and learn from historical mistakes.

DNS Spoofing appears when the IP address (IPv4 or IPv6) of a domain name is masked and falsified. The information is replaced with a faked one, from a host that has no authority to give it. It occurs and disturbs the normal process of DNS resolution. As a result, the user’s device is connecting with a bogus IP address, and all of the traffic is directed to a malicious website. Additionally, the victim is not able to notice the forgery because the DNS resolution is a process that happens behind the scenes. 

The fake DNS data (DNS records) takes place in the Recursive DNS server cache, which results in the name server answering with a false IP address. Such attacks take advantage of vulnerabilities in name servers and shift the traffic towards fake web pages. Those fake websites are visually very similar to the real ones, and people don’t even understand the difference. In this process, personal data can be stolen.

As we mention above, the Recursive DNS server has an essential role in the DNS resolution process. Let’s explain a little bit more about it. Here are two functions that you should be familiar with:

DNS caching

To save time and better divide the load, in the DNS there are recursive DNS servers. They have a cache, local saved information about the domains that temporarily stays in them.

Forwarding

Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can forward some or all of the queries that are not satisfied from its cache to another caching name server, commonly referred to as a forwarder.

Methods of DNS Spoofing

There are various different methods of DNS Spoofing. Here are some of the most popular ones:

Spoofing the DNS responses

This method is a form of a Man-in-the-Middle (MITM) attack. In this one, the attacker is guessing the manner in which the DNS generates its query ID and sends a fake response with the IP address he/she wants.

In the majority of cases, the cybercriminal pretends to be the victim’s DNS server and sends malicious responses. The chance for initiating such a type of attack is based on the fact that DNS traffic operates with the User Datagram Protocol (UDP). That way, it is not possible for the victim to confirm the authenticity of the DNS response. 

DNS cache poisoning

DNS cache poisoning or also known just “cache poisoning,” is another cyber attack that cybercriminals commonly initiate. It involves placing a bogus IP address in the cache memory of the devices of the users. That way, the target victim device is going to lead the user to that bogus IP address automatically. It includes sending to the DNS servers wrong mapping information with high TTL. The information is saved for a long time so the server can give the fake answer for a long time.

Learn everything about the DNS Cache!

Moreover, each further DNS request to the DNS servers with this cached, malicious information is going to direct to the bogus IP address. Such a threat is going to remain until the entry is pulled from the DNS cache. However, there is a security mechanism called DNSSEC which can be implemented to improve the protection of your DNS.

DNS Hijacking

DNS Hijacking is one of the most complex DNS attacks out there. The cybercriminal hijacks a legitimate DNS server and takes control of it. Then, he or she makes some modifications to the DNS information (DNS records). That way, the fake DNS data pushes every user who reaches that website’s IP address to get sent to the falsified website. That is why encryption is especially important for the overall protection of your information.

Example of DNS Spoofing

Most commonly, attackers utilize premade tools to complete a DNS Spoofing attack. Typically, it is performed in any location with connected devices, yet the main targets are locations with free public Wi-Fi. They are usually poorly secured and misconfigured. That gives the cybercriminal a great opportunity to complete the malicious attempt. Therefore, it is best if you consider using only secure Wi-Fi networks.

Here is an example of DNS Spoofing and the basic steps that the cybercriminal completes:

1. The attacker uses arpspoof to trick the target device of the user and point it to the attacker’s machine. So, when the user writes the domain name into the browser, it is going to be misguided. As a result, the cache of the user device is poisoned with forged data.
2. The attacker creates a DNS server on a device under his or her control. That way, the attack proceeds by rewriting the DNS records for the target domains.
3. The cybercriminal established a website that imitates a legitimate one on a local malicious device. Despite the fact it looks and feels legit, such a website is created for phishing purposes.
4. When the victim tries to establish a connection and open such a website, it receives the IP address provided by the attacker’s DNS server. As a result, the victim opens the phishing website instead of the legitimate one.
5. Lastly, the threat actors steal information from their victims on the network by tricking them. Commonly, that is performed by them entering their sensitive information into the fake website pages.

Suggested article: Linux Host command, troubleshot your DNS

The Impact of DNS Spoofing: Consequences and Risks

• Misdirection to malicious websites: Users are directed to fraudulent sites designed to steal sensitive information, often indistinguishable from genuine ones.
• Data theft and privacy breaches: Attackers can capture personal details and login credentials, leading to identity theft and potential financial repercussions.
• Spread of malware: Victims are at risk of malware infections when they’re redirected to malicious sites, compromising their devices.
• Phishing attacks: By mimicking genuine domains, attackers craft convincing phishing attempts, duping victims into sharing confidential data.
• Loss of trust and reputation damage: For businesses, a DNS spoofing incident can result in significant reputational harm and a decline in customer trust.
• Financial consequences: Both individuals and businesses might face direct financial losses, coupled with the costs of damage control and cybersecurity enhancements post-incident.

Common Vulnerabilities that Lead to DNS Spoofing Attacks

DNS spoofing attacks often exploit various vulnerabilities within the DNS infrastructure. One primary weakness is unsecured DNS servers, which become easy targets for attackers when left with default settings. The absence of DNSSEC (Domain Name System Security Extensions) is another critical vulnerability. Without it, DNS responses cannot be verified for authenticity, leaving them open to manipulation.

Weak or misconfigured DNS cache settings also pose significant risks, as they can be poisoned with malicious records, redirecting users to fraudulent websites. Insecure network configurations, especially on public Wi-Fi, further expose systems to man-in-the-middle attacks. Outdated software on DNS servers and related devices makes it easier for attackers to exploit known vulnerabilities.

The lack of monitoring allows spoofing attacks to go unnoticed, causing prolonged damage. Poorly configured firewalls, access controls, and insecure DNS forwarding also contribute to the risk. Finally, human errors and social engineering tactics often play a role in successful DNS spoofing attacks.

Addressing these vulnerabilities through regular updates, security audits, and robust configurations is essential to prevent DNS spoofing and secure DNS operations.

How to protect from DNS spoofing?

There are few different things that you can do to protect from those attacks:

• DNS over HTTPS (DoH) and DNS over TLS (DoT): These protocols encrypt your DNS requests, ensuring that attackers can’t view or modify them.
  Understanding DoT and DoH
• Use DNSSEC – Domain Name System Security Extensions checks the data authenticity with digitally signed DNS records.
• Internal DNS Servers: Establishing a secure internal DNS server setup can add an extra layer of protection. Ensure regular security audits to keep it foolproof.
• Implement DNS filtering. It will block malicious IPs or domains from connecting to your system.
• Use IPSec – IPSec uses encryption to secure communication over IP networks, enhancing data flow between hosts and networks.
• Detection mechanisms. You can use monitoring software to detect it. Using such a program, you can be sure that it will alert you if it detects some suspicious traffic which can be DNS spoofing.
• Always use a secure connection. Use encryption via SSL or TLS to verify the certificate of the website you want to visit.
  What is an SSL certificate?
• Employee Training: Periodic training sessions can help employees recognize and report potential cyber threats, reducing the chance of a successful attack.

Conclusion

We should be cautious where we go on the internet and what emails we are opening. Even the slightest difference, like the missing of the SSL certificate, should immediately trigger us to double check the website we want to visit.

The post DNS Spoofing (DNS poisoning) appeared first on ClouDNS Blog.

How to check the TTL using Windows OS?

You will need to open the Command Prompt as an administrator. From there, you need to use the nslookup. Write this on the command line “nslookup -type=soa www.cloudns.net”. You will get an answer from the authoritative server with the TTL.

You can change the type of the record and look it up for A, AAAA, MX or another type.

How to check the TTL using Linux OS and Mac OS?

You will need to use the dig command.

“dig a cloudns.net” This will give you a long answer. If you want just the TTL, you can try dig +nocmd +noall +answer +ttlid a www.cloudns.net

You can check the different DNS records by changing the text on the last before the domain. For example for AAAA records it will be: dig +nocmd +noall +answer +ttlid aaaa www.cloudns.net and for the MX it will be: dig +nocmd +noall +answer +ttlid mx www.cloudns.net

The previous answers are provided by the recursive servers. If you want to ask directly an authoritative nameserver you should add “+trace” after the “dig” and it will look like this: dig +trace +nocmd +noall +answer +ttlid aaaa www.cloudns.netTTL for different DNS records

• If you want to setup different TTL for every single record you can use our Anycast DNS network!

Easy way to check the SOA TTL value

Now, let’s see how to check the SOA TTL value, which is important for understanding the duration DNS records are cached and how quickly changes are propagated across the internet. For this purpose, we will use the ClouDNS Free DNS tool, a straightforward and effective solution for DNS management and analysis.

1. Access ClouDNS Free DNS Tool
Navigate to the ClouDNS website and locate their Free DNS Tool. This tool is specifically designed for conducting DNS audits and other DNS-related inquiries.

2. Enter the domain name
In the Free DNS Tool interface, you’ll find a field to input the domain name you wish to investigate. This is where you type in the full domain (for example, “cloudns.net”). It’s crucial to ensure the domain name is entered correctly to get accurate results.

3. Choose DNS audit and Select DNS resolver
Once the domain is entered, you need to specify the type of inquiry you’re making. Select “DNS audit” from the available options. Then, choose a DNS resolver. Typically, you might have options like Cloudflare, Google, etc. The choice of DNS resolver can influence the results, as different resolvers might have different cached data.

4. Review the results
After initiating the audit, the tool will process your request and display the results. In these results, look for the SOA (Start of Authority) record section. This part of the report will include information about the primary nameserver, the responsible party for the domain, and various timers related to the domain’s DNS records.

Most importantly, locate the “Default TTL” value within the SOA record section. This number, typically shown in seconds, is the SOA TTL value for the domain. It indicates the duration for which DNS records are cached by resolvers.

Shorter or longer TTL?

Many clients prefer to set the TTL to a long period like 2 days (172 800 seconds). This will reduce the load on the DNS servers, because the queries need to be done less frequently. This can be good if you have a very limited DNS plan, but your clients won’t be happy about it. Make your clients’ experience better, with lower TTL and frequently updated records.  Shorter TTL is useful if you have a very dynamic environment.

A and AAAA records. You can set it as low as 60 seconds if you really need your clients to get the latest update, but we recommend to have it around 1-2 hours to reduce the load on the servers. You can put it as long as 12 hours or a whole day.

SOA record. Unlike other DNS records, SOA controls the speed of DNS updates. A longer TTL (e.g., 48 hours) delays updates but reduces server load. A shorter TTL (e.g., 2 hours) speeds up updates but increases server queries. Choose based on your update frequency and server capacity.

CNAME record. If you need to deliver a lot of content to different parts, you can lower the TTL but in normal conditions you can leave it to 12 hours

MX record. System that have a static IP (it doesn’t change) can put 1800 seconds or more, but the rest with dynamic IP must keep the TTL low.

TXT record. This one you don’t change a lot, so you can set it up to 12hours.

You can experiment with the TTL to see which suits you best. Remember the lower it is, the more often the recursive servers will update the information which is good for your clients. But this will signify a bigger load on your servers and more queries. You should see the results and think if you want to move to a lower or to a higher DNS plan.

30-day Free Trial for Premium Anycast DNS hosting

The post TTL and how to check TTL appeared first on ClouDNS Blog.