Ketil Froyn

DNS Poisoning

UPDATE 2007-05-17: Due to migration of my site, the self poisoning test may not be working properly. I will update this page again when it is functional again.

For a description of DNS poisoning, read this. On this page I have set up a simple procedure where I will try to poison your DNS cache and take over the domain example.com (reserved by IANA for examples). To see if you can be poisoned, follow these simple steps:

  1. click on this link (it will fail with a DNS error, because that name doesn't have an address, but things will nevertheless happen in your caching DNS)
  2. click this link. If you see the page with a link to RFC 2606, you are probably safe

If you get to my "poisoned" page in the second step, someone could be stealing your bank account information just as easily as I did this. All it needs to work is one stray click...

What actually happens?

The link in step 1 points to http://bad.ketil.froyn.name/. My name server is authoritative for ketil.froyn.name, so your resolver will ask my name server what the IP for bad.ketil.froyn.name is. My response is to delegate bad.ketil.froyn.name to www.example.com, which is ok. In addition, the response includes an IP address for www.example.com, a name my server is not authoritative for. If your resolver trusts that extra record and caches it, that is not ok.

The link in step 2 points to http://www.example.com/. If you were poisoned, you will arrive at the IP address I gave for www.example.com in step 1, rather than the correct IP for www.example.com. I have configured the web server at that IP to respond to www.example.com with a specific page, which contains a warning that you are vulnerable to poisoning. If it looked exactly the same, you would probably never have known.
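The check that protects a resolver here is the "bailiwick" rule: records in a response are only cached if their owner name lies inside the zone the answering server is authoritative for. The following is an added example, not code from this page, showing that filter applied to a constructed model of the step 1 response; the record contents and the 192.0.2.10 address are made up for illustration.

```python
# Added example (not the page's code): the bailiwick filter a caching resolver
# applies to a referral like the one in step 1. Records below are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "www.example.com" (trailing dot optional)
    rtype: str  # record type, e.g. "A" or "NS"
    data: str   # rdata as text


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it."""
    owner, zone = _norm(owner), _norm(zone)
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split records sent by a server authoritative for `zone` into those a
    resolver may cache and those it must discard as out-of-bailiwick."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed model of the step 1 response from the ketil.froyn.name server:
# a delegation of bad.ketil.froyn.name plus an unsolicited A record for
# www.example.com (192.0.2.10 is a documentation address, not a real host).
POISON_RESPONSE = [
    RR("bad.ketil.froyn.name", "NS", "www.example.com"),
    RR("www.example.com", "A", "192.0.2.10"),
]


def check_poison_attempt() -> list[str]:
    """Owner names a bailiwick-checking resolver refuses to cache."""
    _, dropped = filter_response("ketil.froyn.name", POISON_RESPONSE)
    return [rr.name for rr in dropped]


if __name__ == "__main__":
    kept, dropped = filter_response("ketil.froyn.name", POISON_RESPONSE)
    print("cached :", kept)
    print("dropped:", dropped)
```

A resolver that drops the www.example.com record still has to look that name up through the .com delegation chain, so the second click lands on the real site.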

(C), Ketil Froyn, 2003