DNS Cache Snooping


December, 2022

By Gavin Devetaz, Information Security Analyst

In this day and age, most employees know that they should not use their company's internet connection for non-business purposes. Most organizations require their employees to read and sign an Acceptable Use Agreement to ensure that they understand what websites can and cannot be accessed. Organizations also use firewalls and other software solutions to monitor and control what websites employees are accessing. Blocking known malicious sites is a strong preventative measure against a variety of cybersecurity incidents, such as data exfiltration or the introduction of malware to systems. Even with these filters and monitoring in place, there is another avenue that attackers can use to fool your employees. If an organization does not have its network configurations set properly, an outside attacker can snoop and discover the domains of all the websites that employees of the organization have visited. An attacker could then use this information to spoof trusted sites that your employees use every day. In this article, we will break down how this attack works, the possible consequences, and how to prevent it.

This attack targets an organization’s DNS server, which operates on port 53 using TCP and UDP. DNS servers are crucial for business functions because they allow users to look up websites without knowing their exact IP address. Chances are most employees don’t know the IP address for the websites they frequent, such as Google (8.8.8.8 by the way), so they use a DNS server to access these sites. Simply put, when an employee enters a website domain into their search bar, such as “www.website.com”, a DNS query is formed by the DNS server behind the scenes, which resolves it into its appropriate IP address. The DNS server takes these queries and caches them in a temporary storage location. By caching the data, the DNS server can operate more efficiently, because when that same website is accessed again, the DNS server does not have to make a full lookup. Instead, it refers to the cache and retrieves the IP address much more quickly, reducing bandwidth and CPU consumption. However, if a DNS server is not configured properly, this cache becomes accessible, and therefore very troublesome for an organization. When a malicious attacker leverages this information, we call it a DNS cache snooping attack.
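The caching behaviour described above, and what restricting the cache to internal clients changes, can be seen in a small model. This is an added example, not code from the original article; it is a simplified simulation rather than a real DNS server, and the class, function, domain and address values are constructed for illustration.

```python
import ipaddress

class CachingResolver:
    """Toy model of a caching DNS resolver (hypothetical, not a real server)."""

    def __init__(self, upstream, cache_clients):
        self.upstream = upstream   # name -> (ip, ttl); stands in for a full lookup
        self.cache_clients = [ipaddress.ip_network(n) for n in cache_clients]
        self.cache = {}            # name -> (ip, expires_at)
        self.full_lookups = 0

    def _allowed(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.cache_clients)

    def query(self, client_ip, name, now):
        # Clients outside the ACL are refused before the cache is consulted.
        if not self._allowed(client_ip):
            return {"rcode": "REFUSED"}
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            ip, expires_at = entry
            # Cache hit: no full lookup, and the TTL returned is what remains.
            return {"rcode": "NOERROR", "ip": ip, "ttl": expires_at - now}
        ip, ttl = self.upstream[name]
        self.full_lookups += 1
        self.cache[name] = (ip, now + ttl)
        return {"rcode": "NOERROR", "ip": ip, "ttl": ttl}

# Constructed sample data (documentation address ranges).
UPSTREAM = {"vendor-portal.example": ("192.0.2.10", 300)}
WEAK = ["0.0.0.0/0"]        # cache answers served to any client
HARDENED = ["10.0.0.0/8"]   # cache answers served to internal clients only

def demo(cache_clients):
    r = CachingResolver(UPSTREAM, cache_clients)
    r.query("10.0.0.5", "vendor-portal.example", now=0)            # employee fills cache
    second = r.query("10.0.0.6", "vendor-portal.example", now=60)  # served from cache
    outside = r.query("203.0.113.7", "vendor-portal.example", now=120)
    return r.full_lookups, second, outside

if __name__ == "__main__":
    print("weak:    ", demo(WEAK))
    print("hardened:", demo(HARDENED))
```

With the weak setting the outside client receives the cached record with a partly used TTL, which shows the name was already looked up by someone inside; with the hardened setting it receives only REFUSED.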


