How to fix DNS pollution? A complete 5-step self-check and repair process.
Time : 2025-11-12 14:43:03
Edit : DNS.COM

  DNS pollution, commonly called DNS poisoning and closely related to DNS hijacking, is an attack in which the records a resolver returns are manipulated so that users' requests are redirected to servers the attacker controls. As internet use has grown, DNS poisoning has drawn increasing attention: whether it takes the form of website traffic hijacking, the spread of phishing websites, or degraded network performance, it poses serious security risks to internet users and businesses.

  What is DNS Poisoning?

  DNS (Domain Name System) is a system that translates domain names into IP addresses and is one of the fundamental services of the internet. Users access websites by entering domain names (e.g., www.example.com), and DNS servers translate these into actual IP addresses, guiding data transmission paths. However, by manipulating DNS resolution records, hackers can redirect user domain name resolution requests to malicious servers controlled by attackers, potentially leading to users accessing fake websites, leaking personal information, or suffering man-in-the-middle attacks.

  DNS poisoning primarily takes two forms:

  DNS Cache Poisoning: Inserting forged records into a resolver's cache so that lookups for certain domain names return attacker-chosen IP addresses until the entries expire.

  DNS Hijacking: Taking control of the DNS server itself (or of the client's resolver settings) so that users' DNS requests are answered by servers the attacker controls.

  When DNS poisoning occurs, users may encounter problems such as inability to access specific websites, slow access speeds, and data leaks. Timely detection and remediation of DNS poisoning is crucial for ensuring network security.

  The five-step self-check process for detecting and remediating DNS poisoning:

  Step 1: Confirm the existence of DNS poisoning

  To remediate DNS poisoning, you first need to confirm whether the server has suffered from DNS poisoning. The following are commonly used DNS detection methods:

  1. Use the `dig` command to perform a DNS query

  The `dig` command can directly query the results of domain name resolution. If the result does not match the expected IP address, it may be caused by DNS poisoning.

dig example.com

  Assuming example.com is a well-known website with a fixed IP address (e.g., 93.184.216.34): if the query returns a different address, or repeated queries return inconsistent addresses, DNS poisoning is a likely cause. Bear in mind that sites served from a CDN legitimately return different addresses at different times and from different locations, so the more reliable comparison is against the answer obtained from a resolver you trust rather than against a single memorised address.

  2. Using nslookup for DNS verification

  nslookup is another commonly used DNS lookup tool, similar in function to dig. Enter the following command in the command line:

nslookup example.com

  If the returned IP address does not match the domain's actual IP address, or if the resolution results change frequently, this is also a sign of DNS pollution.

  3. Check using online DNS tools

  In addition to local command-line tools, you can also use third-party online DNS tools (such as DNSstuff, Whatsmydns, etc.) to query domain name resolution results. These tools provide DNS queries from multiple global nodes, which can help confirm whether DNS pollution exists.
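The three checks above all come down to the same comparison: what the system resolver returns versus what a resolver you trust returns. The script below automates that comparison. It is an added example, not code from the original article or from DNS.COM: it assumes `dig` from the BIND utilities is installed for the live mode, uses 1.1.1.1 (one of the public resolvers the article suggests) as the default trusted resolver, and ships with constructed dig output (documentation-range addresses, not real records) so the offline demonstration runs without a network.

```shell
#!/bin/sh
# Added example, not part of the original article: cross-check the A records
# returned by the system resolver against those from a resolver you trust.
# Assumes `dig` (BIND utilities) is installed for the live mode; the offline
# demonstration below uses constructed dig output so it runs without network.

# Parse dig output on stdin and print the IPv4 addresses from the ANSWER
# SECTION, one per line, sorted and de-duplicated (CNAME lines are skipped).
extract_a_records() {
    awk '
        /^;; ANSWER SECTION:/   { in_answer = 1; next }
        /^;;/                   { in_answer = 0 }
        in_answer && $4 == "A"  { print $5 }
    ' | sort -u
}

# Compare two newline-separated address lists. Any shared address counts as
# "match": CDNs legitimately hand different clients different subsets of
# their pool, so requiring identical sets would produce false alarms.
# Prints match / mismatch / no-answer.
compare_answers() {
    local_set="$1"; trusted_set="$2"
    if [ -z "$local_set" ] || [ -z "$trusted_set" ]; then
        echo "no-answer"; return 0
    fi
    for addr in $local_set; do
        if printf '%s\n' "$trusted_set" | grep -qxF "$addr"; then
            echo "match"; return 0
        fi
    done
    echo "mismatch"
}

# Live check: resolve NAME through the system resolver and through TRUSTED
# (default 1.1.1.1, one of the public resolvers the article recommends).
check_name() {
    name="$1"; trusted="${2:-1.1.1.1}"
    local_records=$(dig "$name" A | extract_a_records)
    trusted_records=$(dig @"$trusted" "$name" A | extract_a_records)
    compare_answers "$local_records" "$trusted_records"
}

# Constructed dig output (documentation-range addresses, not real records):
# the system resolver answers with one address, the trusted resolver with two
# behind a CNAME hop, and a poisoned resolver with an unrelated address.
SAMPLE_LOCAL="$(printf ';; ANSWER SECTION:\nexample.com.\t300\tIN\tA\t203.0.113.10\n\n;; Query time: 3 msec\n')"
SAMPLE_TRUSTED="$(printf ';; ANSWER SECTION:\nwww.example.com.\t60\tIN\tCNAME\texample.com.\nexample.com.\t60\tIN\tA\t203.0.113.11\nexample.com.\t60\tIN\tA\t203.0.113.10\n\n;; Query time: 2 msec\n')"
SAMPLE_POISONED="$(printf ';; ANSWER SECTION:\nexample.com.\t5\tIN\tA\t198.51.100.7\n\n')"

# Offline demonstration against the constructed samples: prints "match" for
# the healthy case and "mismatch" for the poisoned one.
demo_offline() {
    compare_answers "$(printf '%s\n' "$SAMPLE_LOCAL" | extract_a_records)" \
                    "$(printf '%s\n' "$SAMPLE_TRUSTED" | extract_a_records)"
    compare_answers "$(printf '%s\n' "$SAMPLE_POISONED" | extract_a_records)" \
                    "$(printf '%s\n' "$SAMPLE_TRUSTED" | extract_a_records)"
}

if [ "${1:-}" = "--live" ]; then
    check_name "${2:-example.com}" "${3:-}"
else
    demo_offline
fi
```

Run it as `sh dnscheck.sh --live example.com` to test a real name, or `sh dnscheck.sh --live example.com 8.8.8.8` to pick a different trusted resolver. A `mismatch` verdict is a prompt to investigate the resolver configuration in the next step, not proof of poisoning on its own; a very short TTL on an unexpected address (as in the constructed poisoned sample) is another common tell worth noting in the raw dig output.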

  Step 2: Check if the DNS configuration is correct

  If DNS pollution is confirmed, the next step is to check the DNS configuration. First, confirm that the server's DNS server address is correct.

  1. View the /etc/resolv.conf configuration file

  On Linux servers, DNS configuration is usually stored in the /etc/resolv.conf file. You can view the current DNS configuration using the following command:

cat /etc/resolv.conf

  Output example:

nameserver 8.8.8.8
nameserver 8.8.4.4

  If the nameserver entries point to a resolver you trust (for example a well-known public resolver such as those shown above), the configuration itself is fine. If they point to an address you do not recognise or do not control (for example an ISP-provided resolver, particularly one that may have been tampered with), poisoned answers may be coming from that resolver.

  2. Modify DNS Configuration

  To avoid further DNS poisoning, you can modify the `/etc/resolv.conf` file to use a reliable public DNS server. An example of modification is shown below:

sudo nano /etc/resolv.conf

  Modify the content to:

nameserver 8.8.8.8
nameserver 8.8.4.4

  or:

# Cloudflare DNS
nameserver 1.1.1.1
nameserver 1.0.0.1

  Save the modified file and check that the new DNS configuration has taken effect, for example by repeating the `dig` query from Step 1. Note that on systems where systemd-resolved or NetworkManager manages name resolution, /etc/resolv.conf is regenerated automatically and manual edits are overwritten; on such systems configure the resolvers through that service instead.
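Checking the configuration by eye works for one server, but across many it is easier to audit resolv.conf against a list of resolvers you have decided to trust. The script below does that; it is an added example, not code from the original article or from DNS.COM. The allowlist it ships with is an assumption taken from the public resolvers the article suggests (replace it with the resolvers you actually operate or use), and it also recognises the systemd-resolved stub address 127.0.0.53, whose presence means the real upstream servers are configured elsewhere.

```shell
#!/bin/sh
# Added example, not from the original article: audit the nameserver lines in
# resolv.conf-style text against a list of resolvers you trust.
# ASSUMPTION: the allowlist is taken from the resolvers the article suggests;
# replace it with the resolvers your organisation actually operates or uses.
TRUSTED_NAMESERVERS="8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1"

# Read resolv.conf text on stdin. Prints one line per finding:
#   stub: 127.0.0.53 ...   -> systemd-resolved answers locally; check its upstreams
#   untrusted: <address>   -> resolver not on the allowlist
#   ok                     -> every nameserver is on the allowlist
#   no nameserver configured
audit_resolv_conf() {
    found=0; bad=0; stub=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|';'*|'') continue ;;      # comment or blank line
        esac
        set -- $line                       # split into tokens; $1 is the keyword
        [ "$1" = "nameserver" ] || continue
        ns="${2:-}"
        [ -n "$ns" ] || continue           # malformed line without an address
        found=$((found + 1))
        if [ "$ns" = "127.0.0.53" ]; then
            stub=1
            echo "stub: $ns (systemd-resolved; run 'resolvectl status' to see the upstream servers)"
            continue
        fi
        allowed=0
        for t in $TRUSTED_NAMESERVERS; do
            if [ "$t" = "$ns" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "untrusted: $ns"
            bad=$((bad + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no nameserver configured"
    elif [ "$bad" -eq 0 ] && [ "$stub" -eq 0 ]; then
        echo "ok"
    fi
}

# Constructed sample (not a real host's file): a NetworkManager-style header,
# one allowlisted resolver and one unknown resolver in documentation space.
SAMPLE_RESOLV_CONF="$(printf '# Generated by NetworkManager\nsearch corp.example\nnameserver 8.8.8.8\nnameserver 192.0.2.53\n')"

# Audit the live file when run on a host, otherwise demonstrate on the sample.
if [ -r /etc/resolv.conf ]; then
    audit_resolv_conf < /etc/resolv.conf
else
    printf '%s\n' "$SAMPLE_RESOLV_CONF" | audit_resolv_conf
fi
```

Any `untrusted:` line is the address to compare against the resolvers you expected to see; a `stub:` line means the file is not the authoritative place to look and the upstream list must be checked in systemd-resolved instead.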

  Step 3: Enable DNSSEC (DNS Security Extensions)

  DNSSEC is a technology that protects DNS query results from tampering by using digital signatures to ensure the integrity and authenticity of DNS responses. Enabling DNSSEC can effectively prevent DNS poisoning.

  1. Check if DNSSEC is enabled

  On a Linux server, you can check if DNSSEC is enabled using the `dig` command:

dig +dnssec example.com

  If the response header's flags include ad (Authenticated Data), the resolver that answered has DNSSEC validation enabled and verified the signatures on this answer. The flag is set by a validating recursive resolver, so this test tells you whether the resolver you are querying validates, not whether a given domain is signed.

  2. Enabling DNSSEC

  If DNSSEC is not enabled, it can be enabled by configuring the DNS server. Assuming you are using bind9, you can enable DNSSEC with the following configuration:

sudo nano /etc/bind/named.conf.options

  Add these directives inside the existing options block (named rejects a configuration that defines options twice):

options {
    // dnssec-enable yes;   -- only needed on old BIND 9 releases; the option is
    //                         obsolete in current ones, so leave it out there
    dnssec-validation auto; // validate using the built-in root trust anchor;
                            // "yes" only works if you also configure trust anchors
};

  Save and restart the bind9 service:

sudo systemctl restart bind9

  Enabling DNSSEC protects DNS query results with digital signatures, significantly reducing the risk of DNS poisoning.
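Once validation is configured, the way to confirm it is the `dig +dnssec` check from earlier in this step, pointed at the server you just restarted. The script below classifies a dig response by its DNSSEC outcome so the check can be repeated mechanically. It is an added example, not code from the original article or from DNS.COM: it assumes `dig` is installed for the live mode and uses constructed dig header lines for the offline demonstration. It goes slightly beyond the article's AD-flag test by also distinguishing a SERVFAIL (what a validating resolver returns when signatures fail to verify) from an answer that carries RRSIG records but no AD flag (the zone is signed, but the resolver you asked is not validating).

```shell
#!/bin/sh
# Added example, not from the original article: classify a dig response by its
# DNSSEC outcome. Assumes `dig` is installed for the live mode; the offline
# demonstration uses constructed dig output.

# Read dig output on stdin and print one word:
#   validated              - AD flag set: the answering resolver validated the signatures
#   servfail               - status SERVFAIL: a validating resolver refused a response
#                            whose signatures failed to verify
#   signed-but-unvalidated - RRSIG records present (from +dnssec) but no AD flag:
#                            the zone is signed, the resolver does not validate
#   unvalidated            - plain answer, no AD and no RRSIG: resolver not validating,
#                            or the zone is not signed
dnssec_status() {
    awk '
        /^;; ->>HEADER<<-/ && /status: SERVFAIL/ { servfail = 1 }
        /^;; flags:/ {
            # e.g. ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..." -> tokens
            n = split($0, tok, /[ ,;]+/)
            for (i = 1; i <= n; i++) if (tok[i] == "ad") has_ad = 1
        }
        /^;; ANSWER SECTION:/       { in_answer = 1; next }
        /^;;/                       { in_answer = 0 }
        in_answer && $4 == "RRSIG"  { has_rrsig = 1 }
        END {
            if (servfail)        print "servfail"
            else if (has_ad)     print "validated"
            else if (has_rrsig)  print "signed-but-unvalidated"
            else                 print "unvalidated"
        }
    '
}

# Live check of NAME against SERVER (empty = the system resolver). After enabling
# validation in bind9, run this against the bind9 host, e.g. 127.0.0.1.
check_dnssec() {
    name="$1"; server="${2:-}"
    if [ -n "$server" ]; then
        dig +dnssec @"$server" "$name" A | dnssec_status
    else
        dig +dnssec "$name" A | dnssec_status
    fi
}

# Constructed dig output (not captured from a real resolver; the RRSIG payload
# is a placeholder): one validated answer, one SERVFAIL, one signed-but-unvalidated.
SAMPLE_VALIDATED="$(printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n;; ANSWER SECTION:\nexample.com.\t300\tIN\tA\t203.0.113.10\nexample.com.\t300\tIN\tRRSIG\tA 13 2 300 20991231000000 20250101000000 12345 example.com. PLACEHOLDERSIG\n')"
SAMPLE_SERVFAIL="$(printf ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n')"
SAMPLE_NOVALID="$(printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244\n;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n;; ANSWER SECTION:\nexample.com.\t300\tIN\tA\t203.0.113.10\nexample.com.\t300\tIN\tRRSIG\tA 13 2 300 20991231000000 20250101000000 12345 example.com. PLACEHOLDERSIG\n')"

# Offline demonstration: prints validated, servfail, signed-but-unvalidated.
demo_offline() {
    printf '%s\n' "$SAMPLE_VALIDATED" | dnssec_status
    printf '%s\n' "$SAMPLE_SERVFAIL"  | dnssec_status
    printf '%s\n' "$SAMPLE_NOVALID"   | dnssec_status
}

if [ "${1:-}" = "--live" ]; then
    check_dnssec "${2:-example.com}" "${3:-}"
else
    demo_offline
fi
```

Run `sh dnssec-check.sh --live example.com 127.0.0.1` on the bind9 host after the restart; `validated` confirms the resolver is validating, while `signed-but-unvalidated` means the configuration change has not taken effect and `unvalidated` for a name known to be signed points to the same problem.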

  Step 4: Clear the DNS Cache

  DNS poisoning not only affects current queries but can also cause poisoned resolution results to be cached and continue to impact access. Therefore, clearing the DNS cache is a crucial step in fixing DNS poisoning.

  1. Clear the System DNS Cache

  On Linux servers running systemd-resolved, clear the cache with the following command (older systemd releases provide the same function under the name `systemd-resolve --flush-caches`):

sudo resolvectl flush-caches

  Or if you are using dnsmasq:

sudo systemctl restart dnsmasq

  2. Clear Browser DNS Cache

  Sometimes, browser DNS caches can be poisoned. Clearing the browser cache can help resolve access problems. Different browsers have different methods for clearing caches; the relevant option can usually be found in the browser's settings.

  Step 5: Change DNS Server

  If the above methods fail to completely resolve the DNS poisoning problem, or if you suspect that the DNS server you are using is being controlled by an attacker, consider using a more reliable DNS service.

  1. Use a third-party DNS service. Many third-party DNS service providers offer high-speed and secure DNS resolution services.

  2. Configure a local DNS server. If you want complete control, you can also set up your own local DNS server. bind9 and dnsmasq are commonly used open-source DNS server software that can be configured and managed as needed.

  DNS poisoning is a significant issue in network security. It can lead users to spoofed websites, resulting in data breaches or other security problems. This article has introduced a five-step self-check and repair process for quickly detecting and repairing DNS poisoning and keeping servers and users secure. Be sure to check your DNS configuration regularly, enable DNSSEC to strengthen it, and clear the DNS cache so that access stays accurate. Users who have the means can also switch to a third-party DNS service to further improve the stability and security of the system.
