Your explanation is right but I think that the answer is D. Answer C says "The attacker makes a request". The attacker is not making a request, but sending a response, that is, forging a reply. I go with D.
Answer is C:
- The attacker proceeds to send DNS queries to the DNS resolver, which forwards the Root/TLD authoritative DNS server request and awaits an answer.
- The attacker overloads the DNS with poisoned responses that contain several IP addresses of the malicious website. To be accepted by the DNS resolver, the attacker's response should match a port number and the query ID field before the DNS response. Also, the attackers can force its response to increase their chance of success.
- If you are a legitimate user who queries this DNS resolver, you will get a poisoned response from the cache, and you will be automatically redirected to the malicious website.
Please stop arguing about the wrong answer. The answer to this question is C. Attackers can poison DNS caches by impersonating DNS nameservers, making a request to a DNS resolver, and then forging the reply when the DNS resolver queries a nameserver.
1. Recursive nameservers, also known as DNS resolvers
https://blog.apnic.net/2022/03/14/the-multiple-meanings-of-nameserver-and-dns-resolver/
2. How DNS Spoofing (Cache Poisoning) works
https://www.infoblox.com/glossary/dns-cache-poisoning/
C
https://www.varonis.com/blog/dns-cache-poisoning
Kaminsky’s exploit is a variation of the birthday attack presented at BlackHat 2008.
First, the attacker sends a target resolver a DNS query for a non-existent domain, like “fake.varonis.com.” The resolver then forwards the query to the authoritative name server to get the IP address for the false sub-domain. At this point, the attacker floods the resolver with a huge number of forged responses, hoping that one of those forgeries matches the transaction ID of the original query.
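A defender-side view of the flood described in the comment above, as an added example that is not part of the thread: it counts replies whose transaction ID or port does not match the query the resolver is actually waiting on. The log format, field names and threshold are hypothetical, and the sample log is constructed.

```python
import re
from collections import Counter

# Hypothetical resolver-side log format (an assumption, not a real tool's output):
#   <ts> OUT qname=<name> txid=<n> sport=<n>            resolver -> nameserver
#   <ts> IN  qname=<name> txid=<n> dport=<n> src=<ip>   reply reaching resolver
LINE = re.compile(
    r"(?P<ts>[\d.]+) (?P<dir>OUT|IN) qname=(?P<q>\S+) "
    r"txid=(?P<txid>\d+) [sd]port=(?P<port>\d+)"
)

def build_sample_log():
    """Constructed sample: one normal lookup, then one lookup hit by a reply burst."""
    lines = [
        "10.000 OUT qname=www.example.test txid=4242 sport=53011",
        "10.020 IN qname=www.example.test txid=4242 dport=53011 src=192.0.2.53",
        "11.000 OUT qname=x9.example.test txid=31337 sport=40112",
    ]
    # 200 replies that all carry the wrong transaction ID for the pending query
    lines += [
        f"11.{i:03d} IN qname=x9.example.test txid={i} dport=40112 src=192.0.2.53"
        for i in range(1, 201)
    ]
    lines.append("11.300 IN qname=x9.example.test txid=31337 dport=40112 src=192.0.2.53")
    return "\n".join(lines)

def find_forged_reply_bursts(log_text, threshold=20):
    """Return {qname: mismatched_reply_count} for names at or above the threshold."""
    outstanding = {}        # qname -> (txid, port) the resolver is waiting on
    mismatches = Counter()  # qname -> replies that failed the txid/port check
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        qname = m["q"].lower()
        key = (int(m["txid"]), int(m["port"]))
        if m["dir"] == "OUT":
            outstanding[qname] = key
        elif outstanding.get(qname) == key:
            del outstanding[qname]   # matching reply closes the pending query
        else:
            mismatches[qname] += 1   # wrong txid/port, or no query pending
    return {q: n for q, n in mismatches.items() if n >= threshold}

if __name__ == "__main__":
    print(find_forged_reply_bursts(build_sample_log()))
```

A single stray mismatch is normal (late or retransmitted replies), which is why the check is a per-name count against a threshold rather than an alert on every mismatch.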
correct answer: D. DNS cache poisoning, also known as DNS spoofing, is a technique used by hackers to manipulate the DNS (Domain Name System) cache data on a DNS resolver. The objective is to deceive the resolver into associating a domain name with an incorrect IP address, thereby redirecting traffic to a malicious website or server.
The first step in a DNS cache poisoning attack is for the attacker to forge a reply from the DNS resolver. The attacker crafts a DNS response packet that appears to come from a legitimate DNS resolver, containing a fake mapping between a domain name and an IP address. The forged reply is designed to convince the target's DNS resolver to store the incorrect mapping in its cache.
Once the DNS resolver receives the forged reply, it may cache the incorrect information, associating the domain name with the attacker's desired IP address. Subsequent requests for that domain name from users within the organization will then be directed to the attacker's malicious server instead of the legitimate server.
- ChatGPT3.5
The correct option is A.
The other options may be involved in a DNS cache poisoning attack, but the first step would always be the same: the attacker must send queries to the DNS server to learn about the name resolution process and cache records. Then, the attacker can exploit the weaknesses found to poison the DNS cache and redirect traffic to malicious sites.
It's D.
If an attacker is able to forge a reply from a DNS resolver, this could allow them to carry out a DNS cache poisoning or DNS spoofing attack. In this type of attack, the attacker sends a false DNS response to the user's computer or intermediate DNS server, causing it to cache the malicious data instead of the correct data. When the user later attempts to access the legitimate website, they are directed to the attacker's website instead.
If an attacker queries a nameserver using a DNS resolver, this could be part of a reconnaissance or information gathering phase of a larger attack. By querying a nameserver, the attacker can obtain information about the DNS infrastructure for a particular domain, such as the IP addresses of servers hosting the domain's website or email services. This information can be used to plan and carry out further attacks, such as DNS cache poisoning or DDoS attacks.
Since it is asking for the FIRST step, I would think the answer is C.
Make a request to the DNS resolver; if the resolver does not have that answer in its cache, then in turn (i.e. the next step) the resolver queries the nameserver.
Or do I have the DNS process in wrong order?
DNS CACHE Poisoning refers to altering or adding forged DNS records in the DNS resolver cache so that a DNS query is redirected to a malicious site.
However, the question is asking the FIRST STEP for a hacker. The forged and altered DNS records are the end result.
The FIRST STEP is the attacker queries for DNS info.
(P.1165/1181)