DNS Poisoning and Web3: How Cybercriminals Can Hijack Your App

Lipman
Published in GuardianUI
Apr 6, 2023

As Web3 and decentralized applications continue to gain popularity, the need for secure and reliable DNS (Domain Name System) services becomes increasingly important. DNS is responsible for translating human-readable domain names into IP addresses that computers can understand, enabling users to access websites and applications on the internet. However, DNS services can be vulnerable to attacks, particularly DNS poisoning and DNS cache poisoning.

In this blog post, we’ll explore what DNS poisoning and DNS cache poisoning are, how they can be used to steal user funds from Web3 users by pointing a redirected frontend to the wrong smart contracts, and real-world examples of these attacks in the Web3 space. We’ll also provide tips and best practices for preventing DNS poisoning attacks in Web3.

What is DNS poisoning?

DNS is the system that translates human-readable domain names, like www.example.com, into IP addresses, which are used by computers to connect to websites and other internet services. DNS poisoning, also known as DNS spoofing, is a type of cyber attack in which an attacker redirects internet traffic from legitimate websites to fake ones. The attacker does this by compromising a DNS server and altering the IP address that corresponds to a specific domain name. As a result, users who attempt to access the legitimate website are redirected to a fake one that looks identical, but is controlled by the attacker.

In the context of Web3, DNS poisoning can be particularly dangerous since it can be used to redirect users to a fake frontend that interacts with a malicious smart contract or address. This can result in the user unknowingly sending cryptocurrency to the attacker’s wallet, rather than the intended recipient or contract.

What is DNS cache poisoning?

A DNS cache is temporary storage for previously retrieved Domain Name System (DNS) records. Whenever a user requests a website, their computer asks a DNS resolver to look up the IP address associated with the domain name. The resolver then queries the DNS hierarchy for that record and returns the result to the user’s computer.

To speed up subsequent requests to the same domain, the DNS resolver caches the results, so that the next time the user requests access to the same website, the resolver can quickly provide the IP address without having to look it up again. This caching process helps to reduce the amount of time it takes to resolve a domain name and load a webpage, improving overall browsing performance.

DNS cache poisoning, also known as DNS spoofing or DNS poisoning, is a type of cyber attack in which an attacker corrupts the data stored in a DNS cache.

In a DNS cache poisoning attack, the attacker replaces cached data with false records, either by inserting them directly or by exploiting vulnerabilities in the DNS software or protocols. Once the cache has been poisoned, every query for the affected domain name returns the IP address chosen by the attacker instead of the legitimate one, so users are silently redirected to a fake website under the attacker’s control rather than the site they intended to visit.

How can DNS attacks be used to steal web3 user funds?

In web3 applications, the front-end user interface (UI) is typically a web application that is hosted on a traditional web server. This front-end UI communicates with the blockchain via a series of smart contracts that define the application’s business logic.

If an attacker is able to perform a DNS poisoning attack on the front-end UI of a web3 application, they can redirect users to a fake website that looks identical to the real one, but which points to different smart contracts. This means that any transactions initiated by the user on the fake website will be executed using the attacker’s smart contracts, rather than the legitimate ones.

This can be particularly dangerous for web3 applications that involve financial transactions, such as decentralized exchanges (DEXs) or cryptocurrency wallets. If an attacker is able to redirect users to the attacker’s own smart contracts, they can steal the user’s cryptocurrency or other digital assets. Because blockchain transactions are irreversible, there is no way for the user to recover their funds once they have been stolen.

Real-world examples of DNS attacks in web3

Unfortunately, more and more attackers are targeting frontends using DNS attacks. In each of these examples, the users experienced what was mentioned above: they navigated to the correct URL but were redirected to a phishing site that looked exactly like the real site. As a result, they signed malicious transactions and approvals.

When a hack like this happens, every second counts. Developers need to understand exactly what’s going on and address the issue immediately.

How to prevent DNS attacks in web3

To protect against DNS poisoning attacks, web3 developers should take a number of precautions.

One important step is to use secure DNS servers that are less vulnerable to attacks. Developers should also ensure that their front-end UIs are hosted on secure servers and are protected by strong authentication mechanisms, such as two-factor authentication (2FA) or multi-signature authentication.

Another important step is to use DNS Security Extensions (DNSSEC), a set of security protocols that provide authentication and integrity checks for DNS information. DNSSEC can help prevent attackers from modifying the DNS cache or inserting false DNS records, making it more difficult for them to redirect users to fake websites or malicious smart contracts. A recent GuardianUI analysis of 250 protocols found 80% do not use DNSSEC. Further, Vercel currently does not support DNSSEC.

Additionally, developers should consider automated monitoring tools that can detect if their frontend has been compromised and alert them immediately with actionable insights. GuardianUI checks that your live UI is creating the expected smart contract interactions for users, and alerts your team if any vulnerabilities are detected.
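A defender-side monitor in the spirit of the check described above, added here as an illustration and not GuardianUI’s own code: it extracts the contract addresses a served frontend references and compares them, together with the IPs the frontend’s name resolved to, against a deployment allowlist. Every address, IP and sample bundle below is a constructed placeholder, not a real contract, host or incident.

```python
import re
from dataclasses import dataclass

# Matches a 20-byte hex address as it appears in a served JS bundle or HTML page.
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "unexpected_contract", "missing_contract" or "unexpected_ip"
    value: str


def extract_addresses(bundle: str) -> set[str]:
    """Return every contract-like address in the served frontend, lower-cased."""
    return {m.lower() for m in ADDR_RE.findall(bundle)}


def audit_frontend(bundle: str, expected_contracts: set[str],
                   resolved_ips: set[str], expected_ips: set[str]) -> list[Finding]:
    """Compare what the live frontend exposes against the deployment allowlist.

    bundle:             HTML/JS fetched through the public DNS name.
    expected_contracts: addresses the real frontend is known to call.
    resolved_ips:       A records the monitor resolved for the frontend's name.
    expected_ips:       addresses the hosting provider is known to serve from.
    """
    findings: list[Finding] = []
    seen = extract_addresses(bundle)
    want = {a.lower() for a in expected_contracts}
    # A hijacked copy points users at contracts the deployment never shipped...
    findings += [Finding("unexpected_contract", a) for a in sorted(seen - want)]
    # ...and usually no longer references the legitimate ones at all.
    findings += [Finding("missing_contract", a) for a in sorted(want - seen)]
    # DNS-level redirection shows up before content does: the name resolves elsewhere.
    findings += [Finding("unexpected_ip", ip) for ip in sorted(resolved_ips - expected_ips)]
    return findings


# Constructed sample data (documentation IP ranges, placeholder addresses).
GOOD_CONTRACT = "0x" + "11" * 20
BAD_CONTRACT = "0x" + "22" * 20
EXPECTED_IPS = {"192.0.2.10"}
LEGIT_BUNDLE = f'<script>const ROUTER = "{GOOD_CONTRACT}";</script>'
HIJACKED_BUNDLE = f'<script>const ROUTER = "{BAD_CONTRACT}";</script>'


def demo() -> tuple[list[Finding], list[Finding]]:
    """Run the audit once against the legitimate bundle and once against a hijacked copy."""
    clean = audit_frontend(LEGIT_BUNDLE, {GOOD_CONTRACT}, {"192.0.2.10"}, EXPECTED_IPS)
    hijacked = audit_frontend(HIJACKED_BUNDLE, {GOOD_CONTRACT}, {"198.51.100.7"}, EXPECTED_IPS)
    return clean, hijacked


if __name__ == "__main__":
    for name, findings in zip(("clean", "hijacked"), demo()):
        print(name, [(f.kind, f.value) for f in findings])
```

In a real deployment the bundle would be fetched through the public hostname on a schedule and the allowlist kept with the release artifacts, so any divergence pages the team rather than a user.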

In conclusion, DNS poisoning is a serious cyber threat for web3 teams that can be used to redirect users to fake websites or intercept and modify data being sent between users and legitimate websites. In the context of web3 applications, DNS poisoning can be particularly dangerous, as it can be used to redirect users to malicious smart contracts and steal their digital assets.

How to flush your DNS cache

As a user, if you suspect your DNS cache has been poisoned, or if you simply want to ensure your DNS cache is up-to-date, you can flush your DNS cache. Flushing the cache will remove all cached DNS records, forcing the system to obtain up-to-date information from the DNS resolver.

The method for flushing the DNS cache can vary depending on the operating system and device being used. Here are the steps to flush the DNS cache on some common operating systems:

Windows:

  1. Open the Command Prompt by typing “cmd” in the Start menu search bar and clicking on the Command Prompt app.
  2. Type the following command and press Enter: ipconfig /flushdns
  3. Wait for the command to complete, then close the Command Prompt.

macOS:

  1. Open the Terminal app by searching for it in Spotlight or the Applications folder.
  2. Type the following command and press Enter: sudo killall -HUP mDNSResponder
  3. Enter your administrator password when prompted.
  4. Wait for the command to complete, then close the Terminal.

Linux:

  1. Open the Terminal app.
  2. Type the following command and press Enter: sudo systemctl restart network-manager
  3. Enter your administrator password when prompted.
  4. Wait for the command to complete, then close the Terminal.

It’s important to note that flushing the DNS cache may temporarily slow down web browsing as the system re-populates the cache with up-to-date information. However, this is a small inconvenience compared to the potential risks of using a poisoned DNS cache.

About GuardianUI

GuardianUI is the testing and monitoring platform for web3 frontends. Our SaaS platform automates end-to-end testing, application monitoring for web3 critical paths, and real-time alerting to ensure deployed apps create the expected smart contract interactions for users.

Apply for early access by filling out this form.

https://www.guardianui.com/
