Scenario #200
Networking
K8s v1.23, DigitalOcean
DNS Cache Poisoning in CoreDNS
DNS cache poisoning occurred in CoreDNS, leading to incorrect IP resolution for services.
What Happened
An attacker injected a forged answer carrying a false IP address into the CoreDNS cache. Because every pod in the cluster resolves through CoreDNS, lookups of the affected names returned the wrong address to all clients until the cached entry expired.
Diagnosis Steps
1. Monitored CoreDNS logs and identified suspicious query patterns, in particular bursts of repeated queries for the same name.
2. Used kubectl exec to get a shell in a cluster pod, queried CoreDNS directly for the affected names, and compared the answers with the Services' actual ClusterIPs; several names were answered with incorrect, cached addresses. (CoreDNS has no command to dump its cache; querying it is the only way to see what it holds.)
Root Cause
Nothing validated the answers CoreDNS accepted into its cache, and cached records were kept for a long lifetime, so a single forged answer stayed in effect cluster-wide until it expired.
Fix/Workaround
• Hardened the CoreDNS configuration: capped the cache lifetime so a bad entry cannot persist for long, and introduced DNSSEC. Caveat: the CoreDNS dnssec plugin signs the zones CoreDNS itself serves; CoreDNS does not validate upstream DNSSEC, so answers for forwarded names are only validated if the forward plugin points at a validating resolver, preferably over TLS (tls://) so spoofed UDP replies cannot reach the forwarder at all.
• Restarted the CoreDNS pods to drop the poisoned entries; the cache plugin keeps its entries in memory, so a restart is what actually clears them.
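The hardened configuration described above, as an added shell example (not the scenario's own Corefile or tooling): it renders a Corefile that forwards only over TLS to a validating resolver, caps cache TTLs and logs queries, plus an apply function that replaces the ConfigMap and restarts the deployment, which drops the in-memory cache. Assumptions not taken from the page: CoreDNS 1.8.x as shipped with Kubernetes 1.23, the usual kube-system/coredns ConfigMap, and egress from the nodes to 1.1.1.1 on port 853.

```shell
#!/bin/sh
# Added example: hardened CoreDNS Corefile for the fix described above.
# Assumptions (not from the original scenario): CoreDNS 1.8.x (Kubernetes 1.23),
# ConfigMap kube-system/coredns, and egress from the nodes to 1.1.1.1:853.
set -eu

# Render the hardened Corefile to stdout.
hardened_corefile() {
  cat <<'EOF'
.:53 {
    errors
    health {
        lameduck 5s
    }
    ready
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
        ttl 30
    }
    prometheus :9153
    # Forward only over TLS to a DNSSEC-validating resolver. Spoofed UDP
    # replies can no longer be slipped into the forwarder's socket, and the
    # upstream discards records that fail validation. CoreDNS itself does not
    # validate upstream DNSSEC; the dnssec plugin only signs zones it serves.
    forward . tls://1.1.1.1 tls://1.0.0.1 {
        tls_servername cloudflare-dns.com
        health_check 5s
    }
    # Cap cached answers at 30s (the plugin default is 3600s for NOERROR and
    # 1800s for denials) so a poisoned entry is evicted in seconds, not hours.
    cache 30 {
        success 9984 30
        denial 9984 5
    }
    # Log every query so client/name patterns can be audited.
    log
    loop
    reload
    loadbalance
}
EOF
}

# Returns 0 if the rendered Corefile carries both hardening controls.
corefile_is_hardened() {
  cf=$(hardened_corefile)
  printf '%s\n' "$cf" | grep -q 'forward \. tls://' &&
    printf '%s\n' "$cf" | grep -q '^    cache 30 {'
}

# Replace the live ConfigMap and restart CoreDNS. The cache plugin keeps its
# entries in memory, so the restart is what drops the poisoned records.
# Only runs when the script is invoked with "apply".
apply_corefile() {
  tmp=$(mktemp)
  hardened_corefile >"$tmp"
  kubectl -n kube-system create configmap coredns --from-file=Corefile="$tmp" \
    --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n kube-system rollout restart deployment/coredns
  kubectl -n kube-system rollout status deployment/coredns
  rm -f "$tmp"
}

if [ "${1:-}" = "apply" ]; then
  apply_corefile
else
  hardened_corefile
fi
```

Run it without arguments to review the rendered Corefile, and with `apply` from a machine that has cluster-admin kubectl access to roll it out. The `reload` plugin is kept so later ConfigMap edits are picked up without a restart, but the first rollout after an incident should still restart the pods to flush the cache.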
Lessons Learned
Securing DNS caching is critical: a shared cluster resolver that accepts one forged answer redirects every client that looks the name up, for as long as the entry lives in the cache.
How to Avoid
1. Use DNSSEC or other DNS security mechanisms to validate responses; with CoreDNS that means forwarding to a validating resolver, over TLS where possible, since CoreDNS does not validate upstream answers itself.
2. Enable the CoreDNS log plugin and regularly monitor and audit its output for anomalies, such as one client repeatedly querying the same name or a sudden rise in SERVFAIL responses.
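Two checks for the monitoring and diagnosis steps above, as an added shell example (not tooling from the original page): an awk pass over CoreDNS log plugin output that flags a client repeatedly querying one name (the cache-miss flood that precedes a poisoning attempt) and counts SERVFAIL responses, plus a function that compares CoreDNS's answer for a Service with the ClusterIP held by the API server. The log lines, client addresses, names and threshold are constructed; verify_service_ip assumes kubectl and dig are available from inside the cluster and is not run by default.

```shell
#!/bin/sh
# Added example: audit CoreDNS `log` plugin output for the query pattern that
# precedes a cache-poisoning attempt, and cross-check a Service's answer.
# The log lines below are constructed; addresses and names are made up.
set -eu

# Constructed sample in the default log plugin format:
#   remote:port - id "type class name proto size do bufsize" rcode flags rsize duration
# Client 10.244.2.3 hammers one name to force cache misses; the others are normal.
sample_log() {
  cat <<'EOF'
[INFO] 10.244.1.7:40012 - 43519 "A IN api.internal.example. udp 49 false 512" NOERROR qr,rd,ra 65 0.001234s
[INFO] 10.244.2.3:51000 - 10001 "A IN api.internal.example. udp 49 false 512" NOERROR qr,rd,ra 65 0.000412s
[INFO] 10.244.2.3:51001 - 10002 "A IN api.internal.example. udp 49 false 512" NOERROR qr,rd,ra 65 0.000398s
[INFO] 10.244.2.3:51002 - 10003 "A IN api.internal.example. udp 49 false 512" NOERROR qr,rd,ra 65 0.000401s
[INFO] 10.244.2.3:51003 - 10004 "A IN api.internal.example. udp 49 false 512" NOERROR qr,rd,ra 65 0.000377s
[INFO] 10.244.2.3:51004 - 10005 "A IN api.internal.example. udp 49 false 512" NOERROR qr,rd,ra 65 0.000390s
[INFO] 10.244.2.3:51005 - 10006 "A IN api.internal.example. udp 49 false 512" SERVFAIL qr,rd,ra 49 0.000120s
[INFO] 10.244.1.9:33100 - 22222 "A IN payments.default.svc.cluster.local. udp 57 false 512" NOERROR qr,aa,rd 73 0.000101s
EOF
}

# Print "client name count" for each (client, name) pair seen more than
# the threshold ($1, default 5) times. Reads log lines on stdin.
flag_query_floods() {
  threshold=${1:-5}
  awk -v t="$threshold" '
    {
      split($2, c, ":")          # "10.244.2.3:51000" -> client 10.244.2.3
      name = $7                  # third word inside the quoted query string
      n[c[1] " " name]++
    }
    END { for (k in n) if (n[k] > t) print k, n[k] }
  ' | sort
}

# Count SERVFAIL responses; a spike means the forwarder is being raced or
# the upstream is unreachable, both worth a look. Reads stdin.
servfail_count() {
  awk '$12 == "SERVFAIL" { c++ } END { print c + 0 }'
}

# Compare what CoreDNS answers for Service NAME in NAMESPACE with the
# ClusterIP the API server holds. Needs kubectl and dig from inside the
# cluster; not invoked by default. Usage: verify_service_ip NAME NAMESPACE
verify_service_ip() {
  dns_ip=$(kubectl -n kube-system get svc kube-dns -o jsonpath='{.spec.clusterIP}')
  expected=$(kubectl -n "$2" get svc "$1" -o jsonpath='{.spec.clusterIP}')
  answered=$(dig +short "$1.$2.svc.cluster.local" "@$dns_ip" | head -n 1)
  if [ "$answered" = "$expected" ]; then
    echo "ok $1.$2 -> $answered"
  else
    echo "MISMATCH $1.$2: coredns=$answered api=$expected"
    return 1
  fi
}

echo "query floods (more than 5 per client/name):"
sample_log | flag_query_floods 5
echo "SERVFAIL responses: $(sample_log | servfail_count)"
```

In production, feed `kubectl -n kube-system logs -l k8s-app=kube-dns --since=10m` into `flag_query_floods` instead of the sample, and tune the threshold to the cluster's normal query rate; a flood from a single pod IP is the signal worth alerting on, since ordinary clients are served from the cache and rarely repeat a name that often.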