Domain Name System (DNS) spoofing is an attack in which DNS answers or records are altered so that a victim's traffic is redirected to an attacker-controlled website that imitates the intended destination.
Once the victim lands on the spoofed site, the attacker can harvest sensitive information such as credentials or payment card details, depending on the type of attack, or use the page to deliver viruses, worms and other malware to the victim's machine.
Without understanding how the Internet connects you to a website, you can be tricked into trusting a site that is not the one you asked for. To see why the attack works, it helps to understand what DNS is and how a lookup proceeds.
What is DNS?
The Domain Name System translates a human-readable domain name into the IP address that the client actually connects to. A full lookup involves four kinds of servers: the recursive (resolving) name server, the root name servers, the top-level domain (TLD) name servers, and the authoritative name server for the domain. The stub resolver built into the client's operating system only forwards the question to a recursive resolver (typically run by the ISP, the enterprise, or a public DNS provider); the recursive resolver then walks the chain from root to TLD to authoritative server on the client's behalf. Note that the resolver queries DNS servers, never the web server itself; the web server is contacted only after the address is known.
How does a DNS lookup work?
A DNS lookup proceeds as follows:
- The web browser and the operating system first check their own caches. If the name was resolved recently and the record's time to live (TTL) has not expired, the cached IP address is used and no query leaves the machine.
- If neither has the answer, the operating system's stub resolver sends the query to its configured recursive resolver. The recursive resolver answers from its own cache if it can; otherwise it asks a root server, then the TLD server, then the domain's authoritative server.
- The recursive resolver returns the IP address to the operating system, which hands it to the browser; the browser then opens a connection to that address. Every cache along this path is a place where a false answer can be planted.
DNS spoofing attacks
Man in the middle (MITM): an attacker positioned between the user and the DNS server (on the same Wi-Fi network, on a compromised router, or on the path to the resolver) intercepts the query and answers it with an IP address they control. Because classic DNS travels unauthenticated over UDP, the client cannot tell the forged reply from the genuine one.
DNS server hack: the attacker compromises the resolver or the authoritative server itself (or the account used to administer its zone) and changes its records to return a malicious IP address. Every client that relies on that server receives the bad answer for as long as the change stands.
How Attackers Poison a DNS Cache
DNS cache poisoning is an attack in which a false record is injected into a resolver's cache, so that every subsequent query for that name returns the attacker's address, and users are sent to the wrong website, until the entry expires or is flushed. The terms DNS cache poisoning and DNS spoofing are often used interchangeably; strictly speaking, poisoning is one technique for achieving spoofing.
The following example illustrates how DNS cache poisoning works. Suppose an attacker at 192.168.1.100 wants to hijack connections from a client at 192.168.1.150 to ‘www.example.com’, whose genuine server is 192.168.1.200. Both client and attacker use the same recursive DNS server.
The attacker first causes the DNS server to look up ‘www.example.com’ (for instance by simply querying it), then races the genuine authoritative server with a forged reply that maps ‘www.example.com’ to 192.168.1.100. If the forged reply arrives first and matches what the DNS server expects, the server caches it: the entry for ‘www.example.com’ now reads 192.168.1.100 instead of 192.168.1.200.
When the client (192.168.1.150) later asks for ‘www.example.com’, the DNS server answers from its poisoned cache with the attacker's address, 192.168.1.100. A fake website hosted at that address impersonates the original, and the user may be tricked into entering sensitive information.
The attack is possible because a classic DNS exchange is a single, unauthenticated UDP request and reply. There is no handshake as in TCP, so the DNS server accepts the first reply whose source address, destination port, 16-bit transaction ID and question match its outstanding query, and none of those fields is cryptographically protected. An off-path attacker therefore has to guess the transaction ID and the port; if the server uses sequential IDs and a fixed source port, at most 65,536 forged packets (one per possible ID) suffice, which is why randomising both (RFC 5452) is a baseline defence. An on-path attacker sees those values in the query itself, so against a MITM only DNSSEC signatures or an encrypted, authenticated transport such as DNS over TLS or DNS over HTTPS help.
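The lookup steps and the poisoning race described above, as an added example that is not part of the original article: a minimal RFC 1035 wire-format encoder and parser for A records, plus a toy stub resolver that caches a reply only when its transaction ID, destination port and question match an outstanding query. The `StubResolver` class, its `predictable_ids` switch and the two attack functions are constructed for this illustration and are not a real resolver; the names and addresses (‘www.example.com’, 192.168.1.100, 192.168.1.200) are the article's made-up ones. The off-path attacker floods every possible 16-bit ID at port 53; this poisons the resolver that uses sequential IDs from a fixed port, and fails against one that randomises ID and source port. The on-path (MITM) attacker reads ID and port from the query, so randomisation alone does not save the hardened resolver.

```python
# Added example: toy DNS model for illustration; every name, address and port is constructed.
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset_after_name)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_query(txid, name):
    """Recursive A query: 12-byte header (RD=1, QDCOUNT=1) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, name, ip, ttl=300):
    """Reply (QR=1, RD=1, RA=1) carrying one A record: name -> ip."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Owner name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_response(data):
    """Return (txid, qname, ip) from a reply that carries a single A record."""
    txid = struct.unpack("!H", data[:2])[0]
    qname, off = decode_name(data, 12)
    off += 4                                  # skip QTYPE and QCLASS
    _, off = decode_name(data, off)           # answer owner name
    _, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    return txid, qname, ".".join(str(b) for b in data[off:off + rdlen])


class StubResolver:
    """Toy resolver: caches a reply only if it matches a pending query on transaction
    ID, destination port and question. predictable_ids=True models sequential IDs
    sent from fixed port 53, the setup an off-path attacker can brute-force."""

    def __init__(self, predictable_ids):
        self.predictable_ids = predictable_ids
        self.next_id = 1
        self.pending = {}  # (txid, port) -> qname awaiting an answer
        self.cache = {}    # qname -> ip

    def send_query(self, name):
        if self.predictable_ids:
            txid, port = self.next_id, 53
            self.next_id = (self.next_id + 1) & 0xFFFF
        else:              # RFC 5452 style: random ID and random source port
            txid, port = random.getrandbits(16), random.randint(1024, 65535)
        self.pending[(txid, port)] = name
        return build_query(txid, name), port

    def receive(self, data, dst_port):
        """Accept the reply only if it answers a question we actually asked."""
        txid, qname, ip = parse_response(data)
        if self.pending.get((txid, dst_port)) != qname:
            return False   # unknown ID/port or mismatched question: drop it
        del self.pending[(txid, dst_port)]
        self.cache[qname] = ip
        return True


def off_path_poisoning(resolver, name, attacker_ip, legit_ip):
    """Attacker who cannot see the query floods all 65,536 IDs at port 53, racing
    the genuine answer. Returns the address the resolver ends up caching."""
    query, port = resolver.send_query(name)
    for guess in range(0x10000):
        if resolver.receive(build_response(guess, name, attacker_ip), 53):
            break
    real_txid = struct.unpack("!H", query[:2])[0]
    resolver.receive(build_response(real_txid, name, legit_ip), port)  # ignored if slot is gone
    return resolver.cache.get(name)


def on_path_poisoning(resolver, name, attacker_ip):
    """MITM case: the attacker reads ID and port from the query, so randomisation
    cannot help; only DNSSEC or an encrypted, authenticated transport would."""
    query, port = resolver.send_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    resolver.receive(build_response(txid, name, attacker_ip), port)
    return resolver.cache.get(name)
```

Running `off_path_poisoning(StubResolver(True), "www.example.com", "192.168.1.100", "192.168.1.200")` caches the attacker's 192.168.1.100, while the same call with `StubResolver(False)` keeps 192.168.1.200 because none of the forged packets hits the random port; `on_path_poisoning` succeeds against either resolver, which is the point the MITM paragraph makes.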
DNS Spoofing Threats
- Data theft – Attackers favour banking and e-commerce sites because the credentials and payment details entered there are directly monetisable; a convincing copy of the login page is enough to capture them.
- Blocked security updates – If the spoofed name belongs to a software vendor or security provider's update service, clients can be steered away from the real update server, leaving devices without critical patches and exposed to other threats.
- Malware infection – Because the victim's browser believes it is on a trusted site, the spoofed page can deliver malware or viruses through downloads or drive-by exploits.
How to Protect Your Infrastructure Against DNS Spoofing
- Use DNSSEC (Domain Name System Security Extensions), which signs DNS records so that a validating resolver can detect and discard forged answers; sign your own zones and enable validation on your resolvers.
- Encrypt and authenticate the path to the resolver with DNS over TLS or DNS over HTTPS, and keep HTTPS on the websites themselves: a spoofed site at the attacker's address cannot present a valid certificate for the real domain, so the browser warns the user.
- Harden resolvers: randomise transaction IDs and source ports, limit recursion to trusted clients, and keep resolver software patched.
- Deploy monitoring or a DNS spoofing detection tool that alerts on unexpected changes in the answers returned for critical names.
- Flush the DNS cache on the resolver and on affected clients as soon as poisoning is suspected, so the bad entry does not persist until its TTL expires.