Cyber-threats are behind every corner. Recently we wrote about DDoS attacks, and how hackers are using your computer and many connected devices to create a network of bots who can bring down even the best-protected network. Today we will review another danger – DNS spoofing. Show DNS spoofing a.k.a. DNS poisoning is that popular that you can find plenty of DNS spoofing tutorials using Kali distribution of Linux, but we are on the good side, and we won’t show you that. We will explain to you why there is such a threat and how can you protect. DNS Spoofing – DefinitionDNS Spoofing appears when the IP address (IPv4 or IPv6) of a domain name is masked and falsified. The information is replaced with a faked one, from a host that has no authority to give it. It occurs and disturbs the normal process of DNS resolution. As a result, the user’s device is connecting with a bogus IP address, and all of the traffic is directed to a malicious website. Additionally, the victim is not able to notice the forgery because the DNS resolution is a process that happens behind the scenes. The fake DNS data (DNS records) takes place in the Recursive DNS server cache, which results in the name server answering with a false IP address. Such attacks take advantage of vulnerabilities in name servers and shift the traffic towards fake web pages. Those fake websites are visually very similar to the real ones, and people don’t even understand the difference. In this process, personal data can be stolen. As we mention above, the Recursive DNS server has an essential role in the DNS resolution process. Let’s explain a little bit more about it. Here are two functions that you should be familiar with: DNS cachingTo save time and divide better the load, in the DNS there are recursive DNS servers. They have a cache, local saved information about the domains that temporary stays in them. ForwardingEven a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can forward some or all of the queries that are not satisfied from its cache to another caching name server, commonly referred to as a forwarder. Methods of DNS SpoofingThere are various different methods of DNS Spoofing. Here are some of the most popular ones: Spoofing the DNS responsesThis method is a form of a Man-in-the-Middle (MITM) attack. In this one, the attacker is guessing the manner in which the DNS generates its query ID and sends a fake response with the IP address he/she wants. In the majority of cases, the cybercriminal pretends to be the victim’s DNS server and sends malicious responses. The chance for initiating such type of attack is based on the fact that DNS traffic operates with the User Datagram Protocol (UDP). That way, it is not possible for the victim to confirm the authenticity of the DNS response. DNS cache poisoningDNS cache poisoning or also known just “cache poisoning,” is another cyber attack that cybercriminals commonly initiate. It involves placing a bogus IP address in the cache memory of the devices of the users. That way, the target victim device is going to lead the user to that bogus IP address automatically. It includes sending to the DNS servers wrong mapping information with high TTL. The information is saved for a long time so the server can give the fake answer for a long time. Learn everything about the DNS Cache! Moreover, each further DNS request to the DNS servers with this cached, malicious information is going to direct to the bogus IP address. Such a threat is going to remain until the entry is pulled from the DNS cache. However, there is a security mechanism called DNSSEC which can be implemented to improve the protection of your DNS. DNS HijackingDNS Hijacking is one of the most complex DNS attacks out there. The cybercriminal hijacks a legitimate DNS server and takes control of it. Then, he or she makes some modifications to the DNS information (DNS records). That way, the fake DNS data pushes every user who reaches that website’s IP address to get sent to the falsified website. That is why encryption is especially important for the overall protection of your information. Example of DNS SpoofingMost commonly, attackers utilize premade tools to complete a DNS Spoofing attack. Typically, it is performed in any location with connected devices, yet the main targets are locations with free public Wi-Fi. They are usually poorly secured and misconfigured. That gives the cybercriminal a great opportunity to complete the malicious attempt. Therefore, it is best if you consider using only secure Wi-Fi networks. Here is an example of DNS Spoofing and the basic steps that the cybercriminal completes:
How to protect from DNS spoofing?There are few different things that you can do to protect from those attacks: Detection mechanisms. You can use special software to detect it. Using such a program, you can be safe from the most forms of DNS spoofing. Always use a secure connection. Use encryption via SSL or TLS to verify the certificate of the website you want to visit. Use DNSSEC – Domain Name System Security Extensions checks the data authenticity with digitally signed DNS records. ConclusionWe should be cautious where do we go on the internet and what emails are we opening. Even the slightest difference, like the missing of the SSL certificate, should immediately trigger us to check double the website we want to visit. (Visited 2,369 times, 4 visits today) Hi, I’m Martin Pramatarov. I have two degrees, a Technician of Computer Networks and an MBA (Master of Business Administration). My passion is storytelling, but I can’t hide my nerdish side too. I never forgot my interest in the Hi-tech world. I have 10 years and thousands of articles written about DNS, cloud services, hosting, domain names, cryptocurrencies, hardware, software, AI, and everything in between. I have seen the Digital revolution, the Big migration to the cloud, and I am eager to write about all the exciting new tech trends in the following years. AI and Big Data are here already, and they will completely change the world! I hope you enjoy my articles and the excellent services of ClouDNS! Enjoy this article? Don't forget to share. Tags: ARP cache, DDos Attacks, DNS, DNS attacks, DNS cache, DNS poisoning, DNS recursive, DNS security, DNS spoofing, forwarding Last modified: May 25, 2022
102.2k views
Domain Name Server (DNS) spoofing (a.k.a. DNS cache poisoning) is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination. Once there, users are prompted to login into (what they believe to be) their account, giving the perpetrator the opportunity to steal their access credentials and other types of sensitive information. Furthermore, the malicious website is often used to install worms or viruses on a user’s computer, giving the perpetrator long-term access to it and the data it stores. Methods for executing a DNS spoofing attack include:
DNS server compromise attack. DNS cache poisoning exampleThe following example illustrates a DNS cache poisoning attack, in which an attacker (IP 192.168.3.300) intercepts a communication channel between a client (IP 192.168.1.100) and a server computer belonging to the website www.estores.com (IP 192.168.2.200). In this scenario, a tool (e.g., arpspoof) is used to dupe the client into thinking that the server IP is 192.168.3.300. At the same time, the server is made to think that the client’s IP is also 192.168.3.300. Such a scenario would proceed as follows:
DNS is an unencrypted protocol, making it easy to intercept traffic with spoofing. What’s more, DNS servers do not validate the IP addresses to which they are redirecting traffic. DNSSEC is a protocol designed to secure your DNS by adding additional methods of verification. The protocol creates a unique cryptographic signature stored alongside your other DNS records, e.g., A record and CNAME. This signature is then used by your DNS resolver to authenticate a DNS response, ensuring that the record wasn’t tampered with. While DNSSEC can help protect against DNS spoofing, it has a number of potential downsides, including:
|