DNS SPOOFING

Hansini Rupasinghe
6 min read · May 18, 2021


What is DNS?

❉ DNS, which stands for Domain Name System, converts domain names into IP addresses, allowing browsers to load resources on the Internet.

❉ A domain name identifies one or more particular IP addresses. Domain names are used in URLs to identify specific websites or pages.

Ex: www.medium.com

This name can be used to find the actual target server's identifier (its IP address) easily.

❉ Domain names are alphabetic, which makes them easier to remember than numeric addresses.

❉ Every device connected to the Internet has its own unique IP address, which other machines use to locate the device.

❉ DNS servers help humans by remembering IP addresses for them.

❉ Every time you use a domain name, DNS must convert that name into the corresponding IP address.

IP Addresses and DNS Servers

❉ An IP (Internet Protocol) address is a unique number that identifies a computer or server on a network. These numeric identifiers are used to locate computers on the network and to communicate between them.

❉ The following commands can be used in Windows and Linux environments to find out IP addresses.

ipconfig - Windows
ifconfig - Linux

This is what I get when I run the above-mentioned command on my Windows machine.

❉ A DNS server is a fundamental part of the internet, often described as its phone book. Without DNS servers, using a web browser to find websites would be impractical.

❉ A DNS server’s job is to match a website’s name to its exact IP address when a user asks a computer to load that website.

❉ Four types of DNS servers are involved in loading a web page.

1. DNS Recursor

💠 The DNS recursor receives requests from client machines via applications such as web browsers. It then makes additional queries of its own to satisfy the DNS query the client requested.

2. Root nameserver

💠 The root nameserver is the starting point for translating human-readable hostnames into IP addresses. It acts as a reference point that directs the query on to other, more specific locations.

3. TLD nameserver

💠 The TLD (Top Level Domain) nameserver hosts the last part of a hostname.

Ex: In “www.medium.com”, the TLD server is responsible for “com”.

4. Authoritative nameserver

💠 It is responsible for returning the IP address of the queried hostname to the DNS recursor, provided the requested record is available on that authoritative nameserver.

What is DNS Spoofing?

❉ DNS spoofing is a computer attack in which a user is manipulated into visiting a fraudulent website that imitates a real one, with the aim of redirecting online traffic or stealing user credentials or other sensitive information.

❉ In DNS spoofing, attackers replace the IP addresses stored in a DNS server with addresses under their own control.

❉ Spoofing attacks can remain unnoticed for a long time and can give rise to severe security problems.

❉ There are 2 main DNS spoofing methods.

1. DNS Cache Poisoning
2. DNS ID spoofing

DNS Cache Poisoning

✦ DNS cache poisoning is a user-end method of DNS spoofing in which the fake IP address is recorded in the user’s local memory cache, so DNS keeps resolving to the disguised site even after the problem has been fixed on the server side.

✦ We can say that a DNS cache has been poisoned when the server receives an erroneous entry. This happens when an attacker controls a DNS server and alters the information it contains.

✦ When cache poisoning occurs, the user is directed to a phishing website even though he/she entered the website’s name correctly.

DNS ID Spoofing

✦ DNS ID spoofing happens when the IP information and the packet ID created for a particular resolution request sent by the client are falsified.

✦ The client accepts the response, with unexpected content in it, because the response ID matches the request ID.
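To see why a matching ID alone is a weak check, here is an added Python example (not from the original post) that builds a query with a random 16-bit transaction ID and validates a reply against the pending query: the source address/port, the ID, and the echoed question must all match before the answer is accepted. All names and addresses are constructed sample values.

```python
import os
import struct

# Added illustration: a stub resolver's acceptance checks for a DNS reply.
# A reply with a guessed ID is rejected unless it also arrives from the
# queried server and echoes the exact question that was asked.

def encode_name(name):
    """Encode 'www.example.com' as DNS labels: 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=None):
    """Return (txid, wire_bytes) for a standard recursive A query."""
    if txid is None:
        txid = struct.unpack("!H", os.urandom(2))[0]  # random 16-bit ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # type A, class IN
    return txid, header + question

def build_reply(txid, name, ip, aa=True):
    """Constructed reply: echoes txid and question, answers with `ip`."""
    flags = 0x8180 | (0x0400 if aa else 0)  # QR=1, RD=1, RA=1 (+AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # Answer RR: name pointer to offset 12, type A, class IN, TTL 300, 4-byte address
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    rr += bytes(int(o) for o in ip.split("."))
    return header + question + rr

def validate_reply(pending, reply, src):
    """
    `pending` holds {txid, question (bytes), server (ip, port)} for the
    in-flight query. Returns (ok, reason); any mismatch rejects the reply.
    """
    if src != pending["server"]:
        return False, "source address/port does not match the queried server"
    txid, flags, qd = struct.unpack("!HHH", reply[:6])
    if txid != pending["txid"]:
        return False, "transaction ID mismatch"
    if not flags & 0x8000:
        return False, "not a response (QR bit clear)"
    if qd != 1 or reply[12:12 + len(pending["question"])] != pending["question"]:
        return False, "question section does not echo our query"
    return True, "accepted"
```

Because the ID space is only 16 bits, real resolvers add source-port randomisation and DNSSEC validation on top of these checks; the example shows the minimum a client must verify.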

Techniques for DNS Spoofing or Cache Poisoning Attacks

⚙️ Man-in-the-middle attack

This is done by placing an attacker between your web browser and the DNS server, with the intention of infecting both. The user is diverted to a phishing site hosted on the attacker’s local server.

⚙️ DNS server hijack

In DNS server hijacking, attackers use malware to alter the DNS servers configured on clients in order to carry out DNS spoofing. As a result, the malware can observe what the client is requesting and mislead the client.

⚙️ DNS cache poisoning via spam

Code used for DNS cache poisoning can be embedded in URLs sent through spam emails. These emails aim to infect users’ computers by persuading them to click the URLs. Once poisoned, the computer takes the user to spoofed sites that infect the device with serious threats.

Risks of DNS Poisoning and Spoofing

💉 Malware infection

Through this process, attackers automate the infection of your system using methods such as drive-by downloads.

💉 Data theft

DNS spoof attackers steal sensitive information such as credit card details and other confidential details.

💉 Halted security updates

Security updates may fail if the sites of internet security providers are spoofed. As a result, user computers are exposed to other malicious threats such as viruses.

💉 Censorship

This is a nation-level block imposed by some governments, which intentionally poison DNS caches within their territories to deny access to certain websites or resources.

How to Prevent DNS Spoofing

🔰 Keeping DNS software up to date

🔰 Having separate servers for internal and public services

🔰 Requiring clients and partners to use HTTPS

🔰 Using secure keys to sign updates received from other DNS servers (DNS Security Extensions, DNSSEC)

🔰 Providing only necessary responses regarding a requested domain (response rate limiting)

🔰 Storing only necessary data about a requested domain

🔰 Avoiding updates from non-trusted sources

🔰 Limiting recursive queries

🔰 Keeping current backups
