DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver’s cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker’s computer (or any other computer).
It results in the substitution of a false Internet Protocol (IP) address at the domain name service level, where web addresses are converted into numeric IP addresses. It allows an attacker to replace the IP address DNS entries for a target site on a given DNS server with the IP addresses of a server he/she controls. The attacker can also create fake DNS entries for files with the same names as those on the target server.
The DNS provides a way for computers to translate the domain names we see to the physical IPs they represent. When you load a webpage, your browser will ask its DNS server for the IP of the host you requested, and the server will respond. Your browser will then request the webpage from the server with the IP address that the DNS server supplied.
How to launch DNS Poisoning attack
- Set up a website on your computer
- Install Treewalk tools and modify the file mentioned in the readme.txt (of its home directory) to your IP address.
- It will make your system a DNS server.
- Modify the file dns-spoofing.bat and replace the IP address with your IP address.
- Trojanize the dns-spoofing.bat file and send it
- When the host clicks the Trojanized file, it will replace the DNS entry in her TCP/IP properties with that of your machine.
- You will become her DNS server and her DNS requests will go through you.
There are four types of DNS poisoning attacks using which you can compromise the target system:
- Intranet DNS spoofing (local network)
When an attacker performs DNS poisoning on a local area network (LAN), it is called intranet DNS spoofing. An attacker can perform an intranet DNS spoofing attack with the help of the ARP poisoning technique. This is usually conducted on a switched LAN. To perform this attack, you must be connected to the LAN and be able to sniff the traffic or packets.
Once the attacker succeeds in sniffing the ID of the DNS request from the intranet, he or she can send a malicious reply to the sender before the actual DNS server does.
- Internet DNS spoofing (remote network)
Internet DNS poisoning is also known as remote DNS poisoning. This attack can be performed on either a single victim or multiple victims anywhere in the world. In order to perform this attack, you need to set up a rogue DNS server with a static IP address.
Internet DNS spoofing is performed when the victim’s system is connected to the Internet. It is done with the help of Trojans. It is one of the MITM types of attacks, where the attacker changes the primary DNS entries of the victim’s computer. The attacker replaces the victim’s DNS IP address with a fake IP address that refers to the attacker’s system; thus all traffic will be redirected to the attacker’s machine. Now the attacker can easily sniff the victim’s confidential information.
- Proxy server DNS poisoning
In the proxy server DNS poisoning technique, the attacker changes the proxy server setting of the victim to that of the attacker. This is done with the help of a Trojan. This redirects the victim’s requests to the attacker’s fake website, where the attacker can sniff the confidential information of the victim.
- DNS cache poisoning
The DNS system uses cache memory to hold recently resolved domain names. It is populated with recently used domain names and their respective IP address entries. When a user request comes in, the DNS resolver first checks the DNS cache; if the domain name that the user requested is found in the cache, the resolver returns its respective IP address immediately. Thus, it reduces the traffic and time of DNS resolving.
Attackers target this DNS cache and make changes or add entries to it. The attacker replaces the user-requested IP address with a fake IP address. Then, when the user requests that domain name, the DNS resolver checks the entry in the DNS cache and picks the matched entry. Thus, the victim is redirected to the attacker’s fake server instead of the authorized server.
How to defend against DNS spoofing:
- Resolve all DNS queries to local DNS servers
- Block DNS requests from going to external servers
- Implement DNSSEC
- Configure the DNS resolver to use a new random source port from its available range for each outgoing query
- Configure the firewall to restrict external DNS lookup
- Restrict the DNS recursion service, either fully or partially, to authorized users
- Use DNS Non-Existent Domain (NXDOMAIN) rate limiting
- Secure your internal machines
- Implement IDS and deploy it correctly
- Use static ARP and IP table
- Use SSH encryption
- Use sniffing detection tools
- Do not open suspicious files
- Always use trusted proxy sites
- Audit your DNS server regularly to remove vulnerabilities
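As an added example (not from the original article), here is a small Python model of the resolver-side checks behind the random-source-port and cache-poisoning defenses listed above: a reply is cached only if it matches both the 16-bit transaction ID and the random source port of an outstanding query and every record stays within the queried zone's bailiwick; anything else is logged as what a sniffing-detection tool or IDS would alert on. The `Question`, `Answer` and `Resolver` names are my own and the replies are constructed.

```python
import random
from dataclasses import dataclass

@dataclass
class Question:
    txid: int     # 16-bit transaction ID chosen by the resolver
    sport: int    # ephemeral UDP source port the query left from
    qname: str

@dataclass
class Answer:
    txid: int
    dport: int    # port the reply is addressed to (must equal our source port)
    qname: str
    records: dict  # name -> IP from the answer/additional sections

class Resolver:
    def __init__(self, seed=None):
        # A fixed seed is for reproducible tests only; real resolvers use SystemRandom.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.outstanding = {}  # (txid, sport) -> Question
        self.cache = {}        # name -> IP
        self.rejected = []     # (reason, Answer): what an IDS would alert on

    def send_query(self, qname):
        # Fresh random ID *and* fresh random source port for every query.
        txid = self.rng.randrange(0, 1 << 16)
        sport = self.rng.randrange(1024, 1 << 16)
        q = Question(txid, sport, qname)
        self.outstanding[(txid, sport)] = q
        return q

    def receive(self, ans):
        q = self.outstanding.get((ans.txid, ans.dport))
        if q is None or q.qname != ans.qname:
            self.rejected.append(("no matching query", ans))  # wrong ID/port: forged or stale
            return False
        zone = q.qname.partition(".")[2] or q.qname  # bailiwick: cache only names under the zone
        if any(not (n == zone or n.endswith("." + zone)) for n in ans.records):
            self.rejected.append(("out-of-bailiwick record", ans))
            return False
        del self.outstanding[(ans.txid, ans.dport)]
        self.cache.update(ans.records)
        return True

def blind_guess_space(port_randomized):
    """(ID, port) combinations a blind spoofer must cover to hit one outstanding query."""
    return (1 << 16) * ((1 << 16) - 1024 if port_randomized else 1)
```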