DNS (Domain Name System) Spoofing

Arun prashanth
7 min read · May 18, 2021


Photo by Google

What is DNS?

DNS stands for Domain Name System. It is the phonebook of the internet. Humans access information online through domain names such as facebook.com or google.com, while web browsers communicate using Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so that browsers can load internet resources.

Every device connected to the internet has a unique IP address, which other machines use to find it. DNS servers eliminate the need for humans to memorize IP addresses such as 192.168.1.1 (in IPv4) or more complex alphanumeric addresses such as 2400:cb50:2098:1:c629::67a2 (in IPv6).

How does DNS work?

DNS resolution is the process of converting a hostname (e.g. www.facebook.com) into a computer-friendly IP address (e.g. 192.168.1.1). Each device on the internet has an IP address, and that address is needed to locate the right device, just as a street address is used to find a particular office. When a user wants to load a webpage, a translation must happen between what the user types into the web browser (e.g. facebook.com) and the machine-friendly address needed to locate the facebook.com webpage.

To understand the process behind DNS resolution, it is important to learn about the different hardware components a DNS query must pass between. For the web browser, the DNS query happens "in the background" and requires no interaction from the user's PC apart from the initial request.

DNS Server & IP Address

An Internet Protocol (IP) address is a unique number that identifies a server or computer on a network. These numeric identifiers are used to locate computers on the network and to communicate between them.

If you want to find the IP address of your device, you can use the commands below.

  • ipconfig - Windows (displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays the Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters.)
  • ipconfig /all - Windows (displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.)
  • /sbin/ifconfig - Linux & macOS
Example of IP configuration

To recap, DNS (the Domain Name System) is the phonebook of the internet: when the user asks the computer to load a website, a DNS server matches the website's name to its exact IP address.

Four different types of DNS servers are involved in loading a web page:
1. Recursive resolvers
2. Root nameservers
3. TLD nameservers
4. Authoritative nameservers

DNS recursive resolver

The recursive resolver is the first stop in a DNS query. It acts as a middleman between the client and the DNS nameservers.

After receiving a DNS query from a web client, a recursive resolver will either respond with cached data, or send a request to a root nameserver, followed by another request to a TLD nameserver, and then one last request to an authoritative nameserver.

After receiving a response from the authoritative nameserver containing the requested IP address, the recursive resolver then sends a response to the client.

When a client requests the IP address of a domain name that was recently requested by another client, the resolver can circumvent the process of communicating with the nameservers, and just deliver the client the requested record from its cache.

Root nameserver

A root server accepts a recursive resolver’s query which includes a domain name, and the root nameserver responds by directing the recursive resolver to a TLD nameserver, based on the extension of that domain (.com, .net, .org, etc.). The root nameservers are overseen by a nonprofit called the Internet Corporation for Assigned Names and Numbers (ICANN).

TLD nameserver

A TLD nameserver maintains information for all domain names that share a common extension, such as .com, .net, or whatever comes after the last dot in a domain name.

Authoritative nameserver

The authoritative nameserver is the last stop in the query. If it holds the requested record, it returns the IP address for the requested hostname to the recursive resolver that made the initial request.
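The chain described above (client → recursive resolver → root → TLD → authoritative, with the resolver caching the final answer) can be modelled in a few lines. The following is an added example written for this article, not code from the original post; the root, TLD and authoritative zone tables and the 203.0.113.x addresses are constructed sample data. The cache it keeps is exactly the structure that a poisoned entry would corrupt in the attacks discussed later.

```python
# Simulated walk through the four kinds of DNS server: a recursive resolver
# that follows referrals from a root server to a TLD server to an
# authoritative server, then caches the answer. All zone data is constructed.
from dataclasses import dataclass, field

# Constructed "root zone": which TLD server handles each extension.
ROOT_SERVER = {"com": "tld-com", "org": "tld-org"}

# Constructed TLD zones: which authoritative server holds each domain.
TLD_SERVERS = {
    "tld-com": {"example.com": "ns1.example.com"},
    "tld-org": {"example.org": "ns1.example.org"},
}

# Constructed authoritative zones: the final A records (sample addresses).
AUTHORITATIVE_SERVERS = {
    "ns1.example.com": {"www.example.com": "203.0.113.10"},
    "ns1.example.org": {"www.example.org": "203.0.113.20"},
}


@dataclass
class RecursiveResolver:
    cache: dict = field(default_factory=dict)
    upstream_queries: int = 0  # trips made to root/TLD/authoritative servers

    def resolve(self, hostname):
        """Return (ip_or_None, source) where source says how it was answered."""
        name = hostname.lower().rstrip(".")
        # A cached record lets the resolver skip the whole nameserver chain.
        if name in self.cache:
            return self.cache[name], "cache"

        labels = name.split(".")
        tld = labels[-1]
        domain = ".".join(labels[-2:])

        # Step 1: the root nameserver refers us to the TLD server for ".com"/".org".
        self.upstream_queries += 1
        tld_server = ROOT_SERVER.get(tld)
        if tld_server is None:
            return None, "NXDOMAIN at root"

        # Step 2: the TLD server refers us to the domain's authoritative server.
        self.upstream_queries += 1
        auth_server = TLD_SERVERS[tld_server].get(domain)
        if auth_server is None:
            return None, "NXDOMAIN at TLD"

        # Step 3: the authoritative server returns the record itself.
        self.upstream_queries += 1
        ip = AUTHORITATIVE_SERVERS[auth_server].get(name)
        if ip is None:
            return None, "NXDOMAIN at authoritative"

        # The answer is stored so the next client asking for this name is
        # served from cache without contacting any nameserver.
        self.cache[name] = ip
        return ip, "authoritative"


if __name__ == "__main__":
    resolver = RecursiveResolver()
    print(resolver.resolve("www.example.com"), resolver.upstream_queries)
    print(resolver.resolve("www.example.com"), resolver.upstream_queries)
```

The second call for the same name is answered from the cache and makes no upstream queries, which is the behaviour the "recursive resolver" section describes.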

DNS Spoofing Means What?

Domain Name System (DNS) spoofing is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination.

Once there, users are prompted to log in to their account, giving the attacker the opportunity to steal their credentials and other sensitive information. The malicious website is also often used to install worms or viruses on the user's device, giving the attacker long-term access to it and the data it stores.

There are two main methods of DNS spoofing.
1. DNS Cache Poisoning
2. DNS ID spoofing

DNS Cache Poisoning

DNS cache poisoning, also known as DNS spoofing, is an attack that exploits weaknesses in the Domain Name System (DNS) to divert internet traffic away from legitimate servers and towards fake ones.

A DNS cache becomes poisoned when it contains an incorrect entry. For example, if an attacker gains control of a DNS server and changes some of the records on it, stating that google.com actually points to an IP address the attacker owns, that DNS server will tell its users to look for google.com at the wrong address. The attacker's address could host some sort of malicious phishing website.

DNS Cache Poisoning Process

DNS ID spoofing

In DNS ID spoofing, the victim sends a resolve request to the server, and a reply arrives whose packet ID and IP information duplicate those generated for the genuine request but which carries forged information. Because the response ID matches the request ID, the victim's machine accepts the response, even though it contains data that was not expected.
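The defence against ID spoofing lives in the resolver's matching logic: a response is accepted only if its 16-bit transaction ID, the UDP port it arrives on, and the question it answers all match an outstanding query, and only the first such response is taken. The following added example (written for this article, not code from the original post) builds RFC 1035 wire-format packets for constructed names and sample addresses and implements that check; the `PendingQueries` class and its method names are this example's own. Randomizing the source port as well as the ID is what raises the guess space from 65,536 to roughly four billion combinations.

```python
# DNS response validation as a resolver performs it: match transaction ID,
# destination port and question section against an outstanding query.
# Packet layout follows RFC 1035; names and addresses below are constructed.
import secrets
import struct


def encode_name(name):
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=1):
    # Flags 0x0100: standard query with the "recursion desired" bit set.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, ip, qtype=1):
    # Flags 0x8180: response, recursion available, no error. One A record.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_question(packet):
    """Return header fields and the (uncompressed) question of a DNS packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"txid": txid, "flags": flags, "qname": ".".join(labels).lower(),
            "qtype": qtype, "qclass": qclass}


class PendingQueries:
    """Outstanding queries keyed by (source port, txid), as a resolver tracks them."""

    def __init__(self):
        self.pending = {}

    def send(self, qname):
        # Randomize both the 16-bit ID and the ephemeral UDP source port.
        txid = secrets.randbelow(65536)
        port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(port, txid)] = qname.lower()
        return port, build_query(txid, qname)

    def accept(self, dst_port, packet):
        """True only if this response matches an outstanding query; consumes it."""
        resp = parse_question(packet)
        key = (dst_port, resp["txid"])
        expected = self.pending.get(key)
        if expected is None:
            return False  # unknown port/ID pair: forged, stale or misdirected
        if not resp["flags"] & 0x8000 or resp["qname"] != expected:
            return False  # not a response, or it answers a different question
        del self.pending[key]  # first valid answer wins; later duplicates are dropped
        return True


if __name__ == "__main__":
    resolver = PendingQueries()
    port, query = resolver.send("www.example.com")
    txid = parse_question(query)["txid"]
    print(resolver.accept(port, build_response(txid, "www.example.com", "203.0.113.10")))
    print(resolver.accept(port, build_response(txid, "www.example.com", "198.51.100.77")))
```

A response that reuses the right ID but arrives on the wrong port, names a different question, or arrives after the genuine answer is discarded, which is why guessing the ID alone is not enough against a resolver that randomizes ports and checks the question section.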

Two methods for executing a DNS Spoofing attack:

  • Man in the middle (MITM) — The interception of communications between users and a DNS server in order to route users to a different, malicious IP address.
  • DNS server compromise — The direct hijacking of a DNS server, which is then configured to return a malicious IP address.

Risks of DNS Poisoning and Spoofing

Here are common risks of DNS poisoning and spoofing:

  • Data theft — DNS spoofing attackers steal personal information such as credit card details, bank details, and other sensitive data about users. The redirect targets are phishing websites designed to collect your information.
  • Malware infection — If you are not using internet security software, you are exposed to risks like spyware, keyloggers, or worms. When the spoof redirects you, the destination could be a site full of malicious downloads, and drive-by downloads are an easy way to automate the infection of your system.
  • Halted security updates — If spoofed sites include internet security providers, legitimate security updates will not be performed. As a result, your computer may be exposed to additional threats such as viruses.
  • Censorship — This is a risk that is actually commonplace in some parts of the world.

How to Prevent DNS Cache Poisoning and Spoofing

When it comes to preventing DNS spoofing, protections on the user's end are limited. Website owners and server providers are better placed to protect themselves and their users. To keep everyone safe, both parties must work to avoid spoofs.

Here is how website owners and DNS service providers can prevent it:

  1. DNS spoofing detection tools
  2. Domain name system security extensions
  3. End-to-end encryption
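A simple form of the "detection tools" item can be built from the resolver's own logs. The example below is added for this article (not code from the original post) and runs over constructed log lines in a made-up `key=value` format; it raises an alert on the two signs of spoofing discussed above: two different answers arriving for the same client, transaction ID and name (a forged reply racing the genuine one), and an answer for a monitored domain that falls outside a constructed allow-list of known-good addresses. The field names, the allow-list and the 203.0.113.x / 198.51.100.x addresses are all sample values.

```python
# Detection heuristics for DNS spoofing over resolver response logs.
# Log format, allow-list and addresses are constructed for this example.
import re
from collections import defaultdict

# Constructed sample log: the first two lines are two conflicting answers for
# one query; the last line answers a monitored name with an unexpected address.
LOG_LINES = """\
2021-05-18T10:00:01Z type=response client=10.0.0.5 txid=0x1a2b qname=www.example.com answer=203.0.113.10
2021-05-18T10:00:01Z type=response client=10.0.0.5 txid=0x1a2b qname=www.example.com answer=198.51.100.77
2021-05-18T10:00:02Z type=response client=10.0.0.7 txid=0x3c4d qname=www.example.org answer=203.0.113.20
2021-05-18T10:00:03Z type=response client=10.0.0.9 txid=0x5e6f qname=login.example.com answer=198.51.100.5
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) type=response client=(?P<client>\S+) txid=(?P<txid>0x[0-9a-f]+) "
    r"qname=(?P<qname>\S+) answer=(?P<answer>\S+)"
)

# Constructed allow-list: known-good addresses for names worth watching closely.
EXPECTED = {"login.example.com": {"203.0.113.10", "203.0.113.11"}}


def parse_log(text):
    """Parse response lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def detect_spoofing(records, expected=EXPECTED):
    """Return a list of alert strings, in log order."""
    alerts = []
    answers_seen = defaultdict(set)  # (client, txid, qname) -> distinct answers
    for rec in records:
        key = (rec["client"], rec["txid"], rec["qname"])
        answers_seen[key].add(rec["answer"])
        # Alert once, when a second distinct answer appears for the same query.
        if len(answers_seen[key]) == 2:
            alerts.append(
                f"duplicate-response {rec['qname']} for {rec['client']} "
                f"txid {rec['txid']}: {sorted(answers_seen[key])}"
            )
        allowed = expected.get(rec["qname"])
        if allowed is not None and rec["answer"] not in allowed:
            alerts.append(
                f"unexpected-answer {rec['qname']} -> {rec['answer']} "
                f"(expected one of {sorted(allowed)})"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(parse_log(LOG_LINES)):
        print(alert)
```

The duplicate-response check needs no prior knowledge of the correct address, which makes it useful on a resolver that serves many domains; the allow-list check is stricter but only covers the names you have enumerated in advance.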

Here is how endpoint users can prevent it:

  1. Never click on a link you don’t recognize
  2. Regularly scan your computer for malware
  3. Flush your DNS cache to solve poisoning
  4. Use Virtual Private Network (VPN)

Written by Arun prashanth

Software Engineer at Virtusa (Pvt) Ltd.