Introduction to DNS Spoofing

Issath Sesni
3 min read, May 21, 2021


Image by hybridcloudtech.com

What is DNS (Domain Name System)

It is a distributed system used to translate domain names into IP addresses. DNS returns the IP address that belongs to a domain name; this process is called name resolution. For this to work, the IP address of a DNS server must be configured on each device. If no DNS server has been configured on the device, the one advertised by the local router is used automatically. Plain DNS is an unencrypted and unauthenticated protocol, so it is easy to intercept its traffic and to spoof replies. Normally a client does not validate the IP addresses to which a DNS answer directs its traffic.

What is DNS Spoofing

What is spoofing :- It means deception or forgery

It is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination. The user is redirected to a fake website that looks like the real one, usually in order to steal the user's credentials. Such an attack can go on for a long period of time without being detected and can cause serious security issues.

Methods for executing a DNS spoofing attack:

  • Man in the middle (MITM) — The interception of communications between users and a DNS server in order to route users to a different/malicious IP address.
  • DNS server compromise — The direct hijacking of a DNS server, which is configured to return a malicious IP address.

How DNS Spoofing works

DNS Spoofing
  • The client (web browser) first requests the IP address for the host name (e.g. microsoft.com) from the DNS server.
  • The web browser then receives the response to its request, but the response contains a fake IP address. The connection to the actual server for microsoft.com is never established.
  • Instead, the client sends its request to the malicious host behind the faked IP address.
  • The malicious host returns what appears to be a legitimate website page to the client. However, the fake site lacks a valid security certificate for the domain name, which makes the attack visible.

DNS Spoofing methods :-

  1. DNS cache poisoning :- The local DNS server's cache is filled from a compromised DNS server containing customized entries that map genuine website names to the attacker's own IP addresses. When a request is sent to the local DNS server for name resolution, it answers from these poisoned entries, and the user is redirected to a false website planted by the attacker.
  2. DNS ID spoofing :- The packet ID (transaction ID) and IP information of the resolve request sent by the client are duplicated in a forged response that carries false information. Because the response ID matches the request ID, the client accepts the response even though it contains an answer that was not expected.
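As an added example that is not part of the original article, below are the acceptance checks a resolver applies before trusting a reply, which a forged response must pass: the transaction ID must match an outstanding query, the reply must arrive on the UDP port that query was sent from, and the echoed question must be identical. The host names, ports and addresses are constructed samples.

```python
import struct
import ipaddress

FLAG_QR = 0x8000  # bit set in the flags word when the message is a response

def encode_name(name):
    """Encode a dotted hostname into DNS label format (no compression)."""
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode an uncompressed DNS name starting at msg[off]; return (name, next_offset)."""
    labels = []
    while msg[off] != 0:
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), off + 1

def build_message(txid, qname, qtype=1, answer_ip=None):
    """Constructed sample message: a query, or a response carrying one A record."""
    flags = (FLAG_QR | 0x0080) if answer_ip else 0x0100  # QR+RA for a response, RD for a query
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # question: name, type, class IN
    if answer_ip:
        # answer owner name is a compression pointer (0xC00C) to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4) + ipaddress.IPv4Address(answer_ip).packed
    return msg

def parse_message(msg):
    """Extract the fields the validator needs: id, QR flag, and the question section."""
    txid, flags = struct.unpack("!HH", msg[:4])
    qname, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "is_response": bool(flags & FLAG_QR), "qname": qname.lower(), "qtype": qtype}

def validate_response(pending, local_port, raw):
    """Resolver-side check. `pending` maps txid -> {"qname", "qtype", "port"} for queries
    still awaiting an answer; `local_port` is the UDP port this datagram arrived on.
    Returns 'accepted' or the reason the reply is discarded."""
    r = parse_message(raw)
    if not r["is_response"]:
        return "not a response"
    q = pending.get(r["txid"])
    if q is None:
        return "unknown transaction id"
    if q["port"] != local_port:
        return "port mismatch"
    if (q["qname"], q["qtype"]) != (r["qname"], r["qtype"]):
        return "question mismatch"
    return "accepted"
```

A forged reply therefore has to guess both the 16-bit ID and the source port, which is why resolvers randomize the port as well as the ID.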

How to protect yourself from DNS spoofing

  • Keep the DNS software up to date.
  • Maintain separate servers for public and internal services.
  • Use secure keys to sign updates received from other DNS servers, so that updates from non-trusted sources are rejected.

DNS spoofing is a serious threat. Therefore we have to follow some effective protection against DNS spoofing.

  1. Encryption method :- With this method, data is protected from unauthorized access by third parties, and the authenticity of the communicating party is ensured.
  2. Use DNSSEC :- It is a protocol designed to secure your DNS by adding additional methods of verification. The protocol creates a unique cryptographic signature stored alongside your other DNS records, e.g. the A record and CNAME. This signature is then used by your DNS resolver to authenticate a DNS response, which ensures that the record wasn't tampered with by an attacker. Apart from that, DNSSEC has some drawbacks, i.e. lack of data confidentiality, complex deployment and zone enumeration.

Note : If an attacker tries to pretend to be a legitimate host, this will result in a certificate error on the user side and the spoofing attempt will be detected.

Happy Learning.🙂
