DNS is responsible for resolving human-readable domain names to numeric IP addresses. It is a protocol designed in the early days of the internet, and it features only weak security mechanisms.
DNS Spoofing, also known as DNS Poisoning or DNS Cache Poisoning, involves corrupting an Internet server’s Domain Name System table by replacing a valid Internet address with another, rogue address. When a web user looks up the affected page, the request is redirected to a different address, from which a worm, spyware, web browser hijacking program, or other malware can be downloaded to the user’s computer.
Basic Overview of DNS Spoofing
DNS spoofing occurs when a particular DNS server’s records are “spoofed”, i.e. altered maliciously, to redirect traffic to the attacker. This redirection of traffic allows the attacker to spread malware, steal data, etc. For example, if a DNS record is spoofed, the attacker can redirect all the traffic that relied on the correct DNS record to a fake website that the attacker has created to resemble the real site, or to a different site entirely.
DNS is the Domain Name System, which stores website names and their corresponding IP addresses in its database in the form of records, arranged in a hierarchical manner across the Internet. Whenever a client accesses a particular website, say www.google.com, a request is first sent to the local DNS server for the IP address of that website. The DNS server checks for that IP address in its database and, once it finds it, immediately sends a response with the IP information to the client browser. If it does not find the record in its database, it forwards the request to the next higher DNS server in the hierarchy. In this way, the DNS server resolves name resolution requests coming from the clients.
When an entry in a DNS server is modified so that a particular website maps to an IP address which is not the expected one, the clients whose requests are resolved by this DNS server may be redirected to a website other than the expected one. This situation occurs when an entry is not added correctly to the DNS server, or when an unauthorized user has modified the DNS entries. The process of modifying DNS entries in an unauthorized manner is known as DNS Spoofing.
DNS Spoofing Technique
There are two techniques for accomplishing this DNS hijacking.
- DNS Cache Poisoning
- DNS ID Spoofing
DNS Cache Poisoning: The DNS Cache Poisoning method can be explained with an example. Consider two DNS servers – one is the local DNS server for your organization’s domain www.abc.com, and the other is a compromised DNS server for the domain www.attacker.com. The attacker adds customized entries to the compromised DNS server, pairing legitimate website names with IP addresses of his own choosing. He then sends a name resolution request for the IP address of the domain www.attacker.com to the DNS server of the domain www.abc.com. Since that DNS server does not have the information in its database, it obtains it from the compromised DNS server before responding to the attacker. During this transaction, the DNS server of www.abc.com receives into its cache not only the IP address information of www.attacker.com but also the other records present in the compromised DNS server. This is normally referred to as cache poisoning. From this moment on, a legitimate user who connects to the local DNS server for name resolution is misdirected to a website other than the expected one.
DNS ID spoofing: When a client generates a name resolution request to send to the DNS server, an ID is generated along with the request. The client accepts a response to its request only if the ID of the response packet matches the ID of the request packet. But this method of name resolution is not secure, because any unauthorized user who can sniff the request can create a response packet on the fly with the same ID but with IP information that is not the expected one. This kind of DNS attack is known as DNS ID Spoofing.
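The two techniques above both succeed only if the resolver accepts a response it should have rejected, so the natural defender-side illustration is the acceptance logic itself. The following is an added example (not code from the original article): a small model of a recursive resolver that matches each response against the outstanding query by transaction ID, destination port and echoed question, applies the bailiwick rule so that the attacker.com server’s extra record for www.abc.com never reaches the cache (the cache-poisoning scenario), silently counts responses whose ID matches nothing outstanding, and flags the tell-tale sign of ID spoofing, namely two differing answers arriving for one query. Messages are modelled as parsed objects rather than wire packets; all names, IDs, ports and addresses are constructed sample data, and the zone names passed in `PendingQuery.zone` are an assumption about what the resolver knows about the server it queried.

```python
"""Response-acceptance checks of a recursive resolver, modelled at the level
of parsed messages rather than raw packets.  This is an added example, not
code from the original article; all names, ports, IDs and addresses below
are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute, e.g. "www.abc.com."
    rtype: str   # record type, e.g. "A"
    rdata: str   # record data, e.g. "192.0.2.10"


@dataclass
class PendingQuery:
    txid: int      # 16-bit transaction ID chosen by the resolver
    src_port: int  # UDP source port the query left from
    qname: str     # question name
    zone: str      # zone the queried server is authoritative for (assumed known)


@dataclass
class Response:
    txid: int
    dst_port: int      # UDP port the response was sent to
    qname: str         # question section echoed back
    records: List[RR]  # answer, authority and additional records, flattened


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` or lies below it (absolute names, case-insensitive)."""
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self) -> None:
        self.pending: Dict[Tuple[int, int], PendingQuery] = {}
        self.answered: Dict[Tuple[int, int], Response] = {}  # first accepted response
        self.cache: Dict[Tuple[str, str], str] = {}            # (name, type) -> rdata
        self.alerts: List[str] = []
        self.unsolicited = 0   # responses matching no outstanding (txid, port)

    def send_query(self, q: PendingQuery) -> None:
        self.pending[(q.txid, q.src_port)] = q

    def accept_response(self, r: Response) -> bool:
        key = (r.txid, r.dst_port)
        q = self.pending.get(key)
        if q is None:
            # Nothing outstanding under this ID/port: a blind guess that missed,
            # or a late duplicate.  A late duplicate with different contents
            # means two parties answered one query, a classic spoofing signal.
            first = self.answered.get(key)
            if first is None:
                self.unsolicited += 1
            elif first.records != r.records:
                self.alerts.append(f"conflicting answers for txid={r.txid:#06x} port={r.dst_port}")
            return False
        if r.qname.lower() != q.qname.lower():
            self.alerts.append(f"question mismatch: sent {q.qname}, got {r.qname}")
            return False
        # Bailiwick rule: only records the answering server is authoritative
        # for may enter the cache; anything else is dropped and logged.
        for rr in r.records:
            if in_bailiwick(rr.name, q.zone):
                self.cache[(rr.name.lower(), rr.rtype)] = rr.rdata
            else:
                self.alerts.append(f"dropped out-of-bailiwick {rr.name} {rr.rtype} {rr.rdata}")
        self.answered[key] = r
        del self.pending[key]
        return True


def demo() -> Resolver:
    """Replays the two scenarios from the text against the checks above."""
    res = Resolver()
    # 1. Cache poisoning: the attacker.com server answers a query for its own
    #    name but carries an additional A record for www.abc.com.
    res.send_query(PendingQuery(0x1A2B, 40123, "www.attacker.com.", "attacker.com."))
    res.accept_response(Response(0x1A2B, 40123, "www.attacker.com.", [
        RR("www.attacker.com.", "A", "198.51.100.7"),
        RR("www.abc.com.", "A", "198.51.100.7"),   # not attacker.com's to give
    ]))
    # 2. ID spoofing: a reply with a wrong ID is ignored; the genuine reply is
    #    cached; a second, differing reply under the same ID is flagged.
    res.send_query(PendingQuery(0x7777, 51000, "www.abc.com.", "abc.com."))
    res.accept_response(Response(0x1234, 51000, "www.abc.com.", [RR("www.abc.com.", "A", "198.51.100.7")]))
    res.accept_response(Response(0x7777, 51000, "www.abc.com.", [RR("www.abc.com.", "A", "192.0.2.10")]))
    res.accept_response(Response(0x7777, 51000, "www.abc.com.", [RR("www.abc.com.", "A", "198.51.100.7")]))
    return res


if __name__ == "__main__":
    r = demo()
    print(r.cache)
    for a in r.alerts:
        print("ALERT:", a)
```

Running `demo()` leaves only the two in-bailiwick A records in the cache, one unsolicited response counted, and two alerts: the dropped www.abc.com record and the conflicting second answer. Note that the ID check alone gives an off-path forger a 1-in-65536 chance per guess, which is why real resolvers also randomize the source port and why the conflict alert matters: a successful guess is usually followed by the genuine answer, and the two disagree.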
How to Prevent DNS Spoofing
As a website visitor, there is not much you can do to prevent DNS spoofing. Rather, this falls more into the hands of the DNS provider that handles a website’s DNS lookups, as well as the website owner. Therefore, a few tips for site owners and DNS providers include:
- Implement DNS spoofing detection mechanisms – it is important to implement DNS spoofing detection software. Products such as XArp help protect against ARP cache poisoning by inspecting the data that comes through before transmitting it.
- Use encrypted data transfer protocols – using end-to-end encryption via SSL/TLS helps decrease the chance that a website or its visitors are compromised by DNS spoofing. This type of encryption allows users to verify whether the server’s digital certificate is valid and belongs to the website’s expected owner.
- Use DNSSEC – DNSSEC, or Domain Name System Security Extensions, uses digitally signed DNS records to help determine data authenticity. DNSSEC is still a work in progress as far as deployment goes; however, it was implemented at the Internet root level in 2010. An example of a DNS service that fully supports DNSSEC is Google’s Public DNS.
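Whether DNSSEC validation actually happened for a given answer is visible to a client in one bit of the DNS header: a validating resolver sets the AD (Authentic Data) flag. The following is an added example (not code from the original article or from any DNS software) that parses the 12-byte DNS header, showing where the 16-bit transaction ID from the ID-spoofing discussion and the AD flag sit, and applies a stub client’s acceptance test. The packets are constructed by hand (header only), and the example assumes the client trusts the network path to its validating resolver; without that assumption the AD bit itself could be altered in transit, which is the usual reason for running a local validating resolver or securing the last hop.

```python
"""Parse the 12-byte DNS header and report whether a response carries the AD
(Authentic Data) bit, which a validating resolver sets when DNSSEC validation
succeeded.  Added example, not from the original article.  Assumption: the
client trusts the path to its validating resolver, otherwise the bit itself
could be altered in transit.  The packets below are constructed by hand."""
import struct
from typing import Dict

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def parse_header(msg: bytes) -> Dict[str, int]:
    """Split the header fields defined in RFC 1035, plus AD/CD from RFC 4035."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": ident,                  # 16-bit transaction ID
        "qr": (flags >> 15) & 1,      # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,      # authoritative answer
        "tc": (flags >> 9) & 1,       # truncated
        "rd": (flags >> 8) & 1,       # recursion desired
        "ra": (flags >> 7) & 1,       # recursion available
        "ad": (flags >> 5) & 1,       # authentic data (DNSSEC validated)
        "cd": (flags >> 4) & 1,       # checking disabled
        "rcode": flags & 0xF,         # 0 = NOERROR
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def response_is_validated(msg: bytes, expected_id: int) -> bool:
    """A stub client's acceptance test: right ID, a NOERROR response with data, AD set."""
    h = parse_header(msg)
    return (h["qr"] == 1 and h["id"] == expected_id
            and h["rcode"] == 0 and h["ad"] == 1 and h["ancount"] > 0)


def make_header(ident: int, *, qr: int, ad: int, rcode: int = 0, ancount: int = 1) -> bytes:
    """Build a header with RD and RA set (constructed test input only)."""
    flags = (qr << 15) | (1 << 8) | (1 << 7) | (ad << 5) | rcode
    return HEADER.pack(ident, flags, 1, ancount, 0, 0)


# Constructed sample packets (header only; question/answer sections omitted).
VALIDATED = make_header(0xBEEF, qr=1, ad=1)
UNVALIDATED = make_header(0xBEEF, qr=1, ad=0)

if __name__ == "__main__":
    print(parse_header(VALIDATED))
    print(response_is_validated(VALIDATED, 0xBEEF), response_is_validated(UNVALIDATED, 0xBEEF))
```

An unsigned zone, or a resolver that does not validate, yields `ad == 0` even for a perfectly genuine answer, so the check distinguishes "validated" from "unknown", not "genuine" from "forged"; that distinction is exactly why DNSSEC deployment by zone owners, not only by resolvers, matters.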