Domain Name System (DNS) spoofing is often used interchangeably with DNS cache poisoning. It is an attack in which DNS records are forged or altered so that users are redirected to a fraudulent website, typically one that imitates the user's intended destination. Strictly speaking, cache poisoning is one way of achieving spoofing: the attacker plants a forged record in a resolver's cache so that every client of that resolver is misdirected.
In plain terms, your computer asks for the address of a name, receives the attacker's IP address instead of the real one, and connects to it believing it has reached the correct site. Once there, the victim is prompted to log into their account, which gives the attacker the opportunity to harvest credentials and other confidential data.
The fraudulent site can also be used to deliver malware to the victim's device, giving the attacker long-term access to it.
A DNS cache is a resolver's store of recently looked-up records: each entry pairs a domain name and record type with the data that was returned for it and a lifetime. When the resolver closest to you (usually your ISP's or your organisation's recursive resolver) has no cached answer for the name you asked for, it queries other name servers, following referrals from the root down, until it reaches the server that is authoritative for that name. The answer is then stored in the resolver's cache and served to every client that asks for the same name until it expires. That shared cache is what makes poisoning attractive: a single forged entry misdirects everyone who uses that resolver.
DNS cache poisoning is the act of getting false information into that cache. The incorrect record remains there until its TTL (Time to Live) expires, unless an administrator removes it manually. The TTL is a value in seconds carried in every DNS record; the zone's operator sets it for legitimate answers, but a forged answer carries whatever TTL the attacker chooses, so poisoned entries are typically given very long lifetimes. If the malicious site resembles the intended one, the user may not be able to tell the difference, which makes DNS spoofing difficult to spot.
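The following Python model, added here as an illustration rather than taken from the article, shows the cache behaviour described above. The name, the addresses (taken from the RFC 5737 documentation ranges) and the TTLs are constructed for the example, and the max_ttl cap is an assumed setting standing in for the limits real resolvers offer (Unbound's cache-max-ttl, for instance). Two points fall out of running it: a forged reply has no effect while a genuine record is still cached, because no query is sent, and once a forged record is in the cache it is served until its TTL expires or it is flushed, with the cap deciding how long that can be.

```python
"""Toy resolver cache: a forged answer, once cached, is served until its TTL expires."""
import time


class FakeClock:
    """Constructed clock so the scenario runs deterministically and offline."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class DnsCache:
    """Minimal positive cache: (name, type) -> (rdata, expiry time)."""

    def __init__(self, clock=time.monotonic, max_ttl=86400):
        self._clock = clock
        self._max_ttl = max_ttl  # assumed cap, like Unbound's cache-max-ttl; bounds the poison window
        self._entries = {}
        self.upstream_queries = 0

    @staticmethod
    def _key(name, rtype):
        return (name.lower().rstrip("."), rtype.upper())

    def get(self, name, rtype):
        key = self._key(name, rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rdata, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[key]  # expired: evict and report a miss
            return None
        return rdata

    def put(self, name, rtype, rdata, ttl):
        ttl = min(max(ttl, 0), self._max_ttl)  # clamp whatever TTL the answer carried
        self._entries[self._key(name, rtype)] = (rdata, self._clock() + ttl)

    def resolve(self, name, rtype, fetch):
        """Serve from cache; only on a miss is an upstream query sent.

        fetch(name, rtype) stands in for the network and returns (rdata, ttl).
        A miss is the only moment at which an attacker can race the real answer.
        """
        rdata = self.get(name, rtype)
        if rdata is not None:
            return rdata
        self.upstream_queries += 1
        rdata, ttl = fetch(name, rtype)
        self.put(name, rtype, rdata, ttl)
        return rdata

    def flush(self, name=None, rtype=None):
        """Manual removal: the only way out before the TTL expires."""
        if name is None:
            self._entries.clear()
        else:
            self._entries.pop(self._key(name, rtype), None)


def poisoning_timeline(max_ttl=86400):
    """Constructed scenario: a legitimate answer, then a forged one that wins a race."""
    clock = FakeClock()
    cache = DnsCache(clock=clock, max_ttl=max_ttl)

    def legitimate(name, rtype):
        return ("192.0.2.10", 300)  # real address, 5-minute TTL

    def forged(name, rtype):
        return ("203.0.113.66", 604800)  # attacker's host, carrying a week-long TTL

    seen = []
    seen.append(cache.resolve("bank.example", "A", legitimate))  # miss: real answer cached
    seen.append(cache.resolve("bank.example", "A", forged))      # hit: no query sent, forgery has no effect
    clock.advance(300)                                           # real record expires
    seen.append(cache.resolve("bank.example", "A", forged))      # miss: forged answer wins the race
    clock.advance(3600)
    seen.append(cache.resolve("bank.example", "A", legitimate))  # an hour later: still poisoned?
    cache.flush("bank.example", "A")
    seen.append(cache.resolve("bank.example", "A", legitimate))  # manual flush recovers
    return seen, cache.upstream_queries


if __name__ == "__main__":
    for cap in (86400, 3600):
        answers, queries = poisoning_timeline(max_ttl=cap)
        print(f"max_ttl={cap:>6}: answers={answers} upstream_queries={queries}")
```

Run as a script it prints both timelines: with the default cap the forged address is still being served an hour after the race, while with a 3600-second cap the poisoned entry has already expired by then and the next lookup fetches the genuine record.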
DNS spoofing can also be carried out through a man-in-the-middle (MITM) attack. This goes beyond passive eavesdropping: an attacker positioned between the victim and the DNS server, for example on the same Wi-Fi network, intercepts the victim's queries and answers them with the IP address of a malicious host before the real resolver can.
A resolver does not authenticate the answers it receives. It accepts the first response that matches the transaction ID, destination port and question of a query it has outstanding, caches it, and, as noted above, serves it until the TTL runs out; it does not ask again in the meantime. The attacker's job is therefore to deliver a forged response that passes those checks before the genuine one arrives. Since the 16-bit transaction ID is the main value to be guessed, one technique is a "birthday attack": the attacker triggers many simultaneous queries for the same name and floods the resolver with forged responses carrying different transaction IDs, so that the chance of at least one match grows quickly with the number of packets, just as the chance of two people sharing a birthday grows quickly with the size of the group. Whichever forged response matches first is cached as if it were genuine.
Weaknesses in the caching process make DNS poisoning comparatively easy to attempt. However, because the resolver does send a real query to the authoritative name server, the attacker has only the round-trip time of that query, typically a few milliseconds, in which to land a matching forged response before the genuine reply arrives and closes the window. Randomizing the source port as well as the transaction ID raises the number of values the attacker must guess from about 65,000 to several billion, which is why modern resolvers do both.
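As an added example (not from the original article), the following Python model captures the checks a resolver makes on an incoming response and the size of the guessing space an attacker faces. The resolver, the attacker's sweep and the addresses are constructed; the port range and the fixed-port value are assumptions for the model rather than any particular resolver's behaviour. spoof_probability gives the analytic chance of a hit for a number of forged packets against one or many outstanding queries for the same name (the birthday case), and simulate plays the race out with and without source-port randomization.

```python
"""Toy model of the response race: what a resolver checks before caching a reply,
and how much guessing entropy the attacker faces."""
import random

TXID_SPACE = 1 << 16               # 16-bit transaction ID
PORT_LOW, PORT_HIGH = 1024, 65535  # assumed ephemeral source-port range for the model
PORT_SPACE = PORT_HIGH - PORT_LOW
FIXED_PORT = 53000                 # assumed port of a resolver without port randomization


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    """Tracks in-flight queries and applies the checks that gate caching."""

    def __init__(self, rng, randomize_port=True):
        self.rng = rng
        self.randomize_port = randomize_port
        self.in_flight = {}  # (txid, src_port) -> (qname, server_ip, zone)

    def send_query(self, qname, server_ip, zone):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else FIXED_PORT
        self.in_flight[(txid, port)] = (qname, server_ip, zone)
        return txid, port

    def accept_response(self, txid, dst_port, src_ip, qname, answer_name):
        """Return True if the reply would be cached; the first matching reply wins."""
        query = self.in_flight.get((txid, dst_port))
        if query is None:
            return False  # transaction ID or port matches no pending query
        expected_qname, server_ip, zone = query
        if src_ip != server_ip or qname != expected_qname:
            return False  # src_ip is spoofable, so this check alone is weak
        if not in_bailiwick(answer_name, zone):
            return False  # data for names outside the queried zone is discarded
        del self.in_flight[(txid, dst_port)]
        return True


def spoof_probability(forged, outstanding=1, randomize_port=True):
    """P(at least one of `forged` random guesses matches one of `outstanding`
    pending queries for the same name). With-replacement formula; a close
    approximation whenever forged is far smaller than the search space."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    per_guess = min(outstanding / space, 1.0)
    return 1.0 - (1.0 - per_guess) ** forged


def simulate(trials, forged, randomize_port, seed=0):
    """Fraction of trials in which the attacker wins the race.

    The attacker sweeps `forged` consecutive transaction IDs from a random start
    and, when the resolver randomizes ports, has to guess the port as well.
    Every forged packet carries the authoritative server's IP as its source.
    """
    rng = random.Random(seed)
    server_ip, qname, zone = "192.0.2.53", "www.bank.example", "bank.example"  # constructed
    poisoned = 0
    for _ in range(trials):
        resolver = Resolver(rng, randomize_port)
        resolver.send_query(qname, server_ip, zone)
        start = rng.randrange(TXID_SPACE)
        for i in range(forged):
            guess_id = (start + i) % TXID_SPACE
            guess_port = rng.randrange(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
            if resolver.accept_response(guess_id, guess_port, server_ip, qname, qname):
                poisoned += 1
                break
    return poisoned / trials


if __name__ == "__main__":
    for forged, outstanding in ((1000, 1), (1000, 200)):
        for rp in (False, True):
            p = spoof_probability(forged, outstanding, rp)
            print(f"forged={forged:5d} outstanding={outstanding:3d} port_random={rp!s:5}: P={p:.2e}")
    print("sweep of all 65536 IDs, fixed port :", simulate(3, TXID_SPACE, False))
    print("sweep of all 65536 IDs, random port:", simulate(3, TXID_SPACE, True))
```

The analytic table is the point: a thousand forged packets against a single query have about a 1.5% chance of a hit, the same thousand packets against 200 outstanding queries for the same name (the birthday case) succeed about 95% of the time, and with source-port randomization both figures collapse to a few in a hundred thousand. The simulation shows the same thing in the extreme: sweeping every transaction ID always wins against a fixed port, and practically never against a random one.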
The DNS standard was created in the early 1980s, when security was not a major design concern. The SSL protocol was not published until 1995, so there was little awareness of the need to secure connections between web clients and web servers over an untrusted network, and encryption was in any case expensive for the underpowered hardware of the time.
Fortunately, new standards and security protocols have been created to combat DNS attacks, but implementation of these standards has been slow and is yet to be widely adopted.
Plain DNS is neither encrypted nor authenticated, which makes it easy for an attacker to forge responses and redirect traffic. DNSSEC (Domain Name System Security Extensions) is the most widely deployed defence against cache poisoning: zone operators sign their records, and a validating resolver checks those signatures along the chain of trust from the root down, so a forged record without a valid signature is rejected rather than cached. DNSSEC does not encrypt DNS traffic, and the extra records and validation add some latency and larger responses, which is the price of knowing the entries were not forged.
Use TLS (formerly SSL) on the website itself. TLS does not stop a DNS answer from being spoofed, but it limits the damage: the attacker's server cannot present a certificate for the real site's name that the browser will trust, so the connection fails with a certificate warning instead of silently landing the user on the fraudulent site. In this way the browser verifies on the user's behalf that the server it reached really belongs to the site's owner; the protection holds only as long as the user does not click through the warning.
Active monitoring is a further, proactive measure. Monitor DNS traffic and resolver logs for changes in behaviour, such as the appearance of a new external host, a familiar domain suddenly resolving to an address outside its usual network, answers with unusually long TTLs, or more than one response arriving for the same query ID with different answers, which is the signature of a spoofing race.
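As an added example, here is a detection pass in Python over a constructed resolver log. The log format, the baseline prefixes and the sample lines are all invented for the example and come neither from the article nor from any real resolver; in practice the records would be taken from the resolver's query log or from passive DNS capture. It flags three things: an answer for a watched name that falls outside its known prefix, a TTL far above what the name normally carries, and two responses to the same query ID with different answers, which is what a spoofing race looks like in the logs when the genuine reply arrives after the forged one.

```python
"""Detection pass over constructed resolver response logs: flags signs of a spoofing race."""
import ipaddress
import re
from collections import defaultdict

# Constructed log format for this example: one line per DNS response the resolver received.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) resp id=(?P<id>0x[0-9a-fA-F]+) qname=(?P<qname>\S+) "
    r"src=(?P<src>\S+) rdata=(?P<rdata>\S+) ttl=(?P<ttl>\d+)$"
)

# Assumed baseline of known-good prefixes per watched name (RFC 5737 documentation ranges).
BASELINE = {
    "www.bank.example": [ipaddress.ip_network("192.0.2.0/24")],
    "mail.bank.example": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed sample: a forged reply wins the race for id 0x1a2b, then the real one lands.
SAMPLE_LOG = """\
2024-05-01T10:00:00.001Z resp id=0x1a2b qname=www.bank.example src=192.0.2.53 rdata=203.0.113.66 ttl=604800
2024-05-01T10:00:00.009Z resp id=0x1a2b qname=www.bank.example src=192.0.2.53 rdata=192.0.2.10 ttl=300
2024-05-01T10:00:01.200Z resp id=0x7c01 qname=mail.bank.example src=192.0.2.53 rdata=192.0.2.25 ttl=300
2024-05-01T10:05:00.004Z resp id=0x3e44 qname=www.bank.example src=192.0.2.53 rdata=192.0.2.10 ttl=300
"""


def parse(lines):
    """Yield one dict per well-formed log line; anything else is skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ttl"] = int(rec["ttl"])
        rec["qname"] = rec["qname"].lower().rstrip(".")
        yield rec


def find_anomalies(records, baseline=BASELINE, max_ttl=86400):
    """Return (kind, qname, detail) alerts for the three indicators described above."""
    alerts = []
    answers_by_query = defaultdict(list)
    for rec in records:
        try:
            ip = ipaddress.ip_address(rec["rdata"])
        except ValueError:
            ip = None  # e.g. a CNAME target; no prefix check possible
        expected = baseline.get(rec["qname"])
        if ip is not None and expected is not None and not any(ip in net for net in expected):
            alerts.append(("out-of-baseline", rec["qname"], rec["rdata"]))
        if rec["ttl"] > max_ttl:
            alerts.append(("long-ttl", rec["qname"], rec["ttl"]))
        answers_by_query[(rec["id"], rec["qname"])].append(rec["rdata"])
    # Two responses to one query ID with different data: the real reply arrived after a forgery.
    for (qid, qname), answers in answers_by_query.items():
        if len(set(answers)) > 1:
            alerts.append(("conflicting-answers", qname, (qid, sorted(set(answers)))))
    return alerts


if __name__ == "__main__":
    for kind, qname, detail in find_anomalies(parse(SAMPLE_LOG.splitlines())):
        print(f"{kind:20} {qname:20} {detail}")
```

The baseline check is the one that needs care in production: names served by CDNs legitimately move between prefixes, so the baseline should be built from the name's own history rather than a fixed list, and the TTL threshold should likewise be relative to what the name normally carries.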
Prefer URLs that use https, and pay attention to the browser's certificate indicators. The padlock alone does not make a site legitimate, but if a site you normally reach over https suddenly shows a certificate warning, loses its padlock, or switches to plain http, consider the possibility of a DNS spoofing attack and do not enter credentials.
Spoofing attacks are hard to spot. Monitor your DNS traffic, keep devices free of malware (which can itself alter a device's DNS settings or local cache), and flush the resolver cache if poisoning is suspected.
Yes, DNS spoofing and DNS cache poisoning are commonly used as synonyms. Strictly, cache poisoning is the technique of planting a forged record in a resolver's cache, and spoofing is the broader goal of answering DNS queries with forged data.
Use DNSSEC, active monitoring and firewalls, and keep devices free of malware.