DNS Spoofing attacks also have a feature that makes them extra dangerous. If your router doesn’t know the address of a particular site, it forwards the question to the DNS resolver run by your ISP. If that resolver doesn’t have the answer cached either, it asks the authoritative servers for the domain and caches whatever comes back.
You can see the problem: a forged answer that gets into the cache of a widely used resolver is handed out to every device that asks that resolver, and to any smaller resolvers that forward to it, until the record expires. One bad entry high up the chain can mislead a large slice of the internet.
This has occasionally happened by accident.
In 2010, a mirror of one of the DNS root servers, operated by a Swedish organisation but physically located in China, briefly became reachable from outside China because of a routing leak. Resolvers in Chile and the United States that reached it received the falsified answers that China’s ‘Great Firewall’ injects for sites such as Facebook, Twitter and YouTube, and users behind those resolvers were sent to the wrong addresses. The mistake was spotted because the results were clearly the censored ones meant for Chinese users.
Though the problem was quickly rectified, it was a reminder of how far a single bad DNS answer can travel, and how quickly.
To understand DNS Spoofing, we first need to understand what the DNS system is.
DNS is a fundamental part of how the internet works. Its job is to turn a human-readable domain name (something like example.com) into the numerical address your computer actually connects to. That address is the IP address.
When you type a URL into a browser, the domain name in it has to be translated into an IP address. Your device sends that question to whichever DNS server it has been given, which on a home network is normally your WiFi router. If the router doesn’t have the answer, it forwards the question to the resolver that sits ‘above’ it, normally one run by your ISP, and that resolver in turn asks the authoritative servers for the domain.
To speed things up, resolvers remember the answers they have already fetched and reuse them for as long as the record’s time-to-live (TTL) allows. The TTL is set by the domain’s owner and is typically anything from a few seconds to a day. This stored set of answers is the DNS cache.
The DNS cache is a great feature, because it makes looking up an IP much quicker. It can also create problems, though. If an attacker can get a forged record into a resolver’s cache, either by compromising the resolver or by slipping it a fake answer that it accepts as genuine, then every device that asks that resolver for the name is told to look in the wrong place, and is re-routed to a site controlled by the attacker.
This is dangerous because the fake site will probably look exactly the same as the legitimate one you were looking for, and the address bar shows the correct domain name, so you won’t notice the difference. The one thing in the attacker’s way is HTTPS: the browser will complain if the fake site cannot present a valid certificate for that name, so the attacker either needs to get round that check or hope you click through the warning.
Deliberately getting forged DNS data accepted in this way is known as DNS Spoofing.
The aim of a DNS Spoofing attack is to redirect users to a website or location controlled by the attacker. Such attacks are typically hard to spot, precisely because they make use of the normal system that devices and servers use to find websites. If implemented correctly, a forged answer is indistinguishable from a real one, and neither user nor server will be aware that an attack has taken place.
This type of attack starts when an attacker gets a forged DNS record accepted by a resolver. Sometimes this is done at a relatively high level, by attacking an ISP’s resolver. Sometimes it can be achieved by simply taking control of a personal or corporate WiFi router. If an attacker is able to obtain the admin password for a router, perhaps by capturing it with an Evil Twin attack, changing the DNS servers the router hands out to every connected device becomes relatively easy.
A favourite approach is therefore to attack public WiFi networks, which typically use weak security settings. An attacker who is already on such a network doesn’t even need to poison anything: they can hand out their own DNS server via DHCP, or simply answer other users’ DNS queries themselves. Connections on these networks are often flaky enough that the odd wrong answer goes unremarked.
Once users have been redirected to the attacker’s site or location, the attacker can launch further attacks aimed at stealing sensitive or confidential information, stealing money, or simply impersonating the user.
DNS Spoofing attacks are often the first step in implementing a variety of further attacks:
Whatever the attack method, the goals are the same: to steal personal information, either to sell it or to blackmail the victim into paying the attacker, or to gain access to the victim’s online banking and simply transfer money out of the account.
DNS Cache Poisoning is a related form of attack, and the term is sometimes used interchangeably with DNS Spoofing.
Strictly, cache poisoning is one way of spoofing DNS: rather than fooling a single device, the attacker gets a forged record into a resolver’s cache, where it is served to everyone who queries that resolver until its TTL expires. In the industry the term is used mostly for large-scale attacks that aim to affect many users rather than a particular individual.
Cache poisoning attacks make use of the feature of the DNS system we’ve already mentioned. If a resolver doesn’t have the IP address for a given name cached, it sends a query to the servers that do know, and accepts the first reply that matches that query: same destination port, same 16-bit transaction ID, same question. The answer is cached and sent back down the chain to the user.
That matching check is all that stands between a forged reply and the cache. An attacker who can guess the port and transaction ID, and get their reply in before the genuine one, has poisoned the resolver, and if it is a high-level resolver with many users and downstream forwarders, the bad record cascades to all of them. Each cache is poisoned by the one above it, in other words.
Poisoning the resolvers run by large providers might be more difficult than compromising a public WiFi router, of course, but the rewards of doing so are correspondingly greater. A successful cache poisoning attack can affect hundreds of thousands of users, at least until the attack is detected and the bad records are flushed.
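As an added example (not code from the original article), here is a small Python model of the caching behaviour described earlier and of the race a cache-poisoning attacker runs against it. The resolver, the zone data, the addresses and the attacker’s burst of forged replies are all constructed for the simulation; nothing is sent over the network. It shows the one check a resolver makes before trusting a reply, why a fixed source port makes that check trivially cheap to beat, and how a single accepted forgery is then served to every later client until the TTL runs out.

```python
"""Toy caching resolver plus a blind (off-path) cache-poisoning race.

Added illustration, not code from the original article. The zone data,
addresses and attacker are all constructed; nothing touches the network.
It models the check a real resolver makes before accepting a reply
(matching destination port, transaction ID and question) and what
follows from it.
"""
import random
from dataclasses import dataclass, field

TTL = 300  # seconds a record lives in the cache (constructed value)
# Constructed "authoritative" data: what the real nameservers would answer.
AUTHORITATIVE = {"bank.example": "192.0.2.10"}
ATTACKER_IP = "198.51.100.66"  # where the attacker wants victims to go
FIXED_PORT = 53                # old resolvers sent every query from one port


@dataclass
class Reply:
    port: int   # destination UDP port the reply is addressed to
    txid: int   # 16-bit transaction ID copied from the query
    name: str
    ip: str
    ttl: int


@dataclass
class Resolver:
    port_range: tuple = None  # (lo, hi) for random source ports, None = fixed
    rng: random.Random = field(default_factory=lambda: random.Random(7))
    cache: dict = field(default_factory=dict)  # name -> (ip, expiry_time)

    def _outstanding_query(self):
        if self.port_range:
            port = self.rng.randrange(*self.port_range)
        else:
            port = FIXED_PORT
        return port, self.rng.randrange(1 << 16)

    def resolve(self, name, now, forged=()):
        """Answer from cache if fresh; otherwise query and accept the first
        reply that matches the outstanding query. `forged` is the attacker's
        burst of spoofed replies, which arrive before the genuine one because
        the attacker does not wait for the authoritative server."""
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]                       # no query sent at all
        port, txid = self._outstanding_query()
        genuine = Reply(port, txid, name, AUTHORITATIVE[name], TTL)
        for r in (*forged, genuine):
            if (r.port, r.txid, r.name) == (port, txid, name):
                self.cache[name] = (r.ip, now + r.ttl)
                return r.ip
        raise AssertionError("the genuine reply always matches")


def forged_burst(name, guessed_port):
    """One spoofed reply per possible transaction ID, all aimed at one port:
    65,536 packets, the whole ID space for a single port guess."""
    return [Reply(guessed_port, t, name, ATTACKER_IP, TTL) for t in range(1 << 16)]


def packets_to_guarantee(port_range):
    """Spoofed replies needed to cover every (port, txid) pair."""
    ports = (port_range[1] - port_range[0]) if port_range else 1
    return ports * (1 << 16)


def poisoning_attempt(port_range, guessed_port):
    """Run one race; return (address the victim gets, resolver) so the
    cache can be inspected afterwards."""
    res = Resolver(port_range=port_range)
    burst = forged_burst("bank.example", guessed_port)
    ip = res.resolve("bank.example", now=0, forged=burst)
    return ip, res


if __name__ == "__main__":
    ip, res = poisoning_attempt(None, FIXED_PORT)
    print("fixed port:", ip, "(poisoned)" if ip == ATTACKER_IP else "(clean)")
    # Every later client asking this resolver within the TTL gets the forged
    # answer without a single packet leaving the resolver.
    print("second client, 10s later:", res.resolve("bank.example", now=10))
    print("after TTL expiry:", res.resolve("bank.example", now=TTL + 1))
    ip, _ = poisoning_attempt((1024, 65536), FIXED_PORT)
    print("random port:", ip)
    print("packets to guarantee success: fixed port %d, random port %d"
          % (packets_to_guarantee(None), packets_to_guarantee((1024, 65536))))
```

Running it prints the poisoned answer for the fixed-port resolver, the cached forgery a second client receives ten seconds later, the correct address once the TTL has expired, and the clean result for a resolver that randomises its source port, along with the number of packets the attacker would need in each case. Real resolvers have randomised their source ports since 2008 for exactly this reason; the fixed-port model is deliberately the older shape.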
For the average user, exposure to a DNS Spoofing attack often comes in the form of an email. This email will encourage (or frighten) users into clicking on a URL. Once clicked, malware is loaded onto the user’s computer, and a common thing for it to do is to change the device’s DNS settings so that queries go to a resolver the attacker controls, or to add entries to the local hosts file that override DNS for particular sites. Banner adverts are also a common vector for this kind of malware, especially on sketchy websites and in unsolicited emails.
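As an added example (not part of the original article), the Python below runs the kind of host-level check that catches the settings changes such malware makes: resolvers that are not the ones you expect, and hosts-file entries that pin sensitive domains to an address of the attacker’s choosing. The resolver allowlist, the watched domains and the two configuration samples are constructed; on a real system you would feed it the contents of /etc/resolv.conf and /etc/hosts (or their Windows equivalents) instead.

```python
"""Spot DNSChanger-style tampering on a host: unexpected resolvers in the
system's resolver config and hosts-file overrides for sensitive names.

Added example, not from the original article. The allowlist, watchlist and
sample files are constructed; read the real files on a live system.
"""
import ipaddress

# Constructed allowlist: resolvers the organisation actually operates or uses.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53", "2001:db8::53"}
# Constructed watchlist: domains an attacker would most want to divert.
WATCHED_DOMAINS = {"bank.example", "login.example", "update.example"}

# Constructed sample: a resolv.conf with a rogue resolver prepended.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.9
nameserver 10.0.0.53
options timeout:2
"""

# Constructed sample: a hosts file that pins the bank to an attacker address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
198.51.100.66  bank.example www.bank.example   # looks like the bank, is not
10.0.5.20   intranet.corp.example
"""


def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf order, comments stripped.
    Malformed addresses are kept verbatim so they get flagged rather than lost."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                servers.append(parts[1])
    return servers


def parse_hosts(text):
    """Return (hostname, address) pairs from hosts-file text."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.extend((host.lower(), parts[0]) for host in parts[1:])
    return entries


def audit(resolv_text, hosts_text, approved=APPROVED_RESOLVERS,
          watched=WATCHED_DOMAINS):
    """List findings: resolvers outside the allowlist and hosts-file
    overrides for watched domains or their subdomains."""
    findings = []
    for ns in parse_nameservers(resolv_text):
        if ns not in approved:
            findings.append(f"unexpected resolver {ns}")
    for host, ip in parse_hosts(hosts_text):
        # A watched domain (or any name under it) should never be pinned
        # locally; legitimate DNS is the only place it should come from.
        registrable = ".".join(host.split(".")[-2:])
        if host in watched or registrable in watched:
            findings.append(f"hosts override: {host} -> {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS):
        print(finding)
```

On the constructed samples the audit reports the rogue resolver 203.0.113.9 and the two hosts-file entries that send bank.example and www.bank.example to 198.51.100.66; a clean pair of files produces no findings. The resolver allowlist is deliberately an exact match on addresses, since a swap from a private resolver to a public one is exactly the change such malware makes.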
If you fall victim to a DNS Spoofing attack, you open yourself up to a variety of risks:
If all this is starting to make you worried, then better late than never: you’ve taken the first step to avoiding DNS Spoofing attacks. Now, let’s look at what you can do about them.
Unfortunately, there is little the average user can do to prevent high-level DNS Spoofing attacks. You have no say in the security practices of your ISP, and if its resolvers are poisoned you will not see it from your end, beyond perhaps a certificate warning when a site served over HTTPS suddenly doesn’t match its name. What you can decide is whose resolver you use: your device does not have to use the ISP’s, and a resolver that validates DNSSEC will reject forged records for domains that are signed. Beyond that, scan the news for attacks against your ISP, and change provider if it doesn’t look like it takes security seriously.
If you are a site owner, it is your responsibility to make it as hard as possible for your visitors to be diverted away from your site by DNS Spoofing. You can do this in a variety of ways, none of which is perfect on its own, but which together make your visitors much more secure:
These tools are great ways for site owners to limit the risk of DNS Spoofing, but what about the rest of us?
Sadly, DNS Spoofing is hard to avoid and detect at the level of individual users. Defending against it should start with the same measures you use against all forms of cyber attack, which we should all know by now:
Finally, if you really want to stay safe from DNS Spoofing, and in fact from all the most common cyber threats, you should really …
A Virtual Private Network (VPN) protects you against a number of threats, including some of those posed by DNS Spoofing. At a basic level, a VPN encrypts everything you send between your device and the VPN provider’s server. Note what that does and doesn’t cover: nobody on your local network or at your ISP can read or alter the traffic, but it is not end-to-end encryption. The VPN provider, and the site you are communicating with, still see it.
When it comes specifically to DNS Spoofing, a quality VPN will also route your DNS queries through the tunnel to the provider’s own resolvers. PureVPN, for instance, offers DNS leak protection, which makes sure those queries go through the tunnel rather than to the DNS server your local network handed you. A poisoned router or ISP resolver is then simply never consulted, though you are now trusting the VPN provider’s resolver instead.
In addition, a VPN protects you against the kind of on-path attacks that a compromised public WiFi network makes possible. Because everything between your device and the VPN server is encrypted, an attacker on that network cannot read or alter it.
DNS Spoofing attacks have been around for years, but are still common. Because they exploit one of the most fundamental parts of the way the internet works, they can be very hard to detect and defeat.
Though the risks of falling victim to a DNS attack are enormous, there are also some basic things you can do to protect yourself. First and foremost, you should know what a DNS Spoofing attack looks like, and how it works. If you’ve read this far, then you should have that covered!
Beyond that, avoiding DNS Spoofing is all about vigilance. If a website looks sketchy, don’t use it. If your browser warns you that a site’s certificate doesn’t match, don’t click through. If an email looks suspicious, delete it. And use the encryption offered by a VPN on networks you don’t control, just in case someone is listening in.
Take a look at our other guides to ensure you can spot other types of attack.