What Is DNS Spoofing? Also Known as "Cache Poisoning"

DNS cache poisoning, also known as DNS spoofing, is when false information is entered into a DNS cache. The intent is for DNS queries to return a false response so that users are directed to wrong websites.


What is DNS Spoofing?

Purposefully compromising a DNS (Domain Name System) table with malicious intent is known as DNS Spoofing.

DNS spoofing is when a third party enters false information into a DNS cache. Once this is done, DNS queries return an incorrect response and the user is redirected to the wrong website, which may look like the web page the user intended to visit.

DNS Spoofing is also known as "Cache Poisoning". When the cached information in the DNS resolver is incorrect or faulty, traffic goes to the wrong places. In other words, your device is tricked into thinking that it is going to the right IP address.

In most cases, DNS cache poisoning is used to take control of internet traffic and steal users' personal data or credentials.

A DNS resolver is not capable of verifying the data in its cache, and the information remains as it is until the cache is manually flushed or the record's Time to Live (TTL) expires.

The inherent flaws of the DNS resolver make such vulnerabilities possible. To counter these problems there exists DNSSEC, a set of security extensions that makes DNS relatively more secure. Unfortunately, it has not yet been widely adopted.

A favorite approach is therefore to attack public WiFi networks, which typically use poor security protocols and are sometimes unreliable enough to allow hackers to hide their activities behind the appearance of a flaky connection.

DNS Spoofing attacks are often the first step in implementing a variety of further attacks:

  • The fake website that users are redirected to can be part of a standard phishing scam. An attacker can build a website that looks just like a legitimate one, and unsuspecting users will then enter their login details or other types of valuable data. This is one of the most common forms of attack, because it is one of the easiest to perform. It is even possible, believe it or not, to buy fully featured kits that allow the average user to perform this type of attack.
  • A more complicated form of attack, but one that can also start with DNS Spoofing, is a man-in-the-middle attack. In this type of attack, instead of being redirected to a fake website, the hacker intercepts information passing between the user and a server, but lets each believe they are communicating directly (and securely) with the other.
  • DNS Spoofing can also be the starting point for a Session Hijacking attack. To do this, an attacker will redirect a user to a fake website using a DNS redirect, but will also pass on any authentication information they enter to the real website. By stealing a user’s login details, an attacker can log into the real website as though they are the victim. Any information normally visible to the victim, such as credit card or banking details, is now visible to the attacker.

How to Prevent DNS Spoofing?

Unfortunately, there is little the average user can do to prevent high-level DNS Spoofing attacks. There is not much you can do about the security practices put in place by your ISP, and if their servers are compromised there is no way you will be able to detect it. At this level, the best thing you can do is to scan the news for attacks against your ISP, and change provider if they look like they don’t take security seriously.

If you are a site owner, it is your responsibility to ensure that your visitors don’t fall victim to DNS Spoofing when they are using your site. You can do this in a variety of ways, none of which is perfect, but used together they will make your visitors much more secure:

  • Implement DNS spoofing detection mechanisms. These come in a variety of flavours, but work in much the same way. By scanning the data passing between your site, your DNS provider, and your visitors, programs like XArp will detect suspicious activity. You can then repair any DNS tables that you have access to in order to defeat malicious redirects.
  • The use of encrypted data transfer protocols should be standard for any website, but sadly it is not. The best approach here is to implement end-to-end encryption via SSL/TLS, in order to ensure that the data you are exchanging with your visitors cannot be intercepted and altered by an attacker. These protocols also allow users to verify that servers’ digital certificates are valid, and to spot fake sites that are designed to look like legitimate ones.
  • Using a VPN provides you with protection against a variety of threats, including those posed by DNS Spoofing. At a basic level, a VPN will encrypt all of the information you send and share online. Because this encryption is end-to-end, no one besides you and the site you are communicating with will be able to read it.
  • DNSSEC is a set of security extensions that are specifically designed to defeat DNS Spoofing attacks. At the moment, these tools are still quite underdeveloped, but they already offer a pretty good level of protection against the most common types of DNS Spoofing attack. They work by digitally signing DNS data, which allows its contents to be authenticated.

Since it is not easy to spot or detect a DNS Spoofing Attack, here are some further precautions you can take.

  • Don’t click on sketchy-looking URLs in emails from people you don’t know.
  • Don’t connect to unsecured WiFi networks, and if you have to, NEVER send sensitive information over them. And yes, that includes logging in to your Facebook profile.
  • If a website doesn’t look like it is real, it isn’t. Get out of there as quickly as you can.

How Does DNS Spoofing Work?

If an attacker is able to obtain the admin password for a router, perhaps by using an Evil Twin attack, altering DNS records becomes relatively easy.

  1. The attacker puts a fake address into the DNS.
  2. As the server accepts this fake address, the cache is 'poisoned'.
  3. Now, when the user connects to this server, the responses to their queries are controlled by the hacker.

Cache Poisoning Process

Cache Poisoning Attack – The Process Explained

The reason why a DNS resolver cannot verify the data in its cache is that it uses UDP instead of TCP. TCP authenticates the devices trying to communicate with each other; in the case of UDP, the two parties are not necessarily aware of whether the exchange is legitimate. Hence, a hacker may send packets over UDP that pretend to be a response from a verified server.

If a server doesn’t know the IP address for a given URL, it will ask the server ‘above’ it for this information. If that server doesn’t know either, it will ask yet another one. This process continues until the IP is found, and the answer is then sent back down the chain to the user.
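To make concrete what a resolver can and cannot check about a reply that arrives over UDP, here is an added Python example (not part of the original article) that parses a constructed DNS reply and applies the sanity checks a cautious resolver performs before caching anything: the transaction ID must match the outstanding query, the question section must echo what was asked, and every answer must be for the name that was asked about. The message bytes and the 192.0.2.x addresses are constructed sample data, and the helper names are this example's own.

```python
import struct  # the messages built below are constructed for this example, not captured traffic

def build_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    labels = []
    while msg[off]:  # the constructed messages use no compression pointers
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), off + 1

def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + build_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN

def build_response(txid, qname, owner, ttl, ip):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, one answer
    question = build_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = build_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rr

def parse(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg)
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        answers.append((owner, rtype, ttl, ".".join(str(b) for b in rdata)))
    return txid, flags, (qname, qtype, qclass), answers

def vet_response(query, response):
    """Checks a cautious resolver applies to a UDP reply before caching it; returns (accepted, reason)."""
    q_id, _, q_question, _ = parse(query)
    r_id, _flags, r_question, answers = parse(response)
    if r_id != q_id:
        return False, "transaction ID does not match the outstanding query"
    if r_question != q_question:
        return False, "question section does not echo our query"
    for owner, _type, _ttl, _ip in answers:
        if owner != q_question[0]:
            return False, "answer for " + owner + " is not the name we asked about"
    return True, "accepted; cache each RR for at most its TTL"
```

Note what these checks do not cover: a forged reply that guesses the 16-bit ID and echoes the question correctly passes all of them, which is why the article points to DNSSEC signatures as the only check that actually authenticates the data.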

This means that if an attacker manages to inject incorrect DNS entries into a high-level server, this malicious information will cascade down across large sections of the internet. Each cache will be poisoned by the one above it, in other words.

Gaining access to the DNS tables held by large companies might be more difficult than compromising a public WiFi router, of course, but the rewards of doing so are correspondingly greater. A successful cache poisoning attack can affect hundreds of thousands of users, at least for a short time before the attack is detected and the DNS tables are fixed.

The Risks of Being Exposed To DNS Spoofing

For the average user, exposure to DNS Spoofing often comes in the form of an email. This email will encourage (or frighten) users into clicking on a URL. Once clicked, malware will be loaded onto the user’s computer, and this will be used as a starting point to poison any available DNS records. Banner adverts are also a common attack vector for DNS Spoofing, especially those on sketchy websites and those contained in unsolicited emails.

Most DNS Spoofing attacks have a simple goal, albeit a scary one: to steal personal information. This can range from login details for social media sites to more obviously sensitive data like online banking details. It might not sound like someone stealing your Facebook password would be a big deal, but it could be. This is often the first step in an attacker gaining access to the other systems you use, in order to build up a profile that will allow them to impersonate you, or simply to sell this to other criminals.