Purposefully compromising a DNS (Domain Name System) table with malicious intent is known as DNS Spoofing.
DNS spoofing is when a third party enters false information into a DNS cache. Once this is done, DNS queries are answered with the incorrect entry and the user is redirected to the wrong website, which may look like the web page the user intended to visit.
DNS Spoofing is also known as "Cache Poisoning". When the cached information in the DNS resolver is incorrect or faulty, the traffic goes to the wrong places. In other words, your device is tricked into thinking that it is going to the right IP address.
In most cases, DNS cache poisoning is used to take control of the internet traffic and steal personal data/credentials of users.
A DNS resolver is not capable of verifying the data in its cache, and the information remains as it is until the cache is manually flushed or the Time to Live (TTL) expires.
The inherent flaws of the DNS resolver make such vulnerabilities possible. To counter these problems there is DNSSEC, a more secure version of the DNS protocol. Unfortunately, it has not yet been widely adopted.
A favorite approach is therefore to attack public WiFi networks, which typically use poor security protocols and are sometimes unreliable enough to allow hackers to hide their activities behind what looks like an ordinary flaky connection.
DNS Spoofing attacks are often the first step in implementing a variety of further attacks:
Unfortunately, there is little the average user can do to prevent high-level DNS Spoofing attacks. There is not much you can do about the security practices in place by your ISP, and if their servers are compromised there is no way you will be able to detect it. At this level, the best thing you can do is to scan the news for attacks against your ISP, and change provider if they look like they don’t take security seriously.
If you are a site owner, it is your responsibility to ensure that your visitors don’t fall victim to DNS Spoofing when they are using your site. You can do this in a variety of ways, none of which are perfect, but when used together they will make your visitors much more secure:
Since a DNS Spoofing attack is not easy to spot or detect, here are some further precautions you can take.
If an attacker is able to obtain the admin password for a router, perhaps by using an Evil Twin attack, altering DNS records becomes relatively easy.
The reason a DNS resolver cannot verify the data in its cache is that it uses UDP instead of TCP. TCP authenticates the devices trying to communicate with each other. In the case of UDP, the two parties are not necessarily aware of whether the exchange is legitimate. Hence, a hacker may send packets via UDP that pretend to be a response from a verified server.
If a server doesn’t know the IP address for a given domain name, it will ask the server ‘above’ it for this information. If that server doesn’t know, it will ask yet another one. This process continues until the IP address is found, and the answer is then sent back down the chain to the user.
This means that if an attacker manages to inject incorrect DNS entries into a high-level server, this malicious information will cascade down across large sections of the internet. In other words, each cache is poisoned by the one above it.
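To make the two points above concrete (a resolver caches whatever it accepts until the TTL runs out, and a UDP reply carries nothing that proves who sent it), here is an added example that is not part of this article: a toy resolver cache that parses a minimal DNS A-record response from its wire format and only accepts it when the transaction ID and question name match a query the resolver actually sent. Packet layout follows the DNS wire format; the `Cache` class, the `pending` bookkeeping and all names and addresses are constructed for the example.

```python
import struct

def encode_name(name):
    """Dotted name -> DNS wire-format labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def decode_name(pkt, pos):
    """Read uncompressed labels starting at pos; return (name, position after them)."""
    labels = []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels), pos + 1

def build_response(txid, name, ip, ttl):
    """Constructed one-answer A response: header, question, one resource record."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)       # QR=1, RD, RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return hdr + question + answer

def parse_response(pkt):
    """Return (txid, qname, ip, ttl) from a one-answer A response."""
    txid = struct.unpack("!H", pkt[:2])[0]
    qname, pos = decode_name(pkt, 12)          # question starts right after the 12-byte header
    pos += 4                                   # skip QTYPE and QCLASS
    _, pos = decode_name(pkt, pos)             # answer owner name
    _, _, ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
    ip = ".".join(str(b) for b in pkt[pos + 10:pos + 10 + rdlen])
    return txid, qname, ip, ttl

class Cache:
    """Toy resolver cache (constructed): accept a reply only if it matches an outstanding query."""
    def __init__(self):
        self.pending = {}   # txid -> qname the resolver actually asked about
        self.entries = {}   # qname -> (ip, expiry timestamp)

    def accept(self, pkt, now):
        txid, qname, ip, ttl = parse_response(pkt)
        if self.pending.get(txid) != qname:
            return False    # unsolicited or mismatched reply: drop it instead of caching it
        del self.pending[txid]
        self.entries[qname] = (ip, now + ttl)   # cached until the TTL runs out
        return True

    def lookup(self, qname, now):
        ip, expiry = self.entries.get(qname, (None, 0))
        return ip if now < expiry else None      # stale entries are not served
```

A real resolver also randomizes the transaction ID and source port and checks that the answer is within the bailiwick of the server it asked; DNSSEC is what adds cryptographic proof that the data itself is genuine.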
Gaining access to the DNS tables held by large companies might be more difficult than compromising a public WiFi router, of course, but the rewards of doing so are correspondingly greater. A successful cache poisoning attack can affect hundreds of thousands of users, at least for a short time before the attack is detected and the DNS tables are fixed.
For the average user, exposure to DNS Spoofing often comes in the form of an email. This email will encourage (or frighten) users into clicking on a URL. Once clicked, malware will be loaded onto the user’s computer, and this will be used as a starting point to poison any available DNS records. Banner adverts are also a common attack vector for DNS Spoofing, especially those on sketchy websites and those contained in unsolicited emails.
Most DNS Spoofing attacks have a simple goal, albeit a scary one: to steal personal information. This can range from login details for social media sites to more obviously sensitive data like online banking details. It might not sound like someone stealing your Facebook password would be a big deal, but it could be. This is often the first step in an attacker gaining access to the other systems you use, in order to build up a profile that will allow them to impersonate you, or simply to sell this to other criminals.