What is DNS Spoofing? Full Guide

Cyberattack
Howard Poston
Dec 15, 2023

The Domain Name System (DNS) is a critical part of the Internet’s infrastructure. It is responsible for converting domain names (like kzero.com) into IP addresses (like 5.5.5.5). Without DNS, the Internet would be much less usable and scalable since visiting a website would require a user to remember and enter the IP address associated with that site.

DNS spoofing or DNS poisoning is a cyberattack that exploits the DNS system. The goal of this attack is to send a modified or malicious DNS record to a user requesting the IP address of a particular domain. When a computer receives this response, it will contact the indicated IP address to browse the website. With DNS spoofing, this will result in the user visiting a malicious website controlled by the attacker.

DNS spoofing can be a significant threat because it tricks users into browsing phishing sites. These attacks can be used as part of a phishing attack or to steal sensitive information that is not encrypted in transit. This article explores the DNS spoofing threat, including the various ways that it can work, how cybercriminals use it, and best practices for protecting against it.

What is DNS Spoofing?

DNS is one of the core protocols of the Internet, offering the ability to visit websites using a domain name or URL rather than a seemingly random IP address. However, like many major network protocols, it lacks built-in security. By default, DNS requests and responses are unencrypted and carry no authentication information. Additionally, DNS typically relies on a single authoritative source of DNS information for a particular domain.

DNS spoofing involves substituting malicious information for legitimate DNS records. By doing so, an attacker redirects a user to a malicious website because the client computer trusts the IP address provided as part of the malicious DNS record. This substitution might allow an attacker to steal a user’s login credentials, deliver malware to their computer, or steal other sensitive information sent by an application to a seemingly trusted domain.

Types of DNS Spoofing Attacks

Often, DNS spoofing is used as a synonym for DNS poisoning. This particular threat refers to introducing fake DNS information into the caches of DNS resolvers. These resolvers act as an agent for users, doing the work of finding the right IP address for a requested domain.

However, a similar effect can be accomplished in various ways. This includes targeting the source of the DNS records, resolver caches, or the DNS response traveling over the network.

Cache Poisoning

A DNS cache poisoning attack targets the local cache of a DNS resolver. The role of a DNS resolver is to act as an intermediary between a user and DNS servers. When presented with a DNS request, the resolver will first check its local cache for the requested information.

If the desired DNS entry isn’t in the local cache, the resolver communicates with DNS servers to find the appropriate IP address. This will likely involve making multiple DNS requests, starting with a DNS root server and working down through the DNS hierarchy until it identifies the server holding the DNS entry for the requested domain. This final DNS server will send the resolver a DNS response containing the IP address that can be used to find the site requested by the user.

In a DNS cache poisoning attack, the attacker tricks a DNS resolver into including incorrect and malicious data in its local cache. This typically begins with the attacker performing a request for the domain whose record they want to poison in the resolver’s cache.

If the resolver doesn’t have a cached copy of that record, it will begin communicating with DNS servers to find the correct IP address. At this point, the attacker will send a spoofed, malicious DNS response to the DNS resolver. Since DNS doesn’t have encryption or authentication by default, the attacker can masquerade as the DNS server that the resolver asked for this information.

After receiving a DNS response, the resolver will send that data to the attacker, who made the initial DNS request. It will also include a copy of this DNS record in its local cache to speed up future requests for that domain.

If another user makes a request for the same domain, the resolver will respond to the request based on the records in its local cache. As a result, the user will receive the poisoned DNS data that will direct them to the malicious website.
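The cache poisoning sequence above, as an added illustration (this is not code from the article): a toy recursive-resolver model with a controllable clock. It shows the checks a resolver applies before accepting a reply (the reply must match the transaction ID, source port and question of a query that is still in flight, a detail not discussed in the text), why a forged reply that passes those checks lands in the shared cache, and why every later client then receives the attacker's address until the record's TTL expires. The names, ports, IDs and addresses are constructed sample values.

```python
"""Toy model of a recursive resolver's cache and its reply-matching checks.

Added illustration for this article, not code from it. Names, ports and
addresses are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Response:
    txid: int      # 16-bit transaction ID copied from the query
    port: int      # UDP port the query was sent from
    qname: str     # question name the answer claims to be for
    ip: str        # A record in the answer
    ttl: int       # seconds the resolver may keep the record


class Resolver:
    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.cache = {}             # lowercased name -> (ip, expiry time)
        self.in_flight = {}         # (txid, port) -> question name

    def lookup(self, qname):
        """Return the cached address, or None if the entry is missing or expired."""
        entry = self.cache.get(qname.lower())
        if entry is None:
            return None
        ip, expires = entry
        if expires <= self.clock():
            del self.cache[qname.lower()]
            return None
        return ip

    def send_query(self, qname, txid, port):
        """Record an outgoing query. A real resolver picks txid and port at random
        (RFC 5452); the caller supplies them here so the scenario is repeatable."""
        self.in_flight[(txid, port)] = qname.lower()

    def receive(self, resp):
        """Accept a reply only if it matches an unanswered query exactly."""
        key = (resp.txid, resp.port)
        if self.in_flight.get(key) != resp.qname.lower():
            return "rejected"             # unknown ID/port, or the wrong question
        del self.in_flight[key]           # first matching reply wins; later ones are dropped
        self.cache[resp.qname.lower()] = (resp.ip, self.clock() + resp.ttl)
        return "cached"


def scenario():
    """Walk through the attack described in the text with a controllable clock."""
    now = [1000.0]
    r = Resolver(clock=lambda: now[0])
    r.send_query("bank.example", txid=0x1A2B, port=40001)

    # A forged reply carrying the wrong transaction ID is discarded.
    wrong_id = r.receive(Response(0x0000, 40001, "bank.example", "203.0.113.9", 3600))
    # A forged reply that matches ID, port and question is accepted and cached.
    poisoned = r.receive(Response(0x1A2B, 40001, "bank.example", "203.0.113.9", 3600))
    # The genuine answer arrives later and is dropped: the query is no longer in flight.
    genuine = r.receive(Response(0x1A2B, 40001, "bank.example", "192.0.2.10", 3600))

    # Every client asking this resolver now gets the attacker's address...
    served_now = r.lookup("bank.example")
    # ...until the TTL the attacker chose runs out.
    now[0] += 3601
    served_later = r.lookup("bank.example")
    return wrong_id, poisoned, genuine, served_now, served_later


if __name__ == "__main__":
    print(scenario())  # ('rejected', 'cached', 'rejected', '203.0.113.9', None)
```

Two things in this model are under the defender's control: the unpredictability of the transaction ID and source port, which is what makes a blind forged reply unlikely to match, and the TTL ceiling the resolver is willing to honour, which bounds how long a poisoned entry is served. Neither replaces the authentication that DNSSEC adds, which rejects a forged reply even when it matches the in-flight query.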

Man-in-the-Middle (MitM) Attacks

A Man-in-the-Middle (MitM) or on-path attack involves the attacker intercepting, reading, and potentially modifying traffic en route to its destination. MitM attacks can be performed in various ways, including ARP spoofing, evil twin wireless networks, and malware.

MitM attacks can be used for DNS spoofing because DNS traffic is not encrypted or authenticated by default. This means that anyone who intercepts DNS traffic can read and modify it en route to its destination. Additionally, an attacker has the ability to forge DNS responses, as demonstrated in the DNS cache poisoning attack.

In a MitM DNS spoofing attack, the attacker will intercept the response to a DNS request. This could be between a DNS resolver and a DNS server or between the end user and the DNS resolver. By intercepting this traffic, the attacker can send a malicious version of the DNS response that points the user to an IP address associated with a malicious site.

DNS Pharming

DNS cache poisoning and MitM attacks target the process by which DNS records move from a DNS server to the end user. DNS pharming attempts to manipulate DNS records at the source: the DNS server responsible for a particular domain.

Every domain has one or more DNS servers that are responsible for responding to DNS requests for that domain. In a DNS pharming attack, the attacker modifies these authoritative records to point to a malicious IP address.

This can be accomplished in various ways. For example, an attacker might be able to guess or steal the password that a domain owner uses to manage their accounts. With this access, the attacker could update the DNS entries to point to the malicious IP address.

DNS pharming attacks have a much greater impact than DNS cache poisoning or MitM attacks. In these other attacks, the only parties affected are the ones using a particular DNS resolver or whose traffic is intercepted and modified by the attacker. With pharming, anyone requesting the targeted domain receives the malicious DNS record and IP address.

Use Cases of DNS Spoofing

The goal of DNS spoofing is to redirect users to a malicious website. This can be used to accomplish a couple of different goals.

Phishing Attacks

One of the most common uses for DNS spoofing is as part of a phishing campaign. Most anti-phishing training focuses on checking and verifying the URL shown in a browser’s address bar.

With a DNS spoofing attack, the URL can look right when the user is directed to a malicious website. The reason for this is that the mapping of the URL to the IP address is based on the DNS entry that the browser trusts and that the attacker has modified.

As a result, DNS spoofing can make phishing sites and campaigns look more realistic. However, they don’t enable the attacker to forge digital certificates, so the browser should generate a warning about the site being insecure.

Data Theft and Espionage

DNS spoofing also has the potential to enable data theft. This occurs when an application relies on DNS records to decide which server it should send its data to.

For example, many mobile apps and Internet of Things (IoT) devices rely on backend cloud servers and may occasionally POST data to them. A DNS spoofing attack could redirect these communications, potentially exposing sensitive data if it has not been properly protected by encryption.

Recent Examples of DNS Spoofing

DNS spoofing attacks can affect an individual or a number of different parties. Often, this depends on the techniques used in the attack.

One example of a DNS spoofing attack was a 2018 incident involving MyEtherWallet, a cryptocurrency wallet provider. The attacker corrupted DNS records to redirect users to a malicious site, allowing them to steal an estimated $150,000 in cryptocurrency from various users.

This attack involved a BGP hijacking attack, which redirected traffic to the AWS DNS service — Route 53 — to an attacker-controlled system. This allowed the attacker to respond to DNS requests and direct users to a phishing site. After users clicked through an HTTPS error message, the site would transfer their cryptocurrency to an attacker-controlled address.

How to Prevent DNS Spoofing

DNS spoofing has the potential to enable phishing attacks and data breaches. Organizations can use various methods to protect against these attacks.

DNSSEC (Domain Name System Security Extensions)

DNSSEC is an extension designed to address some of the security gaps of the DNS protocol. Namely, it focuses on authenticating the information provided in DNS responses.

DNSSEC uses public key cryptography and digital signatures to ensure the authenticity and integrity of DNS data. By doing so, it blocks DNS cache poisoning and MitM attacks that rely on intercepting and modifying DNS responses. However, it can’t protect against pharming attacks where the attacker poisons the original source of DNS information.
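How the DNSSEC chain of trust links a zone's key to its parent, as an added illustration (not code from the article). DNSSEC signs each record set with a zone key (RRSIG and DNSKEY records); the parent zone then publishes a DS record holding a digest of that DNSKEY, so a validating resolver can tell the genuine key from one an attacker has substituted. The key-tag and DS-digest computations below follow RFC 4034 (Appendix B and section 5.1.4). The public-key bytes are made up for the example, and the signature verification step itself, which needs a public-key library, is not shown.

```python
"""DNSSEC chain-of-trust check: does a child's DNSKEY match the parent's DS?

Added illustration for this article, not code from it. Key bytes are constructed.
"""
import hashlib
import struct


def owner_name_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm number, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=2):
    """Build the DS the parent publishes: key tag, algorithm, digest type, digest.

    Digest type 2 is SHA-256 over (canonical owner name || DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is shown here")
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def dnskey_matches_ds(owner, rdata, ds):
    """Resolver-side check: recompute the DS from the offered DNSKEY and compare."""
    return ds_record(owner, rdata, ds["digest_type"]) == ds


def scenario():
    owner = "example."
    # flags 257 = zone key + secure entry point (a KSK); algorithm 13 = ECDSA P-256
    genuine = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))   # constructed key bytes
    ds = ds_record(owner, genuine)                             # what the parent serves
    forged = dnskey_rdata(257, 3, 13, bytes(range(65, 129)))   # attacker's substitute
    return dnskey_matches_ds(owner, genuine, ds), dnskey_matches_ds(owner, forged, ds)


if __name__ == "__main__":
    print(scenario())  # (True, False)
```

The digest covers the owner name as well as the key, so a key copied from one zone cannot be presented as the key of another. This is the mechanism behind the text's point that DNSSEC defeats cache poisoning and on-path modification but not pharming: an attacker who controls the domain's registrar account can also change the DS record the parent publishes.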

Encrypted DNS

One of the main security flaws of DNS is that it lacks encryption and authentication. This enables attackers to intercept and modify DNS responses en route to their destination.

DNS over HTTPS (DoH) and DNS over TLS (DoT) are protocols designed to address this issue. They use TLS to protect DNS traffic against MitM and similar attacks. Using these protocols both protects against DNS spoofing and helps to protect the privacy of a user’s web browsing by preventing eavesdropping on DNS traffic.

DNS Filtering and Threat Intelligence

The goal of a DNS spoofing attack is to redirect a user to a malicious website. This is accomplished by creating a fake mapping from a trusted domain or URL to a malicious IP address.

Threat intelligence feeds provide information on known-bad websites that DNS spoofing may be used to direct users to. Using this information, DNS filtering can identify DNS responses pointing to known-bad IP addresses — whether due to DNS spoofing, phishing, or other means — and block users from visiting these malicious sites.
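DNS filtering as described above, as an added illustration (not code from the article or from any product): a filter parses each DNS response it sees and flags answers whose addresses fall in ranges supplied by a threat-intelligence feed. The block contains a minimal parser for the DNS wire format (RFC 1035, including name compression), a builder used only to construct sample responses, and a constructed block list; the domain, addresses and ranges are documentation values, not real indicators.

```python
"""Applying a DNS block list to parsed responses.

Added illustration for this article, not code from it. The block list and
the sample response are constructed from documentation addresses.
"""
import ipaddress
import struct

A_TYPE, IN_CLASS = 1, 1


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, ips, ttl=300):
    """Constructed test input: a standard response with one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumps, end = [], 0, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            jumps += 1
            if jumps > 16:                              # malformed: pointer loop
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                        # parsing resumes after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_a_records(msg):
    """Return (txid, [question names], [(name, ip, ttl), ...]) for A/IN answers."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        off += 4                                        # skip QTYPE and QCLASS
        questions.append(name)
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A_TYPE and rclass == IN_CLASS and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return txid, questions, answers


# Constructed threat-intelligence feed: ranges "known" to host malicious sites.
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.7/32")]


def filter_response(msg, blocklist=BLOCKLIST):
    """Return a verdict per A record: 'allow' or 'block'."""
    _txid, _questions, answers = parse_a_records(msg)
    verdicts = []
    for name, ip, _ttl in answers:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in net for net in blocklist)
        verdicts.append((name, ip, "block" if hit else "allow"))
    return verdicts


if __name__ == "__main__":
    sample = build_response(0x1234, "bank.example", ["192.0.2.10", "203.0.113.45"])
    print(filter_response(sample))
```

The filter judges the address in the answer, not the name in the question, which is what lets it catch a spoofed record for a trusted domain: the name looks right, but the address it resolves to is one the feed has already associated with malicious hosting. A production filter would also need to handle AAAA and CNAME answers and truncated or malformed packets.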

DNS Server Updates and Patching

DNS pharming attacks target the source of DNS information. By injecting malicious records into a domain's authoritative DNS server, an attacker can redirect all future visitors to that domain.

One of the means by which an attacker can gain the necessary access to perform a pharming attack is by exploiting vulnerabilities in DNS servers or resolvers. The operators of these systems should perform regular patching and updates to ensure that any vulnerabilities are closed before they can be exploited by an attacker.

Conclusion

DNS spoofing is a cyberattack that targets one of the fundamental protocols that make the Internet work. DNS is responsible for translating easily remembered domain names (like kzero.com) into IP addresses (like 5.5.5.5). DNS spoofing uses various means to poison DNS responses with malicious information that directs users to malicious websites.

These attacks can be used to achieve various purposes for the attacker. DNS spoofing can be used as part of a phishing campaign, making these attacks more believable to a target. Alternatively, they can be used to steal sensitive data that an application or device transmits to an IP address resolved via a DNS lookup.

DNS spoofing attacks can be used in various ways to steal sensitive data, including users’ login credentials. For example, a DNS spoofing attack could direct users to a fake login page where they would enter their password, sending it straight to an attacker.

Kelvin Zero’s Multi-Pass provides protection against this and other threats to users’ accounts by replacing passwords with multi-factor authentication (MFA) based on secure biometrics. Learn more about enhancing the security of employee and customer accounts with Multi-Pass today.

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant.