Previously we looked at a MITM (Man-In-The-Middle) technique called ARP spoofing; now we will look at DNS spoofing. Like ARP spoofing, DNS spoofing is a MITM attack, but where ARP spoofing lies about which MAC address owns an IP, DNS spoofing feeds the victim false name-resolution information: the wrong IP address for a name. For example, let's say you have your bank website:
www.mybank.com and the IP of that webserver is 22.214.171.124. DNS spoofing instead hands you an incorrect IP, let's say 126.96.36.199 (the attacker's IP), which hosts a copy of www.mybank.com. You will not realise it, because the address bar still shows www.mybank.com and the page looks identical. This is how your personal credentials can be stolen.
The DNS protocol is responsible for resolving names into IP addresses. If you want to connect to a website, say www.google.com, it is hard to remember the IP 188.8.131.52, and even if you remember one in particular you will not remember the addresses of all the websites you visit. Just as humans remember people by name, DNS resolves names into something a computer understands: IP addresses. There are millions of DNS servers around the world. A DNS server stores a database of entries (records) mapping names to IP addresses.
DNS works as a query and a response: when a host wants to resolve a name into an IP, it sends a query to its DNS server; the server looks the name up in its database and sends the requested information back. From the host's perspective the whole exchange is just two packets, the query and the response, normally carried over UDP on port 53. Because of the internet's rapid expansion, no single DNS server can hold the entire mapping of all names and keep it up to date, so a server that does not know the answer asks other DNS servers on the host's behalf (recursion) and returns what it learns.
Each query the host sends carries a 16-bit transaction ID, and the host matches responses to its outstanding queries by that ID (and by the question they answer). An attacker who can capture the query can easily craft a fake response carrying the same ID and the same question, and the target accepts it as the right answer; the forgery only has to arrive before the legitimate response, which is why the attacker wants to be on the path between the victim and its DNS server.
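The following is an added example, not code from the original article, showing the two-packet exchange and the transaction-ID check described above in Go using only the standard library. It builds the query a client sends for www.mybank.com, forges a reply the way the text describes (same ID and question bytes, QR bit set, one A record pointing at an address the attacker chooses), and applies the check a stub resolver performs before trusting a reply. All names and addresses are constructed; 192.0.2.10 is a documentation address and nothing is sent on the network. The parser rejects compression pointers, so it handles the messages built here but not every real-world response.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Message holds the parts of a DNS message this example looks at.
type Message struct {
	ID, QType uint16 // transaction ID; question type (1 = A)
	Response  bool   // QR bit
	QName     string
	Answers   []net.IP // A records in the answer section
}

// encodeName turns "www.mybank.com" into DNS label form: 3www6mybank3com0.
func encodeName(name string) []byte {
	out := []byte{}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// decodeName reads labels at off and returns the name and the offset past it.
// Compression pointers are rejected; the forgery below never emits them.
func decodeName(msg []byte, off int) (string, int, error) {
	var labels []string
	for off < len(msg) {
		l := int(msg[off])
		off++
		if l == 0 {
			return strings.Join(labels, "."), off, nil
		}
		if l&0xC0 != 0 || off+l > len(msg) {
			return "", 0, errors.New("compressed or truncated label")
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	return "", 0, errors.New("name runs past end of message")
}

// buildQuery builds the A query a stub resolver sends for name.
func buildQuery(id uint16, name string) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: RD=1 (recursion desired)
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT=1
	return append(append(msg, encodeName(name)...), 0, 1, 0, 1) // QTYPE=A, QCLASS=IN
}

// parseMessage decodes header, question and the A records of the answer section.
func parseMessage(msg []byte) (Message, error) {
	var m Message
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:]) != 1 {
		return m, errors.New("short header or QDCOUNT != 1")
	}
	m.ID, m.Response = binary.BigEndian.Uint16(msg[0:]), msg[2]&0x80 != 0
	name, off, err := decodeName(msg, 12)
	if err != nil || off+4 > len(msg) {
		return m, errors.New("bad question section")
	}
	m.QName, m.QType = name, binary.BigEndian.Uint16(msg[off:])
	off += 4
	for i := 0; i < int(binary.BigEndian.Uint16(msg[6:])); i++ { // ANCOUNT records
		if _, off, err = decodeName(msg, off); err != nil || off+10 > len(msg) {
			return m, errors.New("bad answer record")
		}
		rtype, rdata := binary.BigEndian.Uint16(msg[off:]), off+10
		if off = rdata + int(binary.BigEndian.Uint16(msg[off+8:])); off > len(msg) {
			return m, errors.New("truncated rdata")
		}
		if rtype == 1 && off-rdata == 4 { // A record: four bytes of IPv4 address
			m.Answers = append(m.Answers, net.IPv4(msg[rdata], msg[rdata+1], msg[rdata+2], msg[rdata+3]))
		}
	}
	return m, nil
}

// forgeResponse does what the attacker in the text does: keep the captured
// query's transaction ID and question bytes, flip the QR bit, and append one A
// record (TTL 300) pointing the name at attackerIP. A real forgery must also hit
// the victim's UDP source port and arrive before the genuine reply.
func forgeResponse(query []byte, attackerIP string) ([]byte, error) {
	q, err := parseMessage(query)
	ip := net.ParseIP(attackerIP).To4()
	if err != nil || q.Response || q.QType != 1 || ip == nil {
		return nil, errors.New("need an A query and an IPv4 attacker address")
	}
	resp := append([]byte(nil), query...)   // same ID, same question
	resp[2] |= 0x80                          // QR=1: this is now a response
	binary.BigEndian.PutUint16(resp[6:], 1) // ANCOUNT=1
	rr := append(encodeName(q.QName), 0, 1, 0, 1, 0, 0, 1, 0x2C, 0, 4) // A, IN, TTL=300, RDLENGTH=4
	return append(resp, append(rr, ip...)...), nil
}

// clientAccepts is the check a stub resolver applies to a reply (apart from the
// UDP source port, which lives outside the DNS message): a response carrying
// the query's ID that answers the same question. Nothing proves who sent it.
func clientAccepts(query, reply []byte) bool {
	q, err1 := parseMessage(query)
	r, err2 := parseMessage(reply)
	return err1 == nil && err2 == nil && r.Response && r.ID == q.ID &&
		r.QType == q.QType && strings.EqualFold(r.QName, q.QName)
}

func main() {
	// Constructed example: the victim asks for www.mybank.com; the attacker on the
	// path copies the ID into a reply pointing at 192.0.2.10 (documentation range).
	query := buildQuery(0x1234, "www.mybank.com")
	fake, _ := forgeResponse(query, "192.0.2.10")
	r, _ := parseMessage(fake)
	fmt.Printf("forged reply accepted=%v answers=%v\n", clientAccepts(query, fake), r.Answers)
	fake[0] ^= 0xFF // any change to the ID and the client drops the reply
	fmt.Printf("with wrong ID accepted=%v\n", clientAccepts(query, fake))
}
```

The forged reply passes clientAccepts because it reuses the captured ID and question; flip one bit of the ID and it is dropped. That is the whole difference between the on-path attacker in this article, who simply copies the ID, and an off-path attacker, who would have to guess the 16-bit ID and the UDP source port.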
To capture the DNS query, the attacker first performs ARP poisoning against the targeted network devices to change their ARP caches; he can then redirect the victim's DNS traffic to his own DNS server, which answers with the fake name-to-IP mappings.
Once this is in place, all the user has to do is visit his online banking site. The attacker hosts a copy of the bank's webpage on his own webserver, so the client takes the false server's IP for the legitimate one and sends its traffic, login details included, to the wrong server while believing it is the right one. (If the bank serves its site over HTTPS, the fake server cannot present a valid certificate for www.mybank.com, so the browser will warn the user unless the attacker also defeats that check.)
How to Protect Against DNS Spoofing.
Usually it is very hard to tell that you are under attack, but some measures help. Keep your computers protected with a good antivirus so that a compromised machine on your network cannot be used to launch the poisoning; bear in mind that antivirus does not inspect DNS replies on the wire, so it does not detect the spoofed response itself.
You can also use a gateway firewall or a good IDS (Intrusion Detection System). Many firewalls and managed switches can enable ARP inspection (Dynamic ARP Inspection), which blocks the ARP poisoning that this attack relies on to get between you and your DNS server, and so prevents the DNS poisoning that follows.
Another way is to add static entries for your important names to your system's hosts file. The resolver consults the hosts file first, then its local DNS cache, and only then sends a query over the network, so a name with a hosts entry is never asked of a DNS server and cannot be spoofed. This only protects the names you add, and the entries must be updated by hand whenever the site's IP changes.
A newer method is DNSSEC: DNS records are digitally signed by the zone owner, and a validating resolver checks the signature before trusting a response, so a forged answer (which the attacker cannot sign with the zone's key) is rejected even when its transaction ID matches. DNSSEC authenticates responses but does not encrypt them, and it is a relatively new method that is not widely deployed yet.
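The following is an added example, not code from the original article, of the property DNSSEC relies on, in Go with the standard library. It is a simplified model rather than a DNSSEC implementation: it uses Ed25519 (DNSSEC algorithm 15), signs a simplified serialisation of the records rather than the RFC 4034 canonical form, and assumes the resolver already trusts the zone's public key, so RRSIG, DNSKEY and DS records and the chain of trust are not modelled. The names, addresses and keys are constructed; 198.51.100.20 and 192.0.2.10 are documentation addresses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net"
	"strings"
)

// ARecord is one A record as this model carries it.
type ARecord struct {
	Name string
	TTL  uint32
	IP   net.IP
}

// SignedRRset is a set of records plus the zone owner's signature over them,
// the role an RRSIG record plays in DNSSEC.
type SignedRRset struct {
	Records   []ARecord
	Signature []byte
}

// aRecord is a small constructor so callers can pass the address as text.
func aRecord(name string, ttl uint32, ip string) ARecord {
	return ARecord{Name: name, TTL: ttl, IP: net.ParseIP(ip)}
}

// newZoneKey generates the zone's signing key pair. DNSSEC algorithm 15 is
// Ed25519 (RFC 8080), so the primitive is one real zones can use.
func newZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical serialises the RRset into the exact bytes that get signed: the
// lower-cased owner name, type, class, TTL and RDATA of each record. Signer and
// verifier must agree on this byte-for-byte; real DNSSEC defines the layout in
// RFC 4034 section 6 (and sorts the records), this one is a simplified stand-in.
func canonical(rrs []ARecord) []byte {
	var out []byte
	for _, rr := range rrs {
		name := strings.ToLower(strings.TrimSuffix(rr.Name, ".")) + "."
		out = append(append(out, byte(len(name))), name...) // DNS names are at most 255 bytes
		out = append(out, 0, 1, 0, 1)                       // TYPE=A, CLASS=IN
		out = append(out, byte(rr.TTL>>24), byte(rr.TTL>>16), byte(rr.TTL>>8), byte(rr.TTL))
		out = append(append(out, 0, 4), rr.IP.To4()...) // RDLENGTH=4, RDATA
	}
	return out
}

// signRRset is what the zone owner does offline with the private key.
func signRRset(priv ed25519.PrivateKey, rrs []ARecord) SignedRRset {
	return SignedRRset{Records: rrs, Signature: ed25519.Sign(priv, canonical(rrs))}
}

// verifyRRset is what a validating resolver does with the zone's public key,
// which it obtained through the DNSKEY/DS chain (assumed trusted here).
func verifyRRset(zoneKey ed25519.PublicKey, s SignedRRset) bool {
	return ed25519.Verify(zoneKey, canonical(s.Records), s.Signature)
}

// resolverAccepts returns the address for name only if the RRset carrying it
// verifies under the zone key. A spoofed reply that matched the transaction ID
// still fails here, because the attacker cannot produce a valid signature.
func resolverAccepts(zoneKey ed25519.PublicKey, s SignedRRset, name string) (net.IP, bool) {
	if !verifyRRset(zoneKey, s) {
		return nil, false
	}
	want := strings.ToLower(strings.TrimSuffix(name, "."))
	for _, rr := range s.Records {
		if strings.ToLower(strings.TrimSuffix(rr.Name, ".")) == want {
			return rr.IP, true
		}
	}
	return nil, false
}

func main() {
	zonePub, zonePriv := newZoneKey()
	// Constructed data: the bank's genuine record, signed by the zone owner.
	genuine := signRRset(zonePriv, []ARecord{aRecord("www.mybank.com", 300, "198.51.100.20")})
	// The attacker's forgery: same name, his own address, the genuine signature copied over.
	forged := SignedRRset{Records: []ARecord{aRecord("www.mybank.com", 300, "192.0.2.10")}, Signature: genuine.Signature}
	// Signing with a key of his own does not help: the resolver trusts only the zone key.
	_, attackerPriv := newZoneKey()
	resigned := signRRset(attackerPriv, forged.Records)
	for _, s := range []SignedRRset{genuine, forged, resigned} {
		ip, ok := resolverAccepts(zonePub, s, "www.mybank.com")
		fmt.Println(ok, ip)
	}
}
```

Only the genuine RRset resolves; the forgery with the copied signature and the forgery re-signed with the attacker's own key are both rejected. Note what this does and does not buy you: the check proves the records came from the zone owner, but the reply itself still travels in the clear and the protection only exists where the zone is signed and the resolver validates.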