What is DNS Spoofing?

DNS spoofing is a type of cyber attack in which a user is unknowingly directed to an attacker’s website that is disguised to look like the genuine one, with the intention of stealing the user’s credentials or diverting network traffic. 

The Domain Name System (DNS) locates nodes on the network and lets clients communicate with them by resolving alphabetical domain names like www.example.com into their respective IP addresses. Spoofing attacks, in turn, are cyber attacks that can go undetected for a long period of time and cause serious security problems for the victim system. These attacks trick victims into divulging personal information through email, text messages, caller ID and even GPS receivers. 

A DNS server resolves a domain name (such as abcd.com) into the IP address that is mapped to it. Once the DNS server finds the appropriate IP address, data transfer begins between the client and the website’s server. DNS spoofing is performed by replacing the IP addresses stored in the DNS server with IP addresses controlled by the attacker. Once the attacker has completed this against the victim’s machine, whenever the victim tries to navigate to a specific website, they are redirected to the false website created by the attacker via the spoofed DNS server. 

Methods of performing DNS spoofing attacks 

DNS spoofing attacks are categorized by the end goal the attacker is pursuing; the term covers a broad category of attacks that spoof DNS records. There are multiple ways to perform DNS spoofing, such as: 

  •  Compromising a DNS server 
  •  DNS cache poisoning 
  •  Man-in-the-middle attack (if the attacker can get access to the network) 
  •  Sequence number guessing (possibly by making many requests) 
  •  Creating a false base station and fabricating a DNS server on the network 

Two well-known methods of performing DNS spoofing are described below. 

DNS Cache Poisoning – In DNS cache poisoning, the local DNS server is replaced with a compromised DNS server that contains customized entries for genuine website names, with the IP addresses replaced by the attacker’s. Thus, when the victim sends a request to the local DNS server for IP resolution, the request is answered by the compromised DNS server, and the user is redirected to a counterfeit website planted by the attacker. The attack is made easier for the attacker when many end users share the same DNS cache and the attacker manages to inject a forged DNS entry into that cache. For example, ISPs run caching DNS servers and point their customers at them. If an attacker gets through the security controls and updates the server’s cache with an incorrect record, the attacker has successfully spoofed DNS records for every end user who relies on that cache. 

DNS ID Spoofing – In DNS ID spoofing, the victim sends a resolution request to the server, and the attacker duplicates the packet ID and IP information generated for that request in a response carrying forged information. Because the response ID matches the request ID, the victim’s machine accepts the response even though it contains information that was not expected. 

Notable DNS spoofing attacks 

DNS spoofing has never been an easy-to-detect cyber crime. On January 9, 2019, security vendor FireEye released its report, “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale,” which went into far greater technical detail about the “how” of the espionage campaign but contained few additional details about its victims. FireEye also reported that the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the login credentials for their Internet domain records. 

The Kaminsky attack against vulnerable resolvers also raised awareness of the seriousness of such issues. The description on the CVE page reads: 

“The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka DNS Insufficient Socket Entropy Vulnerability or the Kaminsky bug.” 
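The two weaknesses above, a reply accepted merely because its transaction ID matches (DNS ID spoofing) and the in-bailiwick referral abuse behind the Kaminsky bug, are shown here from the resolver's side: the checks a recursive resolver applies to a reply before caching anything from it. This is an added example written for this page, not code from the article or from any real resolver; the reply builder, the zone `example.com` and the addresses it uses are constructed for the demo.

```python
import struct

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (RFC 1035)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def read_name(pkt, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                 # compression pointer: follow it, remember where we left off
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels).lower(), (end if end is not None else off)
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n

def build_reply(ident, qname, answer=(), authority=(), additional=()):
    """Constructed reply for the demo: one A question; records are (name, rtype, rdata)."""
    hdr = struct.pack("!6H", ident, 0x8180, 1, len(answer), len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, rtype, rdata in (*answer, *authority, *additional):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body

def validate_reply(pkt, expected_id, expected_qname, zone):
    """Checks a resolver makes before caching. Returns (kept records, reason);
    kept is None when the reply is rejected outright."""
    ident, _, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if ident != expected_id:                  # ID spoofing: transaction ID does not match our query
        return None, "transaction ID mismatch"
    qname, off = read_name(pkt, 12)
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    off += 4                                   # skip QTYPE and QCLASS
    if qd != 1 or qname != expected_qname.lower() or qtype != 1:
        return None, "question does not echo our query"
    kept = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(pkt, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10 + rdlen
            # Bailiwick rule: only keep names at or below the zone the queried server serves.
            if name == zone or name.endswith("." + zone):
                kept.append((section, name, rtype))
    return kept, "ok"
```

A reply for www.example.com from example.com's server that carries the right ID but adds an A record for a name outside that zone passes the ID check, yet only the in-zone answer is kept and the out-of-bailiwick record is discarded.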

Preventive measures for DNS Spoofing 

Multiple experts have pointed to one persistent problem behind DNS-based attacks: a large number of organizations take much of their DNS infrastructure for granted. For example, many organizations neither keep a record of their DNS traffic nor maintain a history of the changes made to their domain records. 

Common tips to prevent DNS spoofing include keeping DNS software up to date, maintaining separate servers for public and internal services, and using secure keys to sign updates received from other DNS servers so that updates from untrusted sources are rejected. Some preventive measures for organizations include: 

  • Use DNSSEC – DNSSEC, or Domain Name System Security Extensions, uses digitally signed DNS records to help verify data authenticity. DNSSEC deployment is still a work in progress, but it was implemented at the Internet root level in 2010. An example of a DNS service that fully supports DNSSEC is Google’s Public DNS. 
  • Use registration features like Registry Lock, which help protect domain name records against unauthorized modification. 
  • Implement access control mechanisms for applications and Internet traffic, along with monitoring. 
  • Use two-factor authentication. 
  • Implement a unique password policy and password managers. 
  • Use certificate monitors via different mechanisms. 
  • Implement DNS spoofing detection mechanisms such as XArp. 
  • Use encrypted data transfer protocols – this kind of encryption lets users verify whether the server’s digital certificate is valid and belongs to the website’s expected owner. 

John Crain, chief security, stability and resiliency officer at ICANN, said: 

“A lot of this comes down to data hygiene. Large organizations down to mom-and-pop entities are not paying attention to some very basic security practices, like multi-factor authentication. These days, if you have a sub-optimal security stance, you’re going to get owned. That’s the reality today. We’re seeing much more sophisticated adversaries now taking actions on the Internet, and if you’re not doing the basic stuff they’re going to hit you.”