DNS (Domain Name System) Spoofing
Domain Name System (DNS)
This is the “phonebook” of the internet. DNS translates domain names into the corresponding IP addresses so that internet resources can be loaded. It is a directory of names with their related IP addresses. This directory is distributed around the world and stored on DNS servers. These servers communicate with each other and exchange updated information about domain names on a regular basis.
Domain names — the name of a website (example: Facebook).
IP addresses — the unique address that identifies a device on a local network or on the internet.
Web servers communicate using IP addresses. However, as humans we cannot remember all of those addresses. We enter only the name of the website we want to visit without specifying any IP address; the domain name system performs the necessary conversion for us and the correct web page is loaded.
How does DNS work?
Let’s try to understand the DNS process by dividing it into five main steps.
Step 01: Requesting Website Information
After the user enters a domain name, the computer looks for an IP address associated with that name in its local DNS cache. The local cache holds information about recently visited websites. If the requested website is in this cache, the site is loaded from it. Otherwise, the computer performs a DNS query.
Step 02: Contact Recursive DNS Servers
After the DNS query is sent, the request reaches the recursive DNS servers. These servers also keep a local cache. If the corresponding information is available there, the website is loaded from it. Otherwise, the query goes to the next step.
Step 03: Query Authoritative DNS Servers
The query reaches this stage if the requested information is not available in the recursive server’s cache. Authoritative servers hold the actual DNS records, that is, the domain names and their corresponding IP addresses, and answer the query from them.
Step 04: Access DNS Record
After the requested values are obtained from the authoritative DNS server or the recursive DNS server, the local cache stores the IP address together with the domain name. All these cached records carry a “time-to-live” (TTL) value, which determines when the record expires.
Step 05: Final DNS stage
At this stage, the IP address is identified and passed to the browser. The browser will then display the content.
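To make the five steps concrete, here is an added example (not code from the original article) that simulates the lookup chain: a client with a local cache, a recursive resolver with its own cache, and an authoritative server holding the zone data. The names, addresses, TTL and timestamps are constructed test values, and time is a plain integer so that TTL expiry can be followed by hand.

```python
from dataclasses import dataclass

# Constructed simulation of the lookup chain described above. Times are plain
# integers (seconds); "now" is passed in so that TTL expiry is deterministic.


@dataclass
class Record:
    ip: str
    ttl: int          # how long caches may keep this answer, in seconds


class Cache:
    """Name -> (ip, absolute expiry time). Expired entries are dropped on read."""

    def __init__(self):
        self._entries = {}

    def get(self, name, now):
        entry = self._entries.get(name)
        if entry is None:
            return None
        ip, expires = entry
        if now >= expires:
            del self._entries[name]        # TTL elapsed: treat as a cache miss
            return None
        return ip, expires - now           # remaining TTL is passed downstream

    def put(self, name, ip, ttl, now):
        self._entries[name] = (ip, now + ttl)


class AuthoritativeServer:
    """Step 3: answers only for names inside the zones it holds."""

    def __init__(self, zones):
        self.zones = zones                 # {zone name: {owner name: Record}}

    def query(self, name):
        for zone, records in self.zones.items():
            if name == zone or name.endswith("." + zone):
                return records.get(name)   # None = name does not exist in zone
        return None                        # not authoritative for this name


class RecursiveResolver:
    """Step 2: serve from cache when possible, otherwise ask the authority."""

    def __init__(self, authoritative):
        self.cache = Cache()
        self.auth = authoritative

    def resolve(self, name, now):
        hit = self.cache.get(name, now)
        if hit:
            return hit[0], hit[1], "recursive-cache"
        rec = self.auth.query(name)
        if rec is None:
            return None, 0, "authoritative"          # negative caching omitted here
        self.cache.put(name, rec.ip, rec.ttl, now)   # step 4: cache the record
        return rec.ip, rec.ttl, "authoritative"


class Client:
    """Step 1: check the local cache before sending a DNS query at all."""

    def __init__(self, resolver):
        self.cache = Cache()
        self.resolver = resolver

    def lookup(self, name, now):
        hit = self.cache.get(name, now)
        if hit:
            return hit[0], "local-cache"
        ip, ttl, source = self.resolver.resolve(name, now)
        if ip is not None:
            self.cache.put(name, ip, ttl, now)
        return ip, source                  # step 5: the address goes to the browser


if __name__ == "__main__":
    auth = AuthoritativeServer({"example.com.": {"www.example.com.": Record("192.0.2.10", 60)}})
    resolver = RecursiveResolver(auth)
    alice, bob = Client(resolver), Client(resolver)
    print(alice.lookup("www.example.com.", 1000))   # ('192.0.2.10', 'authoritative')
    print(alice.lookup("www.example.com.", 1010))   # ('192.0.2.10', 'local-cache')
    print(bob.lookup("www.example.com.", 1020))     # ('192.0.2.10', 'recursive-cache')
    print(alice.lookup("www.example.com.", 1061))   # ('192.0.2.10', 'authoritative')
```

The second client gets the answer from the recursive resolver’s cache with the remaining TTL, so every cache along the chain expires at the same moment (time 1060 here); after that, the next lookup goes back to the authoritative server. This is also why a poisoned cache entry keeps serving a wrong address until its TTL runs out.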
There are 4 main types of DNS servers.
Recursive Name Server
These are the servers that receive queries from clients. They do not store authoritative DNS records; they only keep a cache. If the record is not in the cache, the query is passed on to other recursive name servers, and this continues until it reaches the authoritative DNS server.
Authoritative DNS Server
Stores a large number of DNS records and answers only queries for records held in its local DNS zone files.
DNS Zones
A dedicated administrative space within the DNS. Each zone has the resource records of its domain names.
DNS Zone File
Holds all the records for every domain belonging to that particular zone. A zone file contains a field called TTL (Time to Live), which determines how long a DNS record may be kept in a server’s cache.
We can use the following commands to view the available details about the network, such as DNS settings, IP addresses, IP versions, subnet mask, default gateway, etc.
In Windows —
ipconfig /all
In macOS and Linux —
/sbin/ifconfig
[Screenshot: sample output of the command]
Attackers can carry out various attacks against the Domain Name System, such as DNS reflection attacks, DNS cache poisoning and DNS resource exhaustion.
DNS Spoofing
Standard Definition —
“DNS spoofing is an attack in which altered DNS records are used to redirect online traffic to a malicious website that resembles its intended Destination”
In simple terms, DNS spoofing is a cyber attack in which a user is sent to a malicious website made to look like a legitimate one, by diverting the network traffic. There are two main ways to perform DNS spoofing attacks.
- DNS Cache Poisoning
- DNS ID Spoofing
DNS Cache Poisoning
In DNS cache poisoning, a fraudulent IP address is written into the local cache. From then on the user keeps being redirected to the malicious website even though they entered the correct website name.
DNS ID Spoofing
In DNS ID spoofing, a forged reply copies the packet ID and IP information of the client’s resolve request but carries fake answer data. The client accepts it because the response ID matches the request ID.
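The checks a resolver applies before trusting a reply are the defence against the ID-spoofing and cache-poisoning cases above. The following is an added example, not code from the article: a small parser for the DNS wire format plus a `check_reply` function that compares an incoming response with the outstanding query (transaction ID, source address and port, question section, and whether each answer is inside the zone the queried server is responsible for, the “bailiwick”). `build_response`, the `PendingQuery` class and all addresses are constructed here for the demonstration.

```python
import struct
from dataclasses import dataclass

# Minimal RFC 1035 wire-format helpers. Names are handled lowercase with a trailing dot.


def encode_name(name):
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(txid, qname, qtype, answers):
    """Constructed test input: a standard response carrying A records (name, ttl, ipv4)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, ttl, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + body


def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return txid, flags, questions, answers


@dataclass
class PendingQuery:
    txid: int
    qname: str
    qtype: int
    server: tuple          # (ip, port) the query was sent to
    zone: str              # zone that server is expected to answer for (bailiwick)


def check_reply(pending, msg, src):
    """Return the reasons a resolver should discard this reply (empty list = accept)."""
    problems = []
    txid, flags, questions, answers = parse_response(msg)
    if src != pending.server:
        problems.append("source address/port differs from the server queried")
    if txid != pending.txid:
        problems.append("transaction ID does not match the outstanding query")
    if not flags & 0x8000:
        problems.append("QR bit not set: not a response")
    if questions != [(pending.qname.lower(), pending.qtype)]:
        problems.append("question section differs from our query")
    for name, _rtype, _ttl, _rdata in answers:
        if not (name == pending.zone or name.endswith("." + pending.zone)):
            problems.append(f"out-of-bailiwick record for {name}")
    return problems
```

A reply that fails any check is dropped rather than cached. Note that the transaction ID is only 16 bits, so on its own it is weak; the source-port and question checks, and ultimately DNSSEC validation, are what make the acceptance decision robust.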
Risks associated with DNS Spoofing
Phishing attacks —
This is the most common reason for carrying out DNS spoofing. Attackers primarily target users of online banking sites, social networks and similar services and try to redirect them to their malicious websites. The users may then enter their username and password, which are saved in the attacker’s private database, and their bank accounts may be compromised.
Malware Injection —
DNS spoofing redirects users automatically. The website they are redirected to could be infested with malicious downloads that infect the system and cause various problems.
Halted Security Updates —
Attackers may target the websites that serve security updates, so that the necessary updates are never downloaded to the machine. These security patches are essential to protect systems against cyber attacks.
How to prevent DNS Spoofing?
As users —
- Use a DNS spoofing detection tool.
- Stop clicking on links that you don't recognize.
- Regularly perform security scans to detect malware.
- Use a Virtual Private Network (VPN).
- Always visit websites with “HTTPS”.
As Server Managers —
- Set up and maintain separate private DNS servers.
- Lower the TTL (time to live) value.
- Disable “Hosts” file resolution.
- Forward DNS queries only to verified DNS servers.
- Cluster DNS resources.
DNSSEC to prevent DNS Spoofing
DNSSEC stands for Domain Name System Security Extensions. It uses digital signatures based on public key cryptography to strengthen the standard authentication in DNS. In DNSSEC, the recursive DNS server has a validation mechanism that verifies a result before storing it in the cache. For validation purposes, DNSSEC provides a few different DNS resource record types.
- Resource Record Signature (RRSIG): contains the cryptographic signature for a particular record set.
- DNSKEY: the public key used in the DNS authentication process.
- Delegation Signer (DS): a hashed “fingerprint” of the public DNSKEY, published in the parent zone.
- Next Secure (NSEC): returns the next valid record name, proving that no name exists in between.
- NSEC3PARAM: holds the parameters the DNS server uses for NSEC3 records.
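The DS record is the link that lets a validator trust a child zone’s DNSKEY on the strength of the parent zone. As an added example (not code from the article), the block below computes the two values a DS carries, the key tag from RFC 4034 Appendix B and the SHA-256 digest over the canonical owner name and the DNSKEY RDATA from RFC 4509, and then performs the validator-side check of selecting the DNSKEY that a DS from the parent vouches for. The 64-byte public key is constructed filler, not a real key; `find_trusted_key` is a helper written for this example.

```python
import hashlib
import hmac
import struct

# Added example: DS <-> DNSKEY matching, the delegation step of DNSSEC validation.
# Key tag per RFC 4034 Appendix B; DS digest type 2 (SHA-256) per RFC 4509.
# Signature verification of RRSIGs is a separate step, not shown here.


def canonical_name(name):
    """Owner name in canonical wire form: lowercase labels, length-prefixed, root terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """RDATA of a DNSKEY record: 2-byte flags, protocol (always 3), algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """16-bit key tag used to pick the matching DNSKEY out of a zone's key set."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest = SHA-256(canonical owner name || DNSKEY RDATA), as hex."""
    return hashlib.sha256(canonical_name(owner) + rdata).hexdigest()


def make_ds(owner, rdata):
    """The DS record the parent zone publishes: (key tag, algorithm, digest type, digest)."""
    return key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata)


def ds_matches(ds, owner, rdata):
    """Validator side: does this child DNSKEY correspond to a DS obtained from the parent?"""
    tag, algorithm, digest_type, digest = ds
    if digest_type != 2 or algorithm != rdata[3] or tag != key_tag(rdata):
        return False
    return hmac.compare_digest(digest, ds_digest(owner, rdata))


def find_trusted_key(ds_set, owner, dnskey_set):
    """Return the first DNSKEY in the child's key set that some parent DS vouches for, else None."""
    for rdata in dnskey_set:
        if any(ds_matches(ds, owner, rdata) for ds in ds_set):
            return rdata
    return None   # chain of trust broken: nothing signed with these keys can be trusted


if __name__ == "__main__":
    # flags 257 = zone key with the SEP bit (a KSK); algorithm 13 = ECDSAP256SHA256 (64-byte key)
    ksk = dnskey_rdata(257, 3, 13, bytes(range(64)))   # constructed filler, not a real key
    ds = make_ds("example.com.", ksk)
    print("key tag:", ds[0])                              # 59409
    print("digest:", ds[3])
    print("trusted:", find_trusted_key([ds], "example.com.", [ksk]) is ksk)
```

A validating resolver starts from the root trust anchor (a DS for the root DNSKEY), uses `ds_matches` at each delegation to accept the child’s key, and then checks the RRSIG on the answer with that key; if any link fails, the answer is treated as bogus and is not cached, which is what stops a spoofed record from being accepted.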
The DNSSEC validation process happens as follows and protects the system from DNS spoofing attacks.