Domain Name System (DNS) poisoning and spoofing are types of cyberattack that exploit DNS server vulnerabilities to divert traffic away from legitimate servers towards fake ones. Once you’ve traveled to a fraudulent page, you may be puzzled on how to resolve it — despite being the only one who can. You’ll need to know exactly how it works to protect yourself.
DNS spoofing and by extension, DNS cache poisoning are among the more deceptive cyberthreats. Without understanding how the internet connects you to websites, you may be deceived into thinking a website itself is hacked. In some cases, it may just be your device. Even worse, cybersecurity suites can only stop some of the DNS spoof-related threats.
You might be wondering, “what is a DNS?” To reiterate, DNS stands for “domain name system.” But before we explain DNS servers, it’s important to clarify the terms involved with this topic.
An Internet Protocol (IP) address is the number string ID name for each unique computer and server. These IDs are what computers use to locate and “talk” to each other.
A domain is a text name that humans use to remember, identify, and connect to specific website servers. For example, a domain like “www.example.com” is used as an easy way to understand the actual target server ID — i.e. an IP address.
A domain namesystem (DNS) is used to translate the domain into the corresponding IP address.
Domain name system servers (DNS servers) are a collective of four server types that compose the DNS lookup process. They include the resolving name server, root name servers, top-level domain (TLD) name servers, and authoritative name servers. For simplicity, we’ll only detail the specifics on the resolver server.
Resolving name server (or recursive resolver) is the translating component of the DNS lookup process residing in your operating system. It is designed to ask — i.e. query — a series of web servers for the target IP address of a domain name.
Now that we’ve established a DNS definition and general understanding of DNS, we can explore how DNS lookup works.
When you search for a website via domain name, here’s how the DNS lookup works
The DNS lookup process is the vital framework used by the entire internet. Unfortunately, criminals can abuse vulnerabilities in DNS meaning you’ll need to be aware of possible redirects. To help you, let’s explain what DNS spoofing is and how it works.
In regard to DNS, the most prominent threats are two-fold:
Among the various methods for DNS spoof attacks, these are some of the more common:
Man-in-the-middle duping: Where an attacker steps between your web browser and the DNS server to infect both. A tool is used for a simultaneous cache poisoning on your local device, and server poisoning on the DNS server. The result is a redirect to a malicious site hosted on the attacker’s own local server.
DNS server hijack: The criminal directly reconfigures the server to direct all requesting users to the malicious website. Once a fraudulent DNS entry is injected onto the DNS server, any IP request for the spoofed domain will result in the fake site.
DNS cache poisoning via spam: The code for DNS cache poisoning is often found in URLs sent via spam emails. These emails attempt to frighten users into clicking on the supplied URL, which in turn infects their computer. Banner ads and images — both in emails and untrustworthy websites — can also direct users to this code. Once poisoned, your computer will take you to fake websites that are spoofed to look like the real thing. This is where the true threats are introduced to your devices.
Here are common risks of DNS poisoning and spoofing:
DNS spoofing poses several risks, each putting your devices and personal data in harm’s way.
Data theft can be particularly lucrative for DNS spoof attackers. Banking websites and popular online retailers are easily spoofed, meaning any password, credit card or personal information may be compromised. The redirects would be phishing websites designed to collect your info.
Malware infection is yet another common threat with DNS spoofing. With a spoof redirecting you, the destination could end up being a site infested with malicious downloads. Drive by downloads are an easy way to automate the infection of your system. Ultimately if you’re not using internet security, you’re exposed to risks like spyware, keyloggers or worms.
Halted security updates can result from a DNS spoof. If spoofed sites include internet security providers, legitimate security updates will not be performed. As a result, your computer may be exposed to additional threats such as viruses or Trojans.
Censorship is a risk that is actually commonplace in some parts of the world. For example, China uses modifications to the DNS to ensure all websites viewed within the country are approved. This nation-level block, dubbed the Great Firewall, is one example of how powerful DNS spoofing can be.
Specifically, eliminating DNS cache poisoning is difficult. Since cleaning an infected server does not rid a desktop or mobile device of the problem, the device will return to the spoofed site. Furthermore, clean desktops connecting to an infected server will be compromised again.
When looking to prevent DNS spoofing, user-end protections are limited. Website owners and server providers are a bit more empowered to protect themselves and their users. To appropriately keep everyone safe, both parties must try to avoid spoofs.
Here's how to prevent for website owners and DNS service providers:
Here’s how to prevent for endpoint users:
As a website owner or DNS server provider, the responsibility to defend users is firmly in your hands. You can implement various protective tools and protocols to keep threats out. Among these resources, you would be wise to use some of the following:
Users are particularly vulnerable in these to avoid being a victim of a DNS poisoning attack, you should follow these simple tips:
Don’t leave yourself vulnerable to DNS spoofing and malware attacks. Protect yourself today with Kaspersky Security Cloud — available for both Windows PC and Mac iOS.