"Domain Name Server (DNS)" is a standard protocol that helps Internet users discover websites using human readable addresses. Like a phonebook which lets you look up the name of a person and discover their number, DNS lets you type the address of a website and automatically discover the Internet Protocol (IP) address for that website.
Without DNS, the Internet would collapse - it would be impossible for people and machines to access Internet servers via the friendly URLs they have come to know.
In simple words, The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.
"Each device connected to the Internet has a unique IP address which other machines use to find the device. DNS servers eliminate the need for humans to memorize IP addresses such as 192.168.1.1 (in IPv4), or more complex newer alphanumeric IP addresses such as 2400:cb00:2048:1::c629:d7a2 (in IPv6)."
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's computer.
DNS spoofing occurs when a particular DNS server’s records are spoofed or maliciously altered to redirect traffic to the attacker. This redirection of traffic allows the attacker to spread malware, steal data, etc.
For example, if a DNS record is spoofed, then the attacker can manage to redirect all the traffic that relied on the correct DNS record to visit a fake website that the attacker has created to resemble the real site or a different site completely.
DNS spoofing occurs when someone—usually a hacker—alters the entries in a nameserver’s DNS resolver cache. This is akin to changing someone’s phone number in the phone book. For example, if someone changed the entry for “CYBER4ALL.in,” any of our readers using that nameserver would be diverted to whatever IP address the hacker specified.
There are a number of reasons why a hacker or other entity might do this:
Launch an attack:
By changing the IP address for a popular domain like Google.com, for example, a hacker could divert a large amount of traffic to a server incapable of handling so much traffic. This can cause the server to slow down, stop, and encounter numerous errors. Such a “denial-of-service” attack can shut down a website or game server, for example.
A corrupted DNS entry can redirect users to websites they do not intend to visit. A hacker might use this to send victims to a phishing site. Phishing sites often look identical to the real website but are operated by a hacker, tricking the user into entering private information such as their username and password. ISPs sometimes use DNS redirection to serve advertisements and collect user browsing data.
Browsing the web is nearly impossible without DNS, so whoever controls the DNS server controls who sees what on the web. Government-controlled ISPs in China, for instance, use DNS tampering as part of their nationwide censorship system, known as the Great Firewall, to block websites from public view.
Tampering with an existing DNS nameserver’s resolver cache, or
Creating a malicious DNS nameserver and spreading malware that makes routers and end user devices use it
Tampering with a nameserver’s DNS resolver cache can be done either intentionally by the administrator, such as an ISP that wants to serve ads or censor content, or by a hacker.
DNS Changer Malware
Hackers can either attack the nameserver itself or end user devices. Tampering with an existing DNS server affects more people, but due to high levels of security that typically guard nameservers, is more difficult to pull off.
Instead, hackers often set up their own malicious DNS nameservers rather than breaching an existing one. They then use any number of methods to distribute DNS changer malware to end user devices—computers and smartphones—and wifi routers. DNS changer malware covertly alters a device’s internet settings to point DNS requests to a malicious nameserver. They can then redirect victims who request legitimate websites to phishing and malware-infected sites.
Besides end user devices, hackers may target wifi routers with DNS changer malware. A router can override the DNS settings specified in a computer or smartphone. This is particularly a threat when connected to open and public wifi hotspots.
HOW DNS SPOOFING IS CARRIED OUT:
DNS spoofing is an overarching term and can be carried out using various methods such as:
DNS Cache Poisoning
Compromising a DNS Server
Implementing a Man-In-The-Middle Attack
However, an attacker’s end goal is usually the same no matter which method they use: either they want to steal information, reroute you to a website that benefits them, or spread malware. The most discussed methods of performing DNS spoofing are cache poisoning and MITM.
1. DNS Cache Poisoning
DNS servers cache DNS translations for faster, more efficient browsing, and attackers can take advantage of this to perform DNS spoofing. If an attacker is able to inject a forged DNS entry into the DNS server’s cache, all users of that server will be served the forged entry until the cache expires.
Once the cache expires, the DNS entry will return to normal as the DNS server will go through the complete DNS lookup process again.
However, if the DNS server’s software still hasn’t been updated, then the attacker can replicate this error and continue funneling visitors to their website.
If the malicious website is very similar to the website it is trying to impersonate, some users may not even notice the difference.
Additionally, if the attacker is using DNS cache poisoning to compromise one company’s DNS records, for example in order to gain access to their email, then this may also be difficult to detect.
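The checks a resolver applies before it caches a reply are what make the forged-entry injection described above hard: the response must carry the transaction ID of a query actually in flight, must answer the exact question asked, and may only contribute records for the name that was queried (the "bailiwick" rule). The following added example (not code from the original article) builds constructed DNS wire-format responses and vets them the way a cautious resolver would; the function names and the 192.0.2.x / 203.0.113.x addresses are illustrative.

```python
import struct

def encode_name(name):
    # Wire format: length-prefixed labels ending in a zero byte (RFC 1035 3.1).
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    # Returns (lower-cased name, offset after the name); follows compression pointers.
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels).lower(), (end if end is not None else off + 1)

def build_response(txid, qname, answers):
    # Constructed sample response: one IN A question, A-record answers, TTL 300.
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return msg

def parse_response(msg):
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        answers.append((owner, rtype, ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return txid, flags, (qname, qtype, qclass), answers

def vet_response(pending, msg):
    # pending = (txid, qname, qtype) of the query this resolver actually sent.
    # Returns the answers safe to cache; [] means drop the datagram.
    txid, flags, (qname, qtype, _), answers = parse_response(msg)
    if not (flags & 0x8000) or txid != pending[0]:      # not a response, or TXID mismatch
        return []
    if (qname, qtype) != (pending[1].lower(), pending[2]):  # answers a question we never asked
        return []
    # Bailiwick rule: keep only records whose owner is the name we queried, so a
    # reply for example.com cannot plant a record for some other domain.
    return [a for a in answers if a[0] == qname]
```

Real resolvers additionally require the reply to arrive on the socket and source port the query left from and, with DNSSEC, to validate; those checks are outside this offline example.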
2. Man in the middle (MITM)
The interception of communications between users and a DNS server in order to route users to a different/malicious IP address.
DETECTION & PREVENTION AGAINST DNS SPOOFING:
Detecting whether your DNS server has been tampered with or you’ve been infected with DNS changer malware can be difficult. Most of us don’t routinely check our DNS settings, and it may well be that only a few DNS entries have been poisoned. You might encounter more ads or involuntary redirection, but there may be no clear symptoms at all.
That said, here are a few precautions you can and should take to protect yourself from DNS spoofing:
1. Implement DNS Spoofing Detection Mechanisms
It’s important to implement DNS spoofing detection software. Products such as XArp help protect against ARP cache poisoning by inspecting the data that comes through before transmitting it.
2. Use encrypted data transfer protocols
Using end-to-end encryption via SSL or TLS will help decrease the chance that a website or its visitors are compromised by DNS spoofing. This type of encryption allows users to verify whether the server’s digital certificate is valid and belongs to the website’s expected owner.
3. Always Check For HTTPS
If DNS spoofing has led you to a malicious website, it will likely look identical or nearly identical to the genuine site you intended to visit. The difference is that the imposter won’t have a valid SSL certificate for the domain, which means you won’t see “https” or a closed padlock in your browser’s URL bar. The padlock indicates that your connection to the site is encrypted and verifies the server owner is who it says it is.
Note that not all websites use HTTPS, so this is not a foolproof method. You can install the HTTPS Everywhere browser extension to force your browser to always load the HTTPS version of a website when available.
If you come across a site with HTTPS but it’s indicated in red or crossed out, then the SSL certificate is not valid and you should leave the site immediately.
4. Encrypted DNS
Due to the well-documented security weaknesses in DNS, a few vendors have stepped up to provide improved DNS security.
DNSCrypt is perhaps the most popular of these for end users. DNSCrypt is a lightweight app that encrypts DNS traffic between the user and an OpenDNS nameserver, much in the same way that SSL encrypts traffic to websites that use HTTPS. This prevents spying, man-in-the-middle attacks, and, of course, DNS spoofing. You will need to configure your device to use an OpenDNS nameserver, which is free.
A VPN, short for Virtual Private Network, is a service that encrypts all the internet traffic going to and from your device and routes it through an intermediary server in a location of the user’s choosing. Quality VPN services use their own private DNS servers, and all DNS requests are sent through the encrypted tunnel. This means DNS requests cannot be intercepted or altered, and you’ll be using a (hopefully) secure nameserver.
Note that not all VPNs are created equal. Some use public DNS servers like Google DNS, while others allow DNS requests to leak outside of the encrypted tunnel, which means the default nameserver is used. Be sure to research your VPN provider’s specifications regarding DNS servers and DNS leak protection before signing up.
Use up-to-date antivirus software and keep real-time protection enabled. This should stop malware payloads containing DNS changer malware from infecting your device and other devices, including routers, on the network.
WebRTC is a communications protocol used by browser-based Voice over Internet Protocol (VoIP) services like Skype for Chrome. Chances are you don’t need it, but it’s enabled by default in most browsers including Firefox and Chrome. In Chrome, you can disable WebRTC by installing the WebRTC Network Limiter extension.
In Firefox, enter about:config in the URL bar. Search for the media.peerconnection.enabled parameter and set it to false.
A good VPN will disable WebRTC for you. If you’re not sure whether WebRTC is enabled in your browser, you can run a test here.
For those operating nameservers, Domain Name System Security Extensions (DNSSEC) uses digitally signed DNS records to help determine data authenticity & provide sorely needed authentication.
This suite of specifications ensures trust between the end user and the DNS server. With DNSSEC properly implemented, the user knows responses come from the domain name owner and not from a corrupted DNS entry.
An example of a DNS service that fully supports DNSSEC is Google’s Public DNS.
Unfortunately, we’ve yet to reach wide-scale deployment. Relatively few domains and nameservers employ DNSSEC, and there’s not much to be done on the end user’s side. DNSSEC also does not encrypt DNS records.