What is DNS poisoning (and how to prevent it)

If Hollywood movies teach us anything, it’s that hackers are smart and have various tricks to evade our security. In the real world, a security problem often boils down to opportunity rather than developed skill. A “DNS poisoning” attack fits this description, and you should have the skills to keep your own domain from being spoofed.

The concept is simple: visitors are sent to a site that looks like yours but is fraudulent and harmful, and because the fake looks so similar, they rarely notice. As such, you must employ various techniques to make sure that users are safe and your site remains attack-free.

In this post, we delve into the concept of DNS poisoning and domain spoofing. We also cover some of the surrounding concepts, so that you understand why our final answer is the best approach to understanding DNS poisoning and preventing it.

Introduction to Domain Name System (DNS)


Before we get into the details of DNS poisoning, let’s talk about the domain name system. Although browsing a website seems like a simple task, there is a lot going on under the hood of the server.

There are many elements involved to get you from “A” to “B”:

  • IP address. This is a string of numbers that is your actual web address. Think of it as the coordinates of your house. For example, 127.0.0.1 is the standard “localhost” address (that is, your own computer), and 127.0.0.1:8080 is the same address with a port number attached.
  • Domain name. If the IP address represents coordinates, the domain name is your address as it appears on the envelope. “Phluit.com” is one of millions of examples.
  • A DNS request. This is a good example of a simple frontend action backed by a complex low-level process. For now, think of a request as your browser asking a dedicated server for the coordinates (the IP address) that match an address (the domain name).
  • A DNS server. This is separate from your website’s server, and is really four servers in one. Its job is to process DNS requests. We’ll talk about this in more detail in later sections.
  • Recursive server. You’ll also see these called “resolving name servers”. It is part of the DNS lookup process and is responsible for querying other servers to find the IP address that corresponds to a domain name.


In general, DNS makes reaching a site by its domain name simple for the end user. It’s a fundamental part of the Web, and as such has many moving parts.

We’ll look at the actual lookup process below, though you can already see how DNS has a vital job to do.

The process of a DNS lookup


Bear with us here as we offer what seems like an abstract analogy.

Activities that take people to remote places, such as mountain climbing or sailing, share a specific danger: getting lost and not being found in time. The traditional way of locating stranded people has been to use coordinates. They are explicit and offer pinpoint accuracy.

However, this process has drawbacks. First, you need to know how to calculate your coordinates for any location, which is tricky if you’re in a remote part of the world. Second, you must articulate those coordinates to the rescue team. One wrong number and the consequences are dire.

The what3words app takes the complex process of calculating and transmitting coordinates and turns it into a three-word summary of your general location. For example, take Automattic’s headquarters.

The coordinates of the location are 37.744159, -122.421555. However, unless you’re an expert navigator, you probably don’t know this. Even if you did, getting those numbers into the hands of someone who can help you is a slim proposition.

In a nutshell, what3words takes an abstract set of coordinates and translates them into three memorable words. For Automattic’s offices, it’s decent.transfers.sleeps.

This puts complex global positioning in the hands of almost anyone with access to the application. It has already saved many civilian lives.

This is related to a DNS lookup because the process is similar. In the case of what3words, the rescuer asks the app for the coordinates that correspond to a string of words. The request goes through the servers, which look up the coordinates and return them to the end user once found.

A DNS lookup has a similar flow:

  • Your browser requests the IP address for a domain name.
  • Your operating system (OS) asks the recursive server to find the domain name, and the recursive server starts a run through its collection of servers.
  • When the matching IP address is found, it is returned to the browser.

One of the drawbacks of what3words is that a string of words is not as precise as a set of coordinates. This means you can quickly pinpoint a general location, but may spend more time looking for the stranded person.

A DNS lookup also has drawbacks and can be exploited by malicious attackers. However, before we look at this, let’s take a short detour to talk about caching and how it can speed up a search.

DNS caching


Like web caching, DNS caching lets a resolver remember the answers to frequent queries. This makes obtaining an IP address faster on each new visit.

In short, the cache sits inside the DNS server system and cuts out the extra trip to the recursive server. This means a browser can obtain an IP address directly from the DNS server and complete its GET request more quickly.

You will find DNS caches all over your system. For example, your computer will have a DNS cache, as will your router and Internet Service Provider (ISP). Often you don’t realize how much your browsing experience relies on DNS caching, until you fall victim to DNS poisoning.
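To make the caching behaviour concrete, here is an added example that is not part of the original article: a minimal DNS cache with TTL expiry. It shows that whatever record sits in the cache, genuine or forged, is served to every client until its TTL runs out, and that flushing the cache removes it immediately. The domain, the addresses and the TTLs are constructed for the demonstration (documentation ranges from RFC 5737), and the class is a hypothetical one, not any resolver’s real implementation.

```python
# Added example: a TTL-aware DNS cache (hypothetical, not any resolver's code).
# Demonstrates why a cached record, forged or not, is served until its TTL
# expires, and why a flush clears it at once.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CacheEntry:
    rdata: str          # record data, e.g. an IPv4 address
    expires_at: float   # absolute time in seconds after which the entry is stale


class DnsCache:
    """Cache keyed by (lower-cased name, record type); entries live until their TTL expires."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], CacheEntry] = {}

    def put(self, name: str, rtype: str, rdata: str, ttl: int, now: float) -> None:
        # A newer answer for the same name/type replaces the old one.
        self._entries[(name.lower(), rtype)] = CacheEntry(rdata, now + ttl)

    def get(self, name: str, rtype: str, now: float) -> Optional[str]:
        """Return the cached data, or None if absent or expired (expired entries are evicted)."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if now >= entry.expires_at:
            del self._entries[key]
            return None
        return entry.rdata

    def remaining_ttl(self, name: str, rtype: str, now: float) -> int:
        """Seconds until the entry expires (0 if it is not cached)."""
        entry = self._entries.get((name.lower(), rtype))
        if entry is None or now >= entry.expires_at:
            return 0
        return int(entry.expires_at - now)

    def flush(self) -> None:
        """Drop every entry; the next lookup must go back to the authoritative source."""
        self._entries.clear()


def simulate_poisoning(ttl: int) -> Dict[str, Optional[str]]:
    """Constructed scenario: a forged A record replaces the genuine one at t=0 with the
    given TTL. Returns what a client resolving the name receives at several moments."""
    cache = DnsCache()
    # Genuine record learned earlier (constructed value from a documentation range).
    cache.put("www.example.com", "A", "203.0.113.10", ttl=3600, now=0)
    # Forged record overwrites it at t=0 and is served for `ttl` seconds.
    cache.put("www.example.com", "A", "198.51.100.66", ttl=ttl, now=0)
    seen = {
        "t0": cache.get("www.example.com", "A", now=0),
        "before_expiry": cache.get("www.example.com", "A", now=ttl - 1),
        "after_expiry": cache.get("www.example.com", "A", now=ttl),
    }
    # Cache the forged record again, then flush manually: nothing is served from cache.
    cache.put("www.example.com", "A", "198.51.100.66", ttl=ttl, now=ttl)
    cache.flush()
    seen["after_flush"] = cache.get("www.example.com", "A", now=ttl)
    return seen


if __name__ == "__main__":
    for moment, answer in simulate_poisoning(300).items():
        print(f"{moment:>14}: {answer}")
```

The exposure window for a bad entry is exactly the TTL the cache accepted for it; that is why the later sections talk about cache TTLs and about flushing a client cache as part of cleanup.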

What is DNS poisoning


Now that you understand the concept of a DNS lookup and the whole process of obtaining an IP address, we can see how an attacker can take advantage of it.

You’ll also often see DNS poisoning referred to as “spoofing”, because placing a fraudulent look-alike website in the chain is part of the attack.

We are going to talk in more detail about all these aspects, but know that DNS poisoning or spoofing is a harmful attack that can cause mental, monetary and resource-related problems for users and the Internet.

First though, let’s get into the cache poisoning process.

How DNS spoofing and cache poisoning works


Because the entire spoofing process is complex, attackers have come up with many different ways to achieve their goal:

  • Machine in the middle. This is where an attacker gets between the browser and the DNS server, poisons both, and redirects the user to a fraudulent site on their own server.
  • Server hijack. If an attacker breaks into the DNS server, they can reconfigure it to send all requests to their own site.
  • Spam poisoning. Unlike a server hijack, this approach poisons the client side (i.e. the browser). It is often delivered through spammy links, emails, and scam ads.
  • “Birthday attacks”. This is a complex attack borrowed from cryptanalysis and needs a more detailed explanation.

A birthday attack is based on the “birthday problem”. This is a probability scenario which says (in a nutshell) that if there are 23 people in a room, there is a 50% chance that two of them share a birthday. The more people in the room, the higher the chances.

Applied to DNS, the attack targets the identifier that ties a DNS lookup request to its response. If the attacker sends a certain number of random requests and responses, there is a high probability that one identifier will match and the poisoning attempt will succeed. At around 450 requests, the probability is about 75%, and at 700 requests an attacker is almost certain to succeed.
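As an added worked computation (not from the original article), the figures above follow from the classic birthday formula applied to the DNS transaction ID, which is a 16-bit field with $2^{16} = 65536$ possible values. Counting the $n(n-1)/2$ pairs among $n$ random values, the chance that at least one pair shares an identifier is

$$P(n) \approx 1 - \left(1 - \frac{1}{65536}\right)^{n(n-1)/2} \approx 1 - e^{-n(n-1)/131072}.$$

For $n = 450$ this gives $P \approx 1 - e^{-1.54} \approx 0.79$, and for $n = 700$ it gives $P \approx 1 - e^{-3.73} \approx 0.98$, in line with the 75% and near-certain figures quoted above. The same formula with 365 possible birthdays and $n = 23$ gives $1 - e^{-253/365} \approx 0.50$, the classic birthday result. This is also why the resolver’s source port, mentioned below, matters: a resolver that randomizes its source port as well as its transaction ID forces a match on both fields, roughly $2^{32}$ combinations instead of $2^{16}$, which pushes $n$ far beyond a few hundred.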

In summary, attacks target the DNS server in most cases because that gives a malicious user more leverage over your site and your users’ data. There is also no verification of DNS data, because the requests and responses are normally sent over UDP rather than Transmission Control Protocol (TCP).

The weak link in the chain is the DNS cache because it acts as a repository for DNS entries. If an attacker can inject spoofed entries into the cache, all users accessing the cache will find themselves on a rogue site until the cache expires.

Attackers will often look for a few signals, weak spots, and data points to target. They try to spot DNS queries that haven’t been cached yet, because the recursive server will have to perform the lookup at some point. By extension, an attacker will also look up the name server that a query will go to. Once they have that, the port the resolver uses and the request ID number are the remaining vital pieces.

While it’s not necessary to meet all of these requirements (after all, an attacker can get at servers through numerous methods), checking these boxes makes their job easier.

Real world examples of DNS poisoning


There have been some high profile examples over the years of DNS poisoning. In some cases, it is an intentional act. For example, China operates a large-scale firewall (the so-called “Great Firewall of China”) to control the information that Internet users receive.

Simply put, they poison their own servers to redirect visitors away from non-state-sanctioned sites such as Twitter and Facebook. In one case, Chinese restrictions even made their way into the ecosystem of the Western world.

A network error at a Swedish ISP served root DNS information sourced from Chinese servers. This meant that users in Chile and the US were redirected elsewhere when accessing some social networking sites.

In another example, Bangladeshi hackers protesting mistreatment in Malaysia poisoned many domains related to Microsoft, Google, YouTube, and other high-profile sites. This appears to have been a case of server hijacking rather than a client side issue or spam.

Even WikiLeaks is not immune to DNS poisoning attacks. A possible server hijack a few years ago caused website visitors to be redirected to a page dedicated to hackers.

DNS poisoning doesn’t have to be a complicated process. So-called “ethical hackers”, that is, those who seek to expose security flaws rather than inflict damage, have simple methods for testing spoofing on their own computers.

However, aside from being redirected, there may not seem to be any long-term effects of DNS poisoning on the surface. In fact, there are, and we’ll talk about them next.

Why DNS poisoning and spoofing are so harmful


There are three primary goals of an attacker hoping to perform DNS poisoning on a server:

  • To spread malware.
  • To redirect you to another website that benefits them in some way.
  • To steal information, either from you or from another entity.

Of course, understanding why DNS poisoning or spoofing is a problem for ISPs, server operators, and end users is not a leap of the imagination.

As noted, spoofing is a huge problem for ISPs, so much so that there are tools such as CAIDA Spoofer available to help.

A few years ago, statistics showed that there were around 30,000 attacks per day. It is almost certain that this number will have increased since the report was published. Furthermore, as was the case with the example in the previous section, delivering spoofed sites over a network brings user trust issues to the fore, along with privacy issues.

Regardless of who you are, there are some risks involved when you are a victim of poisoning and spoofing:

  • As with the Great Firewall of China, you could be subject to censorship. This means that the information you obtain will not be accurate, which has a ripple effect in many social and political arenas.
  • Data theft is a major concern and a lucrative venture for those who wish to obtain users’ banking information and other sensitive data.
  • You might be exposed to malware, including Trojans, on your system. For example, an attacker could plant a keylogger or other spyware on your system through a spoofed site.

There are also other effects related to DNS poisoning. For example, you may not be able to apply any security updates to your system while the recovery process is in full swing. This leaves your computer vulnerable for longer.

Also, consider the cost and complexity of the cleanup process, as it affects everyone along the chain. Higher prices for all connected services are just one of the negatives.

The effort to eliminate DNS poisoning is immense. Since spoofing affects both client-side and server-side configurations, removing it from one doesn’t mean it’s gone from all.

How to prevent DNS poisoning


There are two areas affected by DNS poisoning: the client side and the server side. Let’s take a look at what you can do to prevent this damaging attack on both sides of the coin.

Let’s start with what the Internet as a whole is doing on the server side.

How the Internet tries to prevent server-side DNS poisoning and spoofing


Although we’ve talked a lot about DNS throughout this article, we haven’t yet noted how old the technology is. In short, DNS is not ideal for a modern web browsing experience, for a few reasons. It isn’t encrypted, to begin with, and it lacks some vital validation steps that would stop many DNS poisoning attacks from proceeding.

A quick way to stop attacks from getting a foothold is a simple logging strategy. This performs a simple comparison between the request and the response to see if they match.
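The request-to-response comparison mentioned above, and the lookup flow from earlier, can be shown in code. The following is an added example, not code from the original article or from any resolver: it builds a DNS query in wire format (RFC 1035 header plus question), parses a response, and accepts the response only if its transaction ID, its destination port and its question section all match the outstanding query. Everything is constructed in memory (the name, the transaction ID, the port and the addresses, which come from documentation ranges); nothing is sent on the network.

```python
# Added example (hypothetical helper code, not any resolver's implementation):
# encode a DNS query, decode a response, and check that the response really
# answers the query that was sent. Mismatched replies are discarded.
import struct
from typing import Dict, List, Tuple

QTYPE_A = 1      # IPv4 address record
QCLASS_IN = 1    # Internet class


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Standard query: 12-byte header (RD bit set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply used as test input: QR+RD+RA flags, one question, one A answer
    whose owner name is a compression pointer to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at `offset`, following compression pointers. Returns (name, next_offset)."""
    labels: List[str] = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end


def parse_message(msg: bytes) -> Dict[str, object]:
    """Parse header, first question and any A answers of a query or response."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers: List[str] = []
    for _ in range(ancount):
        _owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "qclass": qclass, "answers": answers}


def response_matches(query: bytes, query_src_port: int,
                     response: bytes, response_dst_port: int) -> bool:
    """The comparison a resolver performs: accept a reply only if it is flagged as a
    response, carries the same transaction ID, arrives on the port the query left
    from, and repeats the same question (name, type, class)."""
    q = parse_message(query)
    r = parse_message(response)
    return (r["is_response"] and r["txid"] == q["txid"]
            and response_dst_port == query_src_port
            and (r["qname"], r["qtype"], r["qclass"]) == (q["qname"], q["qtype"], q["qclass"]))


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: one genuine reply and one stray reply with a different ID."""
    query = build_query(0x1A2B, "www.example.com")
    src_port = 51234  # the resolver's randomly chosen source port (constructed)
    genuine = build_response(0x1A2B, "www.example.com", "203.0.113.10")
    stray = build_response(0x1A2C, "www.example.com", "198.51.100.66")
    return (response_matches(query, src_port, genuine, src_port),
            response_matches(query, src_port, stray, src_port))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Logging every rejected reply alongside the query it failed to match gives the “simple logging strategy” its value: a burst of replies that carry the right question but the wrong transaction ID or port is exactly the signal of a guessing attempt in progress.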

However, the long-term answer (according to experts) is to use Domain Name System Security Extensions (DNSSEC). This is a technology designed to combat DNS poisoning and, in simple terms, it sets different levels of verification.

Digging deeper, DNSSEC uses “public key cryptography” for verification. This is a way of attesting that the data is genuine and trustworthy. The signatures and keys are stored alongside your other DNS information, and the recursive server uses them to verify that none of the information it receives has been tampered with.

Compared to other Internet protocols and technologies, DNSSEC is relatively young, but it is mature enough to be implemented at the root level of the Internet, although it is not yet widespread. Google Public DNS is one service that fully supports DNSSEC, and more are appearing all the time.

Even so, there are still some drawbacks with DNSSEC that are worth pointing out:

  • The protocol does not encrypt responses. This means that attackers can still “eavesdrop” on the traffic, although attacks will have to be more sophisticated to bypass DNSSEC.
  • Because DNSSEC uses additional records to carry its data, there is another weakness called “zone enumeration”. This uses one of those records to “walk” a specific “zone” and collect all the DNS records within it. Some versions of this record obscure the names; others do not yet.
  • DNSSEC is a complex protocol and, since it is also relatively new, it is sometimes misconfigured. Of course, this can erode the benefits of using it and cause more problems down the line.

Still, DNSSEC is the future on the server side, at least. As for you, as the end user, there are also some preventive measures you can take.

How you can prevent client-side DNS poisoning


There are several ways to prevent client-side DNS poisoning, though none alone will be as robust as expertly implemented server-side DNSSEC. Still, there are a few simple boxes you can check as a site owner:

  • Use end-to-end encryption for all requests and responses. Secure Sockets Layer (SSL) certificates do a good job here.
  • Use spoofing detection tools such as XArp. These inspect data packets as they arrive, before they are passed on, which mitigates malicious data transfers.
  • Increasing the time-to-live (TTL) values for your DNS cache will help weed out malicious entries before they can reach end users.
  • Have a good DNS, DHCP and IPAM (DDI) strategy. This covers your DNS setup, Dynamic Host Configuration Protocol, and IP address management. It is a complex but necessary process handled by system administrators and server security experts.

As an end user, there are a few more things you can do to help prevent poisoning and spoofing:

  • Use a virtual private network (VPN), as your data will be encrypted end-to-end. You will also be able to use private DNS servers, again with end-to-end encryption.
  • Take simple precautions, such as not clicking on unrecognized links and performing regular security scans.
  • Flushing your DNS cache regularly also clears malicious data from your system. It’s something that takes a few seconds and is easy to do.


While you can’t eliminate DNS poisoning entirely, you can prevent the worst from happening. As the end user, you don’t have much control over how the server handles attacks. Similarly, system administrators cannot control what happens in the browser. As such, it is a team effort to prevent this most damaging attack from affecting the entire chain.

Summary


Internet attacks are common. DNS poisoning (or spoofing) is a common attack that can affect millions of users if left unchecked. This is because the DNS protocol is old and not suitable for modern web browsing, although there are newer technologies on the horizon.

In short, DNS poisoning redirects an end user to a fraudulent version of an existing website. It is a way to steal data and infect systems with malicious software. There is no foolproof way to completely prevent it, but you can contain it through a few simple measures.

Have you ever been a victim of DNS poisoning or spoofing, and if so, what caused it? Share your experience with us in the comments section below!
