Difference between revisions of "DNS spoofing"

From CNM Wiki
(Created page with " DNS tampering DNS cache poisoning DNS hijacking DNS redirection")
 
Line 1: Line 1:
    DNS tampering
+
Any [[DNS spoofing]] (alternatively known as [[DNS cache poisoning]], [[DNS tampering]], [[DNS hijacking]], or [[DNS redirection]]; hereinafter, the ''Spoofing'') is the attack against the [[DNS protocol]] that aims to alternate [[IP address]]es cached by [[DNS resolver]]s for a [[DNS record]] of the attacker choice.
    DNS cache poisoning
+
 
    DNS hijacking
+
 
    DNS redirection
+
==Mechanism==
 +
In order to increase speed of DNS resolutions for the end user, as well as to decrease costs for [[Internet service provider]]s ([[Internet service provider|ISP]]), they usually configure their [[nameserver]]s to cache DNS responses for the period defined in the TTL value of the requested record set. This allows for all concurrent requests to be served from the local cache at the [[Internet service provider|ISP]] and not require the series of lookups normally required.
 +
 
 +
This mechanism, however, is the target for the [[DNS spoofing|DNS cache poisoning]] attack. In this attack, the hacker aims to have their [[IP address]] cached by the [[DNS resolver]]s for a [[DNS record]] of their choice.
 +
 
 +
For example, the attacker would seek to have the [[IP address]] of the [[hostname]] "login.example.com" be cached with their own IP address instead of the legitimate IP address. The result of this attack is that anyone using that [[DNS resolver]] (typically most of that ISP's customers) would be loading the site "login.example.com" from the hacker's server rather than the legitimate server. Once this is achieved, the hacker could potentially display a fake login page and harvest users' logins and passwords.
 +
 
 +
==Prevention==
 +
[[DNSSEC]] and [[SSL certificate]]s are two most common tools used to prevent [[DNS spoofing]].
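Review bot: In the new opening sentence, "aims to alternate [[IP address]]es" uses the wrong verb; it should read "aims to alter", and "of the attacker choice" needs the possessive ("of the attacker's choice"). In the Mechanism paragraph that begins "In order to increase speed of DNS resolutions", the pronoun "they" has no clear subject; make the ISPs the subject of the sentence. The Prevention line names [[DNSSEC]] and [[SSL certificate]]s but does not say what each one protects against, so a sentence on each would make the section usable on its own.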

Revision as of 08:22, 6 March 2019

DNS spoofing (alternatively known as DNS cache poisoning, DNS tampering, DNS hijacking, or DNS redirection; hereinafter, the Spoofing) is an attack against the DNS protocol that aims to alter the IP addresses cached by DNS resolvers for a DNS record of the attacker's choice.


Mechanism

To speed up DNS resolution for the end user and to reduce their own costs, Internet service providers (ISPs) usually configure their nameservers to cache DNS responses for the period defined in the TTL value of the requested record set. This allows all concurrent requests to be served from the local cache at the ISP without the series of lookups normally required.

This mechanism, however, is the target of the DNS cache poisoning attack. In this attack, the hacker aims to have their IP address cached by the DNS resolvers for a DNS record of their choice.

For example, the attacker would seek to have the hostname "login.example.com" cached with their own IP address instead of the legitimate IP address. The result of this attack is that anyone using that DNS resolver (typically most of that ISP's customers) would load the site "login.example.com" from the hacker's server rather than from the legitimate server. Once this is achieved, the hacker could potentially display a fake login page and harvest users' logins and passwords.
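
The caching behaviour described above, as an added example that is not part of the original wiki page: a minimal model of a resolver's TTL cache and a monitoring check that compares cached answers with a known-good address list. The class and function names, the TTL values and the addresses (taken from the documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    ip: str
    expires: float  # absolute time (seconds) at which the record leaves the cache

class ResolverCache:
    """Minimal TTL cache, as an ISP nameserver would keep per record set."""
    def __init__(self):
        self.entries = {}

    def store(self, name, ip, ttl, now):
        self.entries[name.lower().rstrip(".")] = Entry(ip, now + ttl)

    def lookup(self, name, now):
        key = name.lower().rstrip(".")
        entry = self.entries.get(key)
        if entry is None or now >= entry.expires:
            self.entries.pop(key, None)  # expired: next query goes upstream again
            return None
        return entry.ip

def audit(cache, known_good, now):
    """Return (name, cached_ip, seconds_left) for live entries whose address
    is not in the operator's known-good set for that hostname."""
    findings = []
    for name, entry in sorted(cache.entries.items()):
        left = entry.expires - now
        if left > 0 and name in known_good and entry.ip not in known_good[name]:
            findings.append((name, entry.ip, left))
    return findings

# Constructed sample data (documentation address ranges, not real hosts).
KNOWN_GOOD = {"login.example.com": {"192.0.2.10"}}

def demo():
    cache = ResolverCache()
    cache.store("login.example.com", "192.0.2.10", ttl=300, now=0)
    clean = audit(cache, KNOWN_GOOD, now=10)
    # Constructed scenario: a forged answer is cached at t=400 with a long TTL.
    cache.store("login.example.com.", "203.0.113.66", ttl=3600, now=400)
    findings = audit(cache, KNOWN_GOOD, now=500)
    # Every client is served the cached address until the TTL runs out.
    served = [cache.lookup("login.example.com", now=t) for t in (500, 3999, 4000)]
    return clean, served, findings
```

The `seconds_left` value in each finding is the remaining exposure window if the entry is not flushed by hand.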

Prevention

DNSSEC and SSL certificates are the two most common tools used to prevent DNS spoofing.