Difference between revisions of "DNS spoofing"

Changes in this revision (wikitext; the introduction, the section headings and the caching paragraph are unchanged between the two revisions):

Previous revision:

This mechanism, however, is the target for the [[DNS spoofing|DNS cache poisoning]] attack. In this attack, the hacker aims to have their [[IP address]] cached by the [[DNS resolver]]s for a [[DNS record]] of their choice.

Current revision:

This mechanism, however, is the target for the [[DNS spoofing]] attacks. In these attacks, the attacker aims legitimate [[DNS resolver]]s to have an attacker's IP address cached as a false [[DNS record]]. For instance, this false record can be an [[A record]] or [[NS record]].

Previous revision:

For example, the attacker would seek to have the [[IP address]] of the [[hostname]] "login.example.com" be cached with their own IP address instead of the legitimate IP address. The result of this attack is that anyone using that [[DNS resolver]] (typically most of that ISP's customers) would be loading the site "login.example.com" from the hacker's server rather than the legitimate server. Once this is achieved, the hacker could potentially display a fake login page and harvest users' logins and passwords.

Current revision:

For example, the attacker would send a fake resolutions to legitimate DNS resolver and seek the attacker's IP address to be cached instead of or in addition to the legitimate IP address. The attacker then could display a fake login page and harvest users' logins and passwords. In the ''Man-In-The-Middle Attack'', the attacker would use the harvested logins and passwords to access the legitimate IP address, so the victim would have regular experience working with familiar resource without knowledge that the attacker is between the victim and the legitimate resource.

Previous revision:

[[DNSSEC]] and [[SSL certificate]]s are two most common tools used to prevent [[DNS spoofing]].

Current revision:

[[DNSSEC]], [[SSL certificate]]s and [[digital signature]]s are most common tools used to prevent [[DNS spoofing]].

Revision as of 13:56, 6 March 2019

DNS spoofing (alternatively known as DNS cache poisoning, DNS tampering, DNS hijacking, or DNS redirection; hereinafter, the Spoofing) is an attack against the DNS protocol that aims to alter the IP addresses cached by DNS resolvers for a DNS record of the attacker's choice.

Mechanism

In order to increase the speed of DNS resolution for the end user, as well as to decrease costs for Internet service providers (ISPs), ISPs usually configure their nameservers to cache DNS responses for the period defined in the TTL value of the requested record set. This allows all subsequent requests during that period to be served from the local cache at the ISP instead of requiring the series of lookups normally needed.

This mechanism, however, is the target of DNS spoofing attacks. In these attacks, the attacker aims to have a legitimate DNS resolver cache the attacker's IP address as a false DNS record. For instance, this false record can be an A record or an NS record.

For example, the attacker would send forged responses to a legitimate DNS resolver, seeking to have the attacker's IP address cached instead of, or in addition to, the legitimate IP address. The attacker could then display a fake login page and harvest users' logins and passwords. In the Man-In-The-Middle Attack, the attacker would use the harvested logins and passwords to access the legitimate IP address, so the victim would have the regular experience of working with a familiar resource, without knowing that the attacker sits between the victim and the legitimate resource.
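The two behaviours described above, TTL-bounded caching and the acceptance of a response into that cache, are easiest to see in a small model. The following Python is an added example, not code from the CNM Wiki page: a toy caching resolver that honours record TTLs and lets a response into its cache only when it matches an outstanding query's transaction ID, source port and question, and that drops records outside the queried zone (a simplified bailiwick rule). Every name, address, transaction ID and clock value below is a constructed sample value, and the `zone` derivation (parent of the queried name) is a simplification assumed for the example; real resolvers apply these checks with considerably more care.

```python
"""Toy model of a caching resolver's defences against spoofed responses.

Added example, not from the CNM Wiki page. Names, addresses, transaction
IDs and the 'now' clock are constructed sample values.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Query:
    txid: int          # 16-bit transaction ID chosen by the resolver
    src_port: int      # UDP source port the resolver sent the query from
    qname: str
    qtype: str         # "A" or "NS" in this toy


@dataclass(frozen=True)
class Answer:
    name: str
    rtype: str
    rdata: str
    ttl: int           # seconds the record may stay cached


@dataclass
class Response:
    txid: int
    dst_port: int      # port the response was addressed to
    qname: str
    qtype: str
    answers: tuple     # records carried in the response


class CachingResolver:
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.pending = {}      # txid -> Query still awaiting a response
        self.cache = {}        # (name, type) -> (rdata, expires_at)
        self.rejected = []     # (reason, detail) pairs, useful for detection logging

    def send_query(self, qname, qtype):
        # Random transaction ID and source port: a forged response must guess both
        # before it is even considered (the entropy RFC 5452 recommends).
        q = Query(self.rng.randrange(1 << 16), self.rng.randrange(1024, 65536), qname, qtype)
        self.pending[q.txid] = q
        return q

    def receive(self, resp, now):
        q = self.pending.get(resp.txid)
        if q is None or q.src_port != resp.dst_port or (q.qname, q.qtype) != (resp.qname, resp.qtype):
            # No outstanding query matches: the response is dropped, not cached.
            self.rejected.append(("no matching outstanding query", resp.txid))
            return False
        zone = q.qname.split(".", 1)[1]   # assumption for the toy: parent of qname is the queried zone
        accepted = 0
        for a in resp.answers:
            # Bailiwick rule: a server answering for example.com may not populate
            # records for unrelated names via the additional section.
            if not (a.name == zone or a.name.endswith("." + zone)):
                self.rejected.append(("out-of-bailiwick record", a.name))
                continue
            self.cache[(a.name, a.rtype)] = (a.rdata, now + a.ttl)
            accepted += 1
        del self.pending[resp.txid]
        return accepted > 0

    def lookup(self, name, rtype, now):
        entry = self.cache.get((name, rtype))
        if entry is None:
            return None
        rdata, expires = entry
        if now >= expires:               # TTL elapsed: entry is evicted, not served
            del self.cache[(name, rtype)]
            return None
        return rdata


def scenario():
    """A mismatched forged response is dropped; the genuine answer is cached until its TTL ends."""
    r = CachingResolver(rng=random.Random(7))   # seeded only so the demo is reproducible
    q = r.send_query("login.example.com", "A")
    forged = Response(txid=(q.txid + 1) & 0xFFFF, dst_port=q.src_port, qname=q.qname, qtype="A",
                      answers=(Answer("login.example.com", "A", "203.0.113.66", 86400),))
    forged_ok = r.receive(forged, now=0)
    genuine = Response(txid=q.txid, dst_port=q.src_port, qname=q.qname, qtype="A",
                       answers=(Answer("login.example.com", "A", "198.51.100.10", 300),
                                Answer("www.other.test", "A", "203.0.113.66", 86400)))
    genuine_ok = r.receive(genuine, now=0)
    return {
        "forged_accepted": forged_ok,
        "genuine_accepted": genuine_ok,
        "cached_now": r.lookup("login.example.com", "A", now=10),
        "cached_after_ttl": r.lookup("login.example.com", "A", now=300),
        "poison_via_additional": r.lookup("www.other.test", "A", now=10),
        "rejections": [reason for reason, _ in r.rejected],
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `rejected` list is the part a defender would wire to logging: a burst of responses that match no outstanding query, or records arriving outside the queried zone, is the observable side of a spoofing attempt against the cache.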

Prevention

DNSSEC, SSL certificates and digital signatures are the most common tools used to prevent DNS spoofing.