MITM Attack 2: Understanding DNS Spoofing

Jalitha Dewapura
5 min read, May 22, 2021


In the previous blog post, we walked through a MITM attack using ARP poisoning. If you haven’t read that post yet, I suggest you read it before proceeding with this article.

If you are interested in learning about DNS servers and DNS spoofing attacks, this article is for you. Before jumping into DNS spoofing, let me explain what a DNS server does, because if you don’t know the purpose of the DNS server, you won’t understand DNS spoofing.

What is DNS Server

DNS stands for Domain Name System. It is like a telephone directory for the whole internet. You don’t remember every phone number in the book, do you? That’s because it is easier to remember people’s names than a set of numbers.

If DNS servers did not exist, you would have to remember the IP address of every website you want to reach. Sounds weird, right?

Actually, the DNS server’s job is to find the IP address for a particular domain name. For example, say you want to browse google.com: the DNS server finds the IP address of that domain for you. User-friendly, right?

There are four types of DNS servers. Let’s use a library as an analogy to understand these four types.

  1. Recursive resolver — It is the navigator that passes your request on to the root nameservers. It is like a librarian: if you ask for a particular book, he points you to the right section of the library.
  2. Root nameserver — It is the first step in converting human-readable hostnames into IP addresses. It is like the index in a library that points to the different racks of books.
  3. Top Level Domain server (TLD) — This server is responsible for the last portion of a hostname. If the URL is www.example.com, the TLD server is the one for ‘com’. In our example, the library is divided into a few different sections such as mathematics, physics, computer science, etc.
  4. Authoritative nameserver — It is the last step in the nameserver query. If the authoritative nameserver has the requested record, it returns the IP address for the requested hostname back to the recursive resolver. In our example, once you find the book, you go back to the library desk and check it out.

Let’s take a look at the picture to understand the resolver and the root nameserver.

As you can see, this process is a little complex. Therefore, the computer’s operating system maintains a temporary database called the DNS cache. It contains the records of recently visited websites together with their IP addresses, so if you visit the same site again, the cached answer is used instead. Each cached entry expires when its time-to-live (TTL) runs out.

For example, say you visited YouTube yesterday. If you visit YouTube again now, the whole process is not needed, because the IP address of the youtube domain is already in the DNS cache.

If you are a Windows user, you can check what is stored in the DNS cache with this command:

ipconfig /displaydns
My DNS cache at the moment

You can also clear the DNS cache with this command:

ipconfig /flushdns

DNS Poisoning Attack

As I explained before, this is one kind of man-in-the-middle attack. Actually, it is a little difficult, because the attacker also needs to build a fake website that looks exactly like the original one. Let’s see the procedure an attacker may follow.

First, he needs to create a clone of a particular website. This can be a popular site like Facebook, YouTube, Google, etc. For example, assume he created a clone of Facebook.

Next, he needs to insert a fake record into the domain name server. This is possible because DNS responses carry no authentication mechanism of their own.

Now, when a user tries to go to that website, he is redirected to the fake website made by the hacker.

DNS spoofing

If the user doesn’t recognise the site as fake, he may create a new account or log into his existing account. As a result, the hacker obtains the user’s credentials and sensitive information, which may include credit card details, bank details, etc.

Furthermore, the site may include some links. If the user clicks them, viruses, trojans or other malware can be installed on the user’s machine. Nowadays there are tons of viruses, and some encrypt all the information on the computer. Sounds scary, right?
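The two things this attack relies on, replies that nobody authenticates and a cache that keeps whatever lands in it, are exactly what a resolver’s own defences target. As an added example that is not code from the original post, here is a small Python stub resolver that randomises the transaction ID and source port, drops any reply that does not match an outstanding query, ignores records for names it never asked about, and expires cached answers by TTL (the same cache the ipconfig commands above display and flush); the DNS messages are constructed dicts rather than real packets, and the resolver address 192.0.2.53 is a placeholder.

```python
# Added example, not code from the original post: a stub resolver that applies the
# checks real resolvers use against forged replies, plus a TTL-bounded cache of the
# kind ipconfig /displaydns lists. Replies are constructed dicts; 192.0.2.53 is a placeholder.
import secrets
from collections import namedtuple

PendingQuery = namedtuple("PendingQuery", "txid sport qname qtype server")

def norm(name): return name.lower().rstrip(".")  # case- and trailing-dot-insensitive names

class GuardedResolver:
    def __init__(self, server="192.0.2.53"):
        self.server = server
        self.pending = {}   # (txid, sport) -> PendingQuery
        self.cache = {}     # (qname, qtype) -> (rdata list, expiry timestamp)
        self.alerts = []    # what a DNS spoofing detection tool would log

    def send_query(self, qname, qtype="A"):
        # Random 16-bit ID and random source port: a forger has to guess both.
        q = PendingQuery(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512),
                         norm(qname), qtype, self.server)
        self.pending[(q.txid, q.sport)] = q
        return q

    def _drop(self, reason):
        self.alerts.append(reason)
        return False

    def accept_reply(self, reply, now):
        q = self.pending.get((reply["txid"], reply["dport"]))
        if q is None:
            return self._drop("unsolicited reply or wrong txid/port")
        if reply["src"] != q.server:
            return self._drop(f"reply from unexpected source {reply['src']}")
        if (norm(reply["qname"]), reply["qtype"]) != (q.qname, q.qtype):
            return self._drop("question section does not match the query")
        # Keep only records for the queried name; extras for other names (out of bailiwick) are logged and ignored.
        good = [rr for rr in reply["answers"] if norm(rr["name"]) == q.qname]
        if len(good) != len(reply["answers"]):
            self.alerts.append("out-of-bailiwick records ignored")
        if not good:
            return self._drop("no answer records for the queried name")
        ttl = min(rr["ttl"] for rr in good)
        self.cache[(q.qname, q.qtype)] = ([rr["rdata"] for rr in good], now + ttl)
        del self.pending[(q.txid, q.sport)]
        return True

    def lookup(self, qname, now, qtype="A"):
        entry = self.cache.get((norm(qname), qtype))
        return entry[0] if entry and entry[1] > now else None
```

`lookup` returns None once the TTL has passed, which is also what a flushed cache looks like to the client; `alerts` collects the events a detection tool would surface.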

How to prevent DNS Poisoning

As website users, there is little we can contribute. Website owners and service providers must ensure the protection of themselves and their users. Also, the website owner suffers the greater loss in most situations, so they have a responsibility to maintain a secure environment.

Prevention methods on the website owner’s side:

  • Use DNS spoofing detection tools
  • Use DNS Security Extensions (DNSSEC)
  • Use encrypted data transfer protocols

Prevention methods on the website user’s side:

  • Use SSL-certified (HTTPS) websites
  • Regularly scan the computer for malware.
  • Whenever you suspect that you visited a fake website, flush the DNS cache.
  • Use a VPN

That brings us to the end of the blog. I hope you now understand DNS spoofing. If I missed any points, let me know in the comments section. Keep in touch.

Written by Jalitha Dewapura

BSc. (Hons) in Engineering, Software Engineer at Virtusa
