MITM Attack 2: Understanding DNS Spoofing

In the previous blog post, we walked through a MITM attack using ARP poisoning. If you haven't read that post yet, I suggest you read it before proceeding with this article.

If you are interested in learning about DNS servers and DNS spoofing attacks, this article is for you. Before jumping into DNS spoofing, let me explain what a DNS server does, because without understanding the purpose of DNS you won't understand DNS spoofing.

What is a DNS Server

DNS stands for Domain Name System. It is like a telephone book for the whole internet. You don't remember every phone number in the book, do you? It's easier to remember people's names than a set of numbers.

If DNS servers did not exist, you would have to remember the IP address of every website you want to reach. Sounds painful, right?

The DNS server's job is to find the IP address for a particular domain name. For example, when you want to browse google.com, your computer asks a DNS server for the IP address of that domain, and the browser then connects to that address. User-friendly, right?

There are four types of DNS servers involved in a lookup: the recursive resolver (the one your machine is configured to ask, usually run by your ISP or a public provider), the root nameserver, the TLD (top-level domain) nameserver and the authoritative nameserver for the domain. Let's take a library as an example to understand these four types.

[Picture: the resolver and the root nameserver] The resolver does the legwork on your behalf: it asks a root nameserver, which points it to the TLD nameserver (for example, the one for .com), which in turn points it to the authoritative nameserver that actually holds the record for the domain.

As you can see, this process is a little complex, so the operating system keeps a temporary database called the DNS cache. It contains the records of recently visited websites with their IP addresses. If you visit the same site again, the answer comes from the cache instead of a fresh lookup. Each cached record expires when its TTL (time to live), a value set by the domain's authoritative server and carried in the response, runs out.

For example, if you visited YouTube yesterday and visit it again now, the whole process is not needed, because the IP address of the youtube.com domain is already in the DNS cache (as long as the record has not expired).

If you are a Windows user, you can check what's stored in the DNS cache with this command:

ipconfig /displaydns
[Screenshot: my DNS cache at the moment]

You can also clear the DNS cache with the command below. After a poisoning incident this is the quickest way to throw away a bad record without waiting for its TTL to expire.

ipconfig /flushdns

DNS Poisoning Attack

As I explained before, this is one kind of man-in-the-middle attack. It takes more effort than ARP poisoning alone, because the attacker also needs to build a fake website that looks exactly like the original one. Let's look at the procedure an attacker may follow.

First, he creates a clone of a particular website. The target is usually a popular site such as Facebook, YouTube or Google. For example, assume he created a clone of Facebook and hosts it on a machine he controls.

Next, he needs to get a false record for facebook.com into the victim's lookup path: either the victim machine's own DNS cache or the resolver it uses. This is possible because plain DNS responses carry no authentication. A resolver accepts the first reply whose transaction ID, source port and question match the query it sent, so an attacker who can see the query (for example, after ARP poisoning, as in the previous post) simply answers before the real server does; an off-path attacker has to guess the ID and port and race the genuine reply. DNSSEC adds signatures that let a validating resolver reject a forged answer, but many resolvers, and the stub resolver in the operating system, do not validate.

Now when a user tries to go to the website, the poisoned record sends him to the fake site built by the hacker instead of the real one.

[Diagram: DNS spoofing]
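To make the two points above concrete (why a cached answer is reused until its TTL runs out, and why a forged reply is accepted when nothing authenticates it), here is a small Python model of what the OS stub resolver does. This is an added example, not code from the original post; the transaction ID, the domain and the addresses (taken from the reserved documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are all made up, and the packets are built in memory rather than sent on the wire.

```python
import struct

# Constructed sample values for this example; nothing here is captured traffic.
# 192.0.2.0/24 and 198.51.100.0/24 are reserved documentation address ranges.
TXID = 0x1A2B                  # transaction ID the victim picked for its query
QNAME = "facebook.com"
REAL_IP = "192.0.2.10"         # stands in for the site's genuine address
ATTACKER_IP = "198.51.100.66"  # where the attacker hosts the cloned site


def encode_name(name):
    """Domain name in wire format: length-prefixed labels ending with a zero byte."""
    labels = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return labels + b"\x00"


def build_query(txid, name):
    """Standard A-record query: 12-byte header (RD flag set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_answer(txid, name, ip, ttl):
    """Response with one A record. Anyone who knows the txid can forge one of these."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    record = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + record


def parse_response(data):
    """Return (txid, name, ip, ttl) from a single-answer A response built as above."""
    txid = struct.unpack("!H", data[:2])[0]
    pos, labels = 12, []
    while data[pos] != 0:
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    pos += 1 + 4 + 2          # name terminator, QTYPE/QCLASS, compression pointer
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    ip = ".".join(str(b) for b in data[pos:pos + rdlen])
    return txid, ".".join(labels), ip, ttl


class StubResolver:
    """Models the OS stub resolver: send a query, accept the first matching reply, cache it."""

    def __init__(self):
        self.cache = {}       # name -> (ip, expiry time)
        self.pending = {}     # txid -> name of the outstanding query

    def lookup(self, name, txid, now):
        """Return the cached IP, or None after registering a new outstanding query."""
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0]
        self.pending[txid] = name
        return None

    def receive(self, data, now):
        """Accept a reply only if txid and question match. Nothing proves who sent it."""
        txid, name, ip, ttl = parse_response(data)
        if self.pending.get(txid) != name:
            return False
        del self.pending[txid]
        self.cache[name] = (ip, now + ttl)
        return True

    def flush(self):
        """The equivalent of `ipconfig /flushdns`."""
        self.cache.clear()


def demo():
    """Walk through the poisoning: one forged reply, then every lookup goes to the attacker."""
    r = StubResolver()
    results = {}
    r.lookup(QNAME, TXID, now=0)                                     # cache miss, query goes out
    results["wrong_txid"] = r.receive(build_answer(TXID ^ 1, QNAME, ATTACKER_IP, 60), now=0)
    results["spoofed"] = r.receive(build_answer(TXID, QNAME, ATTACKER_IP, 86400), now=0)
    results["genuine_late"] = r.receive(build_answer(TXID, QNAME, REAL_IP, 300), now=0.05)
    results["an_hour_later"] = r.lookup(QNAME, TXID + 1, now=3600)   # served from poisoned cache
    results["after_ttl"] = r.lookup(QNAME, TXID + 2, now=90000)      # expired: miss, fresh query
    r.receive(build_answer(TXID + 2, QNAME, ATTACKER_IP, 86400), now=90000)  # attacker wins again
    r.flush()                                                        # user runs ipconfig /flushdns
    results["after_flush"] = r.lookup(QNAME, TXID + 3, now=90001)    # miss: bad record is gone
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>14}: {outcome}")
```

The forged reply with the wrong transaction ID is dropped, the one with the right ID is accepted even though it came from the attacker, and the genuine answer that arrives a few milliseconds later is ignored because nothing is pending any more. From then on every lookup is served from the cache for the full attacker-chosen TTL, which is why a long TTL in the forged record is so valuable to him and why flushing the cache is the immediate fix on the victim side. The model leaves out source-port randomisation, which real resolvers use to make off-path guessing harder; it changes the odds of the race, not the fact that a correct guess is accepted without any proof of origin.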

If the user doesn't recognise the site as fake, he may create a new account or log in to his existing one. As a result, the hacker obtains the user's credentials and any sensitive information entered on the page, which may include credit card details, bank details and so on.

Furthermore, the fake site may include links that install viruses, trojans or other malware on the user's machine when clicked. Nowadays there are tons of them, and some (ransomware) encrypt all the information on the computer. Sounds scary, right?

How to prevent DNS Poisoning

As website users, there is not much we can do. Website owners and service providers must take care of protecting themselves and their users, and since the website owner usually suffers the larger loss, they have a responsibility to maintain a secure environment. Two measures matter most: signing the domain's DNS records with DNSSEC, so that validating resolvers can reject forged answers, and serving the site only over HTTPS (with HSTS), because a clone hosted at a spoofed address cannot present a valid certificate for the real domain name, so the browser warns the user before any credentials are typed.

Prevention methods from the website owner's side:

Prevention methods from the website user's side:

That brings us to the end of the blog. I hope you now understand DNS spoofing. If I missed some points, let me know in the comment section. Keep in touch.

BSc. (Hons) in Engineering, Associate Software Engineer at Virtusa