What is DNS Spoofing?

by Bolster Research Labs on April 7, 2022

Domain Name Server (DNS) spoofing is a type of attack in which the DNS records are altered to redirect the online traffic to a spoofed website that resembles the original destination.

On landing the spoofed websites, adversaries can steal sensitive information such as credentials or credit card details depending upon the type of attack. Additionally, viruses, worms, and malwares can also be injected into the victim's machine.

Without understanding how the internet connects you to websites you might be deceived to think that a website is compromised. For a clear explanation understand what is DNS and how it works.

What is DNS?

A domain name system is used to translate the domain into the corresponding IP address. DNS or Domain Name Servers are a collective of four server types that compose the DNS lookup type. The four servers included are the resolving name server, root name server, top-level domain (TLD) name server, and authoritative name server. The resolving name server is designed to query the web server for the targeted IP address of a domain name, this lookup process resides inside the operating system.

How does a DNS Lookup Work?

Here’s how DNS lookup works:-

Sponsorships Available

Your web browser and the operating system try to recall the IP address attached to a particular Domain name, if the IP is previously visited then it can be retrieved from the computer’s internal storage or memory cache.
If neither of the components has the answer, the OS move queries forward to resolving the name server. This query starts searching through a chain of servers to find the answer.
Ultimately, the resolver finds the IP address and delivers it to the OS, which in turn passes it back to the web browser.

DNS Spoofing Attacks

Man-in-the-middle (MITM): With the interception of communication between users and the DNS server, an attacker can lead the users to a malicious IP address.
DNS Server Hijack: The attacker hijacks the DNS server, which is configured to return a malicious IP address.

How do attackers poison DNS cache

DNS cache poisoning is an attack in which false information is entered into the DNS cache so that DNS queries return an incorrect response and users are directed to the wrong websites. DNS cache poisoning is another term used for DNS Spoofing.

The following example will illustrate how DNS cache poisoning works. Suppose an attacker with IP address (192.168.1.100), intercepts a communication between a client IP (192.168.1.150), and a server of ‘www.example.com’ IP address (192.168.1.200).

An attacker poison the DNS cache by querying the IP of ‘example.com’ and then forging the reply with its IP (192.168.1.100). Now the entry for ‘www.example.com’ IP is changed from (192.168.1.200) to (192.168.1.100) in the DNS server.

If the client (192.168.1.150) tries to communicate with the ‘example.com’, the DNS server will reply with the poisoned entry that is the IP of the attacker (192.168.1.100). A fake website hosted on this address will pose as the original one and the user might be deceived to provide the sensitive information.

This attack is possible because the DNS server uses UDP instead of TCP. In TCP both the communication, parties require to perform the ‘handshake’ to initiate the connection whereas in UDP there is no integrity check of the source.

Threats from DNS Spoofing

Data theft – Attackers commonly target banking and e-commerce websites, as they are easily spoofed, meaning the personal information can be compromised.
Halt security update – If spoofed sites include service providers, then it can halt the essential security updates, leaving devices vulnerable to other threats.
Malware infection – With the spoofed redirection attacker the site can affect the visitor with the malwares and viruses.