
DNS Poisoning

m5kro
CyberScribers


DNS poisoning is the act of intercepting DNS requests and sending spoofed responses. This is possible because most DNS requests are sent in plaintext, making them easy to intercept. These attacks are actually quite common, as most routers use the technique to censor adult websites on devices. In this article, we’ll go over ways to perform the attack and how to protect yourself from it.

Attacks

Method 1

Example From a tp-link Router

Most routers come with a “block adult websites” function. These services usually use DNS poisoning and allow you to set which websites to block on the network. This is the simplest way to perform the attack and it has the added benefit of being persistent. But what if you don’t have access to the router’s admin panel?

Method 2


This method does not use the router’s admin panel. It only requires you to be connected to the same network as your victim. By ARP spoofing your target, you can modify the DNS requests and responses, as they are in plaintext. To do all of this, you can use a tool like Bettercap.

Bettercap instructions:

set dns.spoof.domains [domains separated by commas here]

set dns.spoof.address [one IP address here]

dns.spoof on

arp.spoof on

These are just a few basic commands to spoof a few domains to one IP address. To map different domains to individual IP addresses, use a hosts file and the command:

set dns.spoof.hosts [path to hosts file]

To reply to all DNS requests do:

set dns.spoof.all true

Protection

Method 1

Example Setup on Windows 11

Simply changing your DNS settings is enough to prevent router-based poisoning. This works because the router carries out the attack by acting as the DNS server, which requires the target's DNS settings to point to the router’s IP address. However, attack method 2 will still be able to poison the target, as it intercepts all requests and spoofs them.
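Because attack method 2 depends on ARP spoofing, a host can notice it by checking whether one MAC address answers for both the gateway and another IPv4 address. The following is an added example, not part of the original article: it assumes Linux `ip neigh` output, a gateway at 192.168.1.1, and hypothetical function names, and the sample table is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Linux `ip neigh` output (not captured from a real network).
# Assumption: 192.168.1.1 is the default gateway.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3c:52:82:aa:bb:cc REACHABLE
192.168.1.23 dev wlan0 lladdr 3c:52:82:aa:bb:cc STALE
192.168.1.40 dev wlan0 lladdr a4:5e:60:11:22:33 REACHABLE
192.168.1.77 dev wlan0  FAILED
fe80::1 dev wlan0 lladdr 10:da:43:00:00:01 router STALE
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {(iface, mac): set of IPv4 addresses} from `ip neigh` output."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no lladdr
        ip, iface, mac = m.groups()
        if ":" in ip:
            continue  # skip IPv6: one MAC normally holds several v6 addresses
        table[(iface, mac.lower())].add(ip)
    return table

def find_arp_conflicts(text, gateway_ip):
    """List MACs that answer for more than one IPv4 address on an interface."""
    findings = []
    for (iface, mac), ips in sorted(parse_neigh(text).items()):
        if len(ips) > 1:
            findings.append({
                "iface": iface, "mac": mac, "ips": sorted(ips),
                # A MAC shared with the gateway is the trace ARP spoofing leaves.
                "involves_gateway": gateway_ip in ips,
            })
    return findings

if __name__ == "__main__":
    for f in find_arp_conflicts(SAMPLE_NEIGH, "192.168.1.1"):
        level = "ALERT" if f["involves_gateway"] else "note"
        print(f"{level}: {f['mac']} on {f['iface']} claims {', '.join(f['ips'])}")
```

A shared MAC that does not involve the gateway can be legitimate (a host with several addresses, or proxy ARP), so only the gateway case is raised as an alert.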

Method 2

Example Setup on Windows 11

DNS over HTTPS (DoH) protects against poisoning by sending all DNS requests over an HTTPS-encrypted tunnel. This prevents any interception or modification of the requests and responses, protecting from both attack methods.

Method 3

VPNs can also protect you from DNS attacks. VPNs reroute all traffic through an encrypted tunnel, including DNS requests. This prevents both attack methods from working, but VPNs also come with some risks. To protect against attack method 1, the VPN needs to intercept the requests and reroute them to a different server. This means the VPN server can perform attack method 2, or see any other plaintext data you send.

This article is NOT sponsored by any VPN services.

DNS poisoning attacks are quite easy to prevent nowadays, but many still fall victim to them as the protections are not enabled by default. Attackers can redirect targets to phishing websites, stealing passwords and other sensitive data. Thankfully, HTTPS also provides protection from such attacks, meaning most people are safe from falling victim to them.
