DNS Vs DNS Spoofing

Arshad Suraj
Published in Nerd For Tech
8 min read · May 21, 2021
Image by Google

To understand DNS spoofing, we first need a good understanding of DNS servers and how they work.

How does the Internet work? (Overview)

Every device in the world that is connected to the internet has a unique IP address. An IP address is a unique address that identifies a device on the internet or on a local network. The term IP (Internet Protocol) refers to the collection of rules that govern the format of data transmitted over the internet or a local network.

If you are currently connected to the internet, you too have a unique IP address. Enter the following command in the command prompt (CMD) to find your IP address on a Windows computer.

ipconfig
Output of the ipconfig command

Just like our devices, the servers that provide services to clients also have their own unique IP addresses.

For example, when we try to access Facebook through the internet, our local machine sends our request to Facebook’s IP address, and Facebook sends its response back to our device’s IP address.

This is how two devices communicate with each other over the internet or a local network.

Now the following questions may arise:

  1. Do we need to memorize each server’s IP address in order to access it?
  2. We can access a website simply by entering its URL, even if we don’t know its IP address. How does that happen?

To answer these questions, we need to look at domain names, DNS, and DNS servers. So, let’s take a look at each:

Domain name

A domain name is a text string that represents an IP address.

For example: www.facebook.com

Humans use domain names to remember, identify, and connect to a particular website’s server, since IP addresses are difficult to remember.

For example, the domain “www.facebook.com” represents Facebook’s IP address, which is 69.63.176.13.

Domain name system (DNS)

DNS is used to translate a domain name into the IP address that the domain name represents.

Domain name system servers (DNS servers)

DNS lookups are performed by four types of server that work together: the resolving name server, the root name servers, the top-level domain (TLD) name servers, and the authoritative name servers.

How does DNS work?

Resolving a domain name goes through several stages. Let’s understand this with an example.

Assume you need to access www.abc.com. You type www.abc.com into your browser’s URL bar and press Enter.

Step 1

Before going outside, your computer checks its local DNS cache to see if the IP address for abc.com has already been resolved.

What is DNS cache?

Every computer has a DNS cache that stores the results of recent DNS requests. The IP address of each server we visited recently is stored here alongside its domain name. These records are temporary: once a record’s TTL (Time To Live) expires, that record is deleted.

To view the records in your local DNS cache on a Windows computer, enter the following command in CMD:

ipconfig /displaydns
Output of the command ipconfig /displaydns

To delete all records in the local DNS cache, use the following command:

ipconfig /flushdns

Now let’s come back to our example.

DNS lookup from local cache

If the DNS cache contains the IP address of abc.com, the browser gets the IP address from there and connects to abc.com directly by sending data to the server’s IP address.

If the IP address of abc.com is not found in the local DNS cache, the browser sends a request to a Resolving Name Server asking for the IP address of abc.com. The Resolving Name Server is typically provided by your ISP (Internet Service Provider).

Step 2

When the Resolving Name Server receives a request, it searches its cached records for the requested IP address. If the IP address is found there, the browser retrieves it from the Resolving Name Server and connects to the website; the browser also saves the record in its own DNS cache for future requests.

If the IP address is not found there, a few more steps are needed.

Step 3

When the Resolving Server does not have the IP address, it sends the request to a Root domain name server.

What is a Root domain name server?

Root servers do not map domain names to IP addresses. Rather, they keep track of all top-level domain (TLD) name servers and point to their locations.

In our example, the top-level domain of “abc.com” is “.com”. Therefore, the root server returns the details of the TLD server responsible for the “.com” domain to the Resolving Name Server.

Once the Resolving Name Server knows the appropriate TLD server, it sends a request to that TLD server.

What is a TLD (Top Level Domain) server?

TLD servers store information about second-level domains. The TLD server returns the details of the appropriate Authoritative nameserver, which may hold the IP address of the website we are attempting to access.

So, in our example, the TLD server returns the details of the Authoritative nameserver that may hold the IP address of abc.com.

Once the Resolving Name Server knows the appropriate Authoritative nameserver, it sends a request to that Authoritative nameserver asking for the IP address of abc.com.

What is an Authoritative Name Server?

Authoritative servers are the final destination of DNS lookup requests. They store the IP addresses that correspond to domain names, so they return the IP address of the website we are trying to access to the Resolving Name Server.

In our example, if the Authoritative Name Server finds the IP address of abc.com, it sends the IP address to the Resolving Name Server. The Resolving Name Server saves the IP address in its cache and sends it to our local computer. Our computer also saves the IP address in its DNS cache and displays abc.com by connecting directly to the received IP address.

How DNS works

What is DNS Spoofing?

DNS spoofing is a form of cyber-attack that diverts online traffic to a fraudulent website. An attacker performs this by modifying DNS records: attackers gain access to a DNS server or a DNS cache and replace the real IP address in a record with the IP address of a fake website. As a result, when a user tries to access a website using its domain name, the user lands on the attacker’s fraudulent website instead of the real one.

DNS spoofing is very difficult to detect because the attacker’s fake website will look identical to the original website that the user is trying to access.

Types of DNS Spoofing Attacks

DNS cache poisoning

DNS cache poisoning is a user-end form of DNS spoofing, in which your own system records the fraudulent IP address in its local cache. As a result, it targets only you and sends you to the fraudulent site, even if the issue has been resolved, or never existed, on the server end.

DNS cache poisoning

DNS server hijacking

In DNS server hijacking, the attacker directly modifies the DNS server’s records in order to redirect all requesting users to the malicious website. Once a fake DNS entry is injected into the DNS server, any request for the spoofed domain will land on the fraudulent website.

DNS server hijacking
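The lookup chain from Steps 1 to 3 above, and the cache-poisoning outcome just described, as an added Python model that is not part of the original article: the zone data, server names and IP addresses are constructed, the resolver is a toy, and `cache_matches_authoritative` is an illustrative defender’s comparison rather than a real tool.

```python
import time

# Constructed zone data: root knows the TLD servers, each TLD server knows the
# authoritative server for its second-level domains, and authoritative servers
# hold the A records as (ip, ttl_seconds). None of these are real.
ROOT = {"com": "com-tld"}
TLD = {"com-tld": {"abc.com": "abc-auth"}}
AUTH = {"abc-auth": {"www.abc.com": ("203.0.113.10", 300)}}


def walk_hierarchy(name):
    """Step 3 of the article: ask root, then the TLD server, then the authoritative
    server. Returns (ip, ttl, trace); trace lists the servers queried in order."""
    labels = name.split(".")
    tld_server = ROOT[labels[-1]]
    auth_server = TLD[tld_server][".".join(labels[-2:])]
    ip, ttl = AUTH[auth_server][name]
    return ip, ttl, ["root", tld_server, auth_server]


class ResolvingServer:
    """The ISP resolver of Steps 2 and 3, with a TTL-bounded cache."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so TTL expiry can be simulated in tests
        self.cache = {}     # name -> (ip, absolute expiry time)

    def resolve(self, name):
        """Return (ip, trace); an empty trace means the answer came from cache."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], []
        ip, ttl, trace = walk_hierarchy(name)
        self.cache[name] = (ip, now + ttl)  # served from cache until the TTL runs out
        return ip, trace

    def flush(self):
        """What ipconfig /flushdns does for a local cache: drop every record,
        poisoned ones included, so the next lookup walks the hierarchy again."""
        self.cache.clear()


def cache_matches_authoritative(server, name):
    """Defender's check: a cached answer that disagrees with the authoritative
    record points to a poisoned (or stale) entry. An empty cache passes."""
    hit = server.cache.get(name)
    return hit is None or hit[0] == walk_hierarchy(name)[0]
```

A poisoned entry is served for as long as its TTL says, which is why the article’s advice to flush the cache works: after `flush()` the next lookup goes back to the authoritative server.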

Impact of DNS Spoofing

  • A user’s confidential data may be stolen by the attacker, since the user may submit that data believing the fake website is the real one.
  • Another common threat associated with DNS spoofing is malware infection. The attack may redirect you to a site that automatically starts malicious downloads, and downloads are a quick and easy way to infect your computer. If you don’t use internet protection, you’re vulnerable to threats such as spyware, keyloggers, and worms.

How to Prevent DNS Spoofing

Prevention Tips for Website Owners and DNS Server Providers

  • Using DNS spoofing detection tools: these tools continuously scan all data received before responses are sent.
  • Using Domain Name System Security Extensions (DNSSEC): DNSSEC is a collection of protocols that adds an extra layer of protection to the DNS lookup and exchange processes, making DNS lookups authentic and spoof-free.
  • Using end-to-end encryption: since attackers cannot decrypt the data, they cannot alter it.

Prevention Tips for Users

  • Flush your DNS cache (if you suspect you are a victim): until you clear out the poisoned records, cache poisoning can remain on your device for a long time. To flush your DNS cache on a Windows computer, use the following command in CMD: ipconfig /flushdns
  • Use a virtual private network (VPN): a VPN provides you with private DNS servers that use end-to-end encrypted requests. In other words, it can give you spoof-free DNS lookups.

Keep Learning ❤️
