DNS Spoofing

    Mimecast Web Security adds monitoring and security at the DNS layer to stop DNS spoofing, DNS cache poisoning, malware and other malicious web activity.
    Overview

    What is DNS spoofing?

    Domain Name System (DNS) spoofing, also commonly referred to as DNS cache poisoning, is a cyberattack in which DNS records or DNS traffic are intercepted and altered in order to route users to a different IP address.

    In a spoofing attack, traffic intended for legitimate servers is rerouted to fraudulent sites that may look like the valid site the end user was trying to reach. These attacks can happen seamlessly, without giving the user any indication of what is happening.

    When the user arrives at the fake site, they may be prompted to enter their login credentials or reveal sensitive data like credit card data, bank account numbers and Social Security information.

    Attackers can then use this information to steal money, data and identities, or to access corporate networks to launch other attacks.

    Once a DNS record has been spoofed, the attacker can install worms or viruses on a user's computer, giving the attacker unfettered access to the data the user provides.

    How does DNS spoofing work?

    To fully understand how DNS spoofing works, it is helpful to have an understanding of how the internet routes users to websites.

    Every server has its own unique identifier, called an internet protocol (IP) address, which consists of a series of numbers. Each IP address is mapped to a corresponding domain name (www.example.com), and that mapping is what routes users to the website.

    To spoof DNS, cyberattackers find and exploit weaknesses in this resolution process to redirect traffic to an illegitimate IP address and a fake website.

    3 different methods of DNS cache poisoning

    There are several types of DNS spoofing, but three of the most common ones are:

    — Man-in-the-middle duping: The attacker gets between your browser and the DNS server and uses a tool to poison both your local device's cache and the DNS server at the same time. The result is a redirect to a malicious site hosted on the attacker's local server.

    — DNS cache poisoning by spam: URLs included in spam emails and in banner ads on untrustworthy websites are compromised with a virus. When the user clicks the URL, their computer is infected with the virus hosted at the malicious URL. Once infected, the user's device routes to fake websites that look like the real thing.

    — DNS server hijack: The attacker reconfigures the server to direct all traffic to the spoofed domain.

    The dangers of DNS spoofing

    DNS attacks account for 91% of malware attacks, and one out of every 13 web requests leads to malware.

    Risks include:

    — Data theft

    — Malware infection

    — Censorship

    — Halted security updates that may expose your device to additional threats.

    Despite the dangers of DNS spoofing and other malicious activity, most organizations don't monitor their DNS activity at all. Yet the rise of DNS spoofing and other DNS-related attacks makes it clear that organizations must deploy anti-spoofing solutions as well as monitoring technology that provides insight into what is happening at the DNS layer.

    How web security works

    When a user initiates a request to access the Internet by entering an address in the browser or clicking a link in an email or website, a DNS request is forwarded to the Mimecast web security service. As Mimecast inspects and resolves the DNS request, acceptable use policies established by the organization are applied to the request, blocking access to content that is deemed inappropriate for business use. At the same time, the target website is scanned for malicious content. If the site is determined to be safe, the user is granted immediate access. But if the site is deemed to be suspicious or malicious, Mimecast blocks access to the site and the user is notified via a message in the browser about the reason why.
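The flow described above, reduced to a runnable sketch. This is an added example and not Mimecast's code: it pulls the question out of a raw DNS query, applies an acceptable use policy by content category, consults a threat verdict for the target site, and returns an allow or block decision together with the message the user would see in the browser. The category map, threat verdicts, address table and blocked-category policy are constructed for the demo; a real service would replace them with live data and actual resolution. The parser also rejects truncated or malformed queries rather than guessing at a name.

```python
"""Added example (not Mimecast's code): a minimal DNS-layer web filter."""
import struct
from dataclasses import dataclass
from typing import Optional

# --- constructed data standing in for the service's feeds (assumptions) -----
CATEGORIES = {
    "intranet.example.com": "business",
    "games.example.net": "gaming",
    "login-example.test": "uncategorized",
}
THREAT_VERDICTS = {"login-example.test": "malicious"}       # results of scanning the target site
ADDRESSES = {"intranet.example.com": "203.0.113.10", "games.example.net": "203.0.113.20"}
BLOCKED_CATEGORIES = {"gaming", "gambling"}                 # the organization's acceptable use policy


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard A/IN query for `name`; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_question(packet: bytes):
    """Return (txid, qname, qtype) from a DNS query; raise ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:                       # root label ends the name
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length")   # also rejects compression pointers in a query
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype


@dataclass
class Decision:
    qname: str
    allowed: bool
    reason: str                  # text shown to the user in the browser when blocked
    address: Optional[str] = None


def filter_query(packet: bytes, blocked_categories=BLOCKED_CATEGORIES) -> Decision:
    """Policy first, then the site scan verdict, then resolution; block with a reason on any failure."""
    try:
        _txid, qname, _qtype = parse_question(packet)
    except ValueError as exc:
        return Decision("", False, f"malformed DNS query rejected: {exc}")
    category = CATEGORIES.get(qname, "uncategorized")
    if category in blocked_categories:
        return Decision(qname, False, f"Blocked by acceptable use policy (category: {category})")
    verdict = THREAT_VERDICTS.get(qname, "clean")
    if verdict != "clean":
        return Decision(qname, False, f"Blocked: site scanned as {verdict}")
    address = ADDRESSES.get(qname)
    if address is None:
        return Decision(qname, False, "No such name (NXDOMAIN)")
    return Decision(qname, True, "Allowed", address)


if __name__ == "__main__":
    for name in ("intranet.example.com", "games.example.net", "login-example.test"):
        print(filter_query(build_query(name)))
```

Policy is evaluated before the threat verdict so that a request already disallowed by the organization is never forwarded, and the decision carries the reason string so the browser notification is produced from the same object that made the decision.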

    Examples of DNS spoofing & DNS cache poisoning attacks

    Cyberattackers are continually employing more sophisticated tactics to carry out DNS spoofing. Though no two attacks are exactly the same, a DNS spoofing scenario could look something like this:

    1. The attacker intercepts communication between a client and a server computer belonging to the targeted website.

    2. Using a tool such as arpspoof, the attacker dupes both the client and the server into following a malicious IP address that routes to the attacker's server.

    3. The attacker creates a fake website that the malicious IP address routes users to, in an attempt to obtain sensitive information.


    DNS Spoofing FAQs

    DNS refers to the Domain Name System (or Domain Name Server), which translates domain names that people can read into IP addresses that machines use. Every device connected to the Internet has a unique IP address that enables other machines to find it. DNS eliminates the need for users to memorize long, complex IP addresses, letting them use simpler domain names instead.

    The best way to detect DNS cache poisoning is to use a data analytics solution to monitor DNS behavior. Signals that can indicate DNS poisoning include:

    — An increase in DNS activity from a single source that queries your DNS server for multiple domain names without receiving answers.
    — An abnormal increase in DNS activity from a single source to a single domain.
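The two signals above, checked over resolver query logs. This is an added example, not Mimecast's code: a source that asks for many different names that never resolve (NXDOMAIN), and a source that hammers a single domain, each raise an alert. The `timestamp source qname rcode` log format, the 60-second window and the thresholds are assumptions chosen for the demo, and the log lines are constructed; tune the thresholds to your own baseline before using the logic on real data.

```python
"""Added example (not Mimecast's code): flag the two DNS-log signals over constructed logs."""
from collections import Counter, defaultdict
from datetime import datetime


def build_sample_log() -> str:
    """Construct sample lines in an assumed '<timestamp> <source> <qname> <rcode>' format."""
    lines = [
        "2024-01-01T10:00:00 10.0.0.5 intranet.example.com NOERROR",
        "2024-01-01T10:00:01 10.0.0.5 mail.example.com NOERROR",
    ]
    # one source asking for 12 different names, none of which exist
    lines += [f"2024-01-01T10:00:{i:02d} 10.0.0.9 host-{i:02d}.example.com NXDOMAIN"
              for i in range(12)]
    # one source querying the same domain 30 times within 30 seconds
    lines += [f"2024-01-01T10:00:{i:02d} 10.0.0.7 bank.example.net NOERROR"
              for i in range(30)]
    return "\n".join(lines)


def parse_log(text: str):
    """Parse lines into (timestamp, source, qname, rcode) tuples; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, qname, rcode = parts
        records.append((datetime.fromisoformat(ts), src,
                        qname.lower().rstrip("."), rcode.upper()))
    return records


def detect(records, window_seconds=60, unresolved_names_threshold=10, single_domain_threshold=25):
    """Group queries per (source, time window) and flag the two patterns described in the text."""
    buckets = defaultdict(list)
    for ts, src, qname, rcode in records:
        buckets[(src, int(ts.timestamp()) // window_seconds)].append((qname, rcode))
    alerts = []
    for (src, _bucket), queries in buckets.items():
        # signal 1: many distinct names queried from one source, none of them answered
        unresolved = {q for q, rc in queries if rc == "NXDOMAIN"}
        if len(unresolved) >= unresolved_names_threshold:
            alerts.append({"source": src, "signal": "many_unresolved_names",
                           "count": len(unresolved)})
        # signal 2: abnormal volume from one source to a single domain
        for qname, n in Counter(q for q, _ in queries).items():
            if n >= single_domain_threshold:
                alerts.append({"source": src, "signal": "single_domain_burst",
                               "qname": qname, "count": n})
    return alerts


def run_demo():
    """Run the detector over the constructed log and return the alerts."""
    return detect(parse_log(build_sample_log()))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The normal client (10.0.0.5) produces no alert, which is the property to keep when tuning: raise the thresholds until ordinary workstation traffic in your own logs stays quiet, then investigate what remains.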
    Precautions that reduce the risk of DNS spoofing:

    1. Don't click on unfamiliar links.
    2. Flush your DNS cache to purge any infected data.
    3. Use a Virtual Private Network (VPN) to channel all your web traffic through end-to-end encrypted servers.
    4. Check your URL address bar for misspellings to ensure you are being directed to the right site.