All You Need to Know About DNS Spoofing to Keep Your Organization Safe
What is DNS spoofing and how can you prevent it?
The DNS was never designed to be secure. It was created in the 1980s, when the Internet was still a novelty and security was not a design priority. Over time, malicious actors have taken advantage of this and developed elaborate attack techniques that leverage the DNS, such as DNS spoofing.
What is DNS spoofing?
DNS spoofing is a cyber-attack in which forged data is introduced into a DNS resolver’s cache, causing the resolver to return an incorrect IP address for a domain name. In other words, these attacks exploit weaknesses in the DNS protocol and in name servers to redirect traffic towards illegitimate websites. But before diving into DNS spoofing itself, let’s take a look at how the DNS works and what DNS security involves.
DNS stands for Domain Name System. In short, it is a distributed database that provides information about domain names. The DNS is hierarchical: a single domain at the top, called the root, has the top-level domains below it, and these split the namespace into different segments. Figuratively speaking, DNS is commonly described as the phonebook of the Internet, as it translates domain names to IP addresses. Another metaphor often used for DNS is a tree:
DNS has a root, and the various Top-Level Domains (TLDs) are similar to branches that shoot off the root. Each branch has small branches, which are Second Level Domains, and the leaves are Fully Qualified Domain Names (FQDNs), sometimes referred to as hostnames. Do not get the idea that this tree is a peaceful Palm Tree or a strong Oak. This is a monstrosity of a tree, planted in cement with roots ensnarling each other and branches spread in every direction, that often feels like it is held together by force of will more than anything else. If DNS is a tree, it is more like the Banyan Tree, in Lahaina, Maui. – An extract from “DNS Security: Defending the Domain Name System” by Allan Liska & Geoffrey Stowe
Before I go into more detail, I will try to summarize how the DNS resolution process works.
Let’s say a user types a web address into the browser.
First, the operating system’s stub resolver checks its local cache (and the hosts file) for the IP address. If the name is not there, it asks the configured DNS resolver to provide an answer. The resolver may answer from its own cache, or it may resolve the name on the client’s behalf by querying other servers one at a time (the recursive and iterative sides of resolution – a topic for another time).
What are DNS resolvers?
When a user tries to access a website, the operating system sends a request to a DNS resolver. The resolver answers with the IP address, which it obtains from the authoritative name servers for the domain (or from its own cache), and the browser then connects to the web server at that address and loads the website. In essence, DNS resolvers find the IP addresses associated with domain names. Simply put, they translate website addresses like “heimdalsecurity.com”, which people can easily read, into numerical IP addresses, which would be almost impossible for us to learn by heart.
If the DNS resolver does not have the IP stored in its cache, it will ask the root server.
Today there are only 13 root name server identities in the world (named A through M), operated by 12 different organizations. However, this does not mean there are only 13 physical locations sustaining the Internet. At the time of writing, there were over 750 root server instances worldwide, distributed across every continent. They are reached through 13 IPv4 addresses (and 13 IPv6 addresses), one per identity; Verisign operates two of the identities (A and J). Most of these addresses are anycast, meaning they are announced from many servers around the world at once, so DNS queries sent to them get a timely response from a nearby instance.
The root server does not know the answer, but it knows where to find the TLD (Top-Level Domain) servers for the name’s suffix, and it refers the resolver to them.
The coordination of TLDs is a function of the Internet Corporation for Assigned Names and Numbers (ICANN). For instance, the .COM TLD was one of the first ones created, in 1985, and has remained the largest TLD to date. Other types of TLDs include country codes (.DK, .JP, .CA, etc.), generic TLDs (such as .EDU, .NET, .ORG), infrastructure TLDs (.ARPA – used mostly for the management of technical network infrastructure), plus many newer TLDs (like .SHOP, .TATTOO, .HEALTH, etc.). According to the root zone database maintained by the IANA (Internet Assigned Numbers Authority), which is part of ICANN, there were over 1,500 TLDs at the time of writing.
So, how does the TLD server help out the resolver?
The TLD server does not know the domain’s IP address either, but it knows which name servers are authoritative for the domain, because the domain registrar submitted those name server records to the TLD registry when the domain was registered. So the TLD server answers the resolver with a referral to the domain’s authoritative DNS servers (also called its name servers). Authoritative DNS servers are the ones that hold the actual records and answer the queries that recursive resolvers send them. Normally, more than one name server is attached to a domain, so the workload is shared and resolution keeps working if one server fails. Each authoritative server is responsible for one or more zones; whatever it covers, it stores the records for the names in those zones, including their IP addresses, and answers the recursive resolvers that are trying to find which IP address corresponds to which domain name. If you would like to find out what the authoritative name servers for your domain are, you can use one of the websites that provide this functionality, for instance who.is.
Lastly, the authoritative name server provides the resolver with the IP address.
Once it has the response, the recursive resolver caches it and sends it back to the machine (and browser) that requested it. The machine then connects to the IP address and loads the webpage.
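The walk described in the steps above (cache, root, TLD, authoritative) as a runnable toy resolver. This is an added example, not code from the article or from Heimdal: the servers, their addresses (RFC 5737 documentation ranges) and the zone data are all constructed, and the "network" is an in-memory dictionary so it runs offline.

```python
# Constructed network: server IP -> the data that server holds. Addresses come
# from the RFC 5737 documentation ranges and stand in for real root/TLD servers.
NETWORK = {
    "198.51.100.1": {                                  # a root server instance
        "ns": {"com.": ("a.gtld.example.", "198.51.100.2")},
    },
    "198.51.100.2": {                                  # a .com TLD server
        "ns": {"heimdalsecurity.com.": ("ns1.heimdal.example.", "198.51.100.3")},
    },
    "198.51.100.3": {                                  # authoritative for the zone
        "a": {"heimdalsecurity.com.": "203.0.113.10",
              "www.heimdalsecurity.com.": "203.0.113.11"},
    },
}

def zone_cuts(qname):
    """'www.heimdalsecurity.com.' -> ['www.heimdalsecurity.com.', 'heimdalsecurity.com.', 'com.']"""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def ask(server_ip, qname):
    """One query to one server. A server answers from its own records, refers the
    resolver further down the tree when it holds a delegation, or says it has nothing."""
    data = NETWORK[server_ip]
    if qname in data.get("a", {}):
        return "answer", data["a"][qname]
    for zone in zone_cuts(qname):                      # most specific zone cut first
        if zone in data.get("ns", {}):
            ns_name, ns_ip = data["ns"][zone]          # NS record plus its glue A record
            return "referral", ns_ip
    return "nxdomain", None

class RecursiveResolver:
    """Walks root -> TLD -> authoritative on the client's behalf and caches the answer."""
    def __init__(self, root_ip="198.51.100.1"):
        self.root_ip, self.cache, self.trace = root_ip, {}, []

    def resolve(self, name):
        qname = name if name.endswith(".") else name + "."
        if qname in self.cache:
            self.trace.append(("cache", qname, "hit"))
            return self.cache[qname]
        server = self.root_ip
        for _ in range(10):                            # hop limit: no endless referral loops
            kind, payload = ask(server, qname)
            self.trace.append((server, qname, kind))
            if kind == "answer":
                self.cache[qname] = payload
                return payload
            if kind == "nxdomain":
                return None
            server = payload                           # follow the referral
        raise RuntimeError("referral loop while resolving " + qname)

if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.heimdalsecurity.com"))
    for hop in r.trace:
        print("  ", hop)
```

The `trace` list is the part worth looking at: the first lookup touches three servers in order, while a repeated lookup is answered from the resolver's cache without any network query. That cache is exactly what a spoofing attack tries to fill with a forged record.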
DNS vulnerabilities and attacks
Although the DNS is a complex and powerful system, it was designed for functionality rather than security. Cyber threats that explicitly leverage DNS weaknesses show no sign of slowing down. What’s more, today’s DNS attacks vary greatly, and most of them abuse the information exchange between clients and servers.
Common types of DNS attack vectors include:
- DNS tunneling – The attacker encodes data in DNS queries and responses (typically in subdomain labels and TXT records) for a domain whose authoritative server they control, turning the DNS protocol into a covert client-server channel. The tunnel can carry malware, command-and-control traffic or exfiltrated data, and it often passes firewalls that allow outbound DNS without inspection.
- Zero-day attacks – Exploitation of a flaw in DNS server software or in a DNS provider’s infrastructure that is unknown to the vendor or provider before malicious hackers start taking advantage of it.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) – In a DoS attack, an attacker floods a DNS server with traffic until it can no longer answer legitimate requests. In a DDoS attack, cybercriminals use a botnet to produce the huge volume of resolution requests.
- Fast-flux DNS – The attacker rapidly rotates the IP addresses (and sometimes the name servers) behind a malicious domain, using very short TTLs, so that the infrastructure is hard to pin down, block or take down.
- DNS spoofing (commonly also referred to as DNS poisoning) – Attacks in which malicious actors forge DNS data so that traffic meant for genuine domains is pushed towards bogus ones.
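The DNS tunneling entry above can be turned into a concrete detection. The following is an added example (not code from the article or from Heimdal) that runs over constructed resolver log lines: a tunnel shows up as one registered domain receiving many unique query names whose labels are long and high-entropy, often for TXT records, while a busy but benign CDN domain has many unique names too but short, low-entropy labels. The log format, domains and thresholds are assumptions made for the demo.

```python
import hashlib
import math
import re
from collections import defaultdict

def build_sample_log():
    """Constructed resolver log lines: '<timestamp> <client> <qtype> <qname>'."""
    lines = [
        "2024-03-01T10:00:01Z 10.0.0.5 A www.heimdalsecurity.com",
        "2024-03-01T10:00:02Z 10.0.0.5 A mail.example.com",
        "2024-03-01T10:00:02Z 10.0.0.7 AAAA www.heimdalsecurity.com",
    ]
    # Busy but benign: many distinct, short, low-entropy hostnames under one CDN domain.
    lines += [f"2024-03-01T10:00:{i % 60:02d}Z 10.0.0.8 A img{i}.cdn.example" for i in range(40)]
    # Tunnel: each chunk of exfiltrated data is hex-encoded into a unique 60-character label.
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:60]
        lines.append(f"2024-03-01T10:01:{i % 60:02d}Z 10.0.0.9 TXT {chunk}.c2.evil-tunnel.example")
    return lines

def shannon_entropy(s):
    """Bits per character; hex/base32 payloads score far higher than ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))

def registered_domain(qname):
    # Assumption for the demo: the last two labels. Production code should consult
    # the Public Suffix List so that names like 'foo.co.uk' are grouped correctly.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def analyse(lines, min_unique=20, min_label=30, min_entropy=3.5):
    """Aggregate per registered domain and flag the ones that look like tunnel endpoints.
    Returns (stats, flagged). Thresholds are illustrative, not vendor guidance."""
    stats = defaultdict(lambda: {"names": set(), "longest": [], "entropy": [], "txt": 0, "total": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                                     # skip malformed lines rather than crash
        _ts, _client, qtype, qname = m.groups()
        rd = registered_domain(qname)
        sub = qname.rstrip(".").lower()[: -len(rd)].rstrip(".")   # everything left of the domain
        labels = sub.split(".") if sub else [""]
        s = stats[rd]
        s["names"].add(qname)
        s["total"] += 1
        s["txt"] += qtype in ("TXT", "NULL")              # record types favoured by tunnels
        s["longest"].append(max(len(l) for l in labels))
        s["entropy"].append(shannon_entropy(sub.replace(".", "")))
    flagged = []
    for rd, s in stats.items():
        mean_label = sum(s["longest"]) / len(s["longest"])
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        # All three signals must fire: volume alone would flag the CDN domain too.
        if len(s["names"]) >= min_unique and mean_label >= min_label and mean_entropy >= min_entropy:
            flagged.append(rd)
    return stats, sorted(flagged)

if __name__ == "__main__":
    stats, flagged = analyse(build_sample_log())
    for rd in flagged:
        s = stats[rd]
        print(f"{rd}: {len(s['names'])} unique names, {s['txt']}/{s['total']} TXT/NULL queries")
```

Requiring all three signals together is the point of the example: unique-name volume alone flags the CDN domain, and long labels alone flag some legitimate services, but the combination of volume, label length and entropy isolates the tunnel endpoint in this sample.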
What is a DNS spoofing attack?
When a recursive resolver sends a query to an authoritative name server, it has no cryptographic means of checking that the response is genuine (unless DNSSEC is in use). The best a plain DNS resolver can do is check that the reply arrives on the UDP port it sent the query from, carries the same 16-bit transaction ID, repeats the question it asked, and appears to come from the IP address it queried. Relying on the source IP address is never a good idea, because DNS runs mostly over UDP and the source address of a response packet is trivially spoofed; the transaction ID and source port are the only other hurdles, and they can be guessed, or simply observed by anyone who can see the query on the network.
Security-wise, this design means a resolver cannot tell a forged response to one of its queries from a real one. Cybercriminals can therefore pose as the authoritative server the resolver queried, sending a response that appears to come from it and arrives before the genuine answer. In practice, an attacker could redirect a user to a malicious site without the user noticing anything. In a nutshell, DNS spoofing refers to all attacks that attempt to alter the DNS records returned to the user in order to redirect him/her to a malicious website.
DNS spoofing vs DNS poisoning
With reference to DNS spoofing vs DNS poisoning, the two concepts don’t describe the same thing. In short, cache poisoning is one of the methods of achieving DNS spoofing. DNS spoofing refers to the general category of attacks that spoof DNS records: it is not a specific attack mechanism, but rather the ultimate objective of the attack. These attacks may include DNS hijacking, Man-in-the-middle attacks, and cache poisoning. DNS cache poisoning relies on replacing data in a resolver’s cache with the contents of a forged DNS response, after which every client of that resolver receives the wrong answer until the record expires. These attacks are easily missed by security tools that do not inspect DNS traffic at all.
DNS injection is known as a censorship tool for blocking access to blacklisted domain names. The technique uses deep packet inspection on all DNS queries passing through a network and injects spoofed replies before the real ones arrive. A DNS injection attack also affects third parties whose traffic happens to be routed via the censored network. DNS injection has been shown to be in use in China, because its spoofed replies inadvertently leaked into international networks. It can also be detected by sending DNS queries into a censored network, as was done for Iran: the Iranian DNS filter was briefly lifted for certain names in mid-2013, which coincided with media reports of Iranian political discussions about blocking social media.
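The mechanism described in the two sections above, a resolver accepting the first reply that matches its port, transaction ID and question, and the resulting cache poisoning, as a runnable model. This is an added example, not code from the article or from Heimdal: it builds real DNS wire-format messages, but the "network" is simulated in memory, and the resolver, the victim name and all addresses are constructed for the demo. The `weak=True` resolver models the pre-2008 situation (sequential transaction IDs, one fixed source port); `weak=False` models the source-port randomization that resolvers adopted after the Kaminsky disclosure. The race itself is simplified: the genuine reply is assumed to arrive after the forged ones.

```python
import random
import struct

def encode_name(name):
    """'www.example.' -> b'\\x03www\\x07example\\x00' (DNS wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a wire-format name at offset off; follows a compression pointer."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                          # pointer: rest of the name lives elsewhere
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return decode_name(msg, ptr)[0], off + 2
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + ln].decode())
        off += ln

def build_query(txid, qname):
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, one question
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def build_answer(txid, qname, ip, ttl=3600):
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD, RA, one answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # owner name = pointer to question
    return hdr + question + rr

def parse_answer(msg):
    """Return (txid, question name, address) from a response carrying one A record."""
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)                  # question follows the 12-byte header
    off += 4                                           # skip QTYPE and QCLASS
    _, off = decode_name(msg, off)                     # owner name of the answer RR
    _, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    return txid, qname, ".".join(str(b) for b in rdata)

class Resolver:
    """Minimal caching resolver. weak=True: sequential transaction IDs and a fixed
    source port. weak=False: both randomized, roughly 32 bits an attacker must guess."""
    def __init__(self, weak, rng):
        self.weak, self.rng, self.cache, self.next_id, self.pending = weak, rng, {}, 0, None

    def query(self, qname):
        if self.weak:
            txid, port = self.next_id, 53
            self.next_id = (self.next_id + 1) & 0xFFFF
        else:
            txid, port = self.rng.randrange(65536), self.rng.randrange(1024, 65536)
        self.pending = (txid, port, qname)
        return build_query(txid, qname)

    def receive(self, dst_port, msg):
        """Accept the first reply matching port, transaction ID and question; cache it."""
        if self.pending is None:
            return False                               # nothing outstanding: late reply dropped
        txid, port, qname = self.pending
        rtxid, rname, ip = parse_answer(msg)
        if dst_port == port and rtxid == txid and rname == qname:
            self.cache[qname] = ip
            self.pending = None
            return True
        return False

def poisoning_race(weak, guesses, seed=7):
    """Off-path attacker fires `guesses` forged replies before the genuine one lands.
    Returns the address the resolver ends up caching for the victim name."""
    rng = random.Random(seed)
    victim, real_ip, evil_ip = "login.bank.example.", "203.0.113.10", "198.51.100.66"
    resolver = Resolver(weak, rng)
    # 1. The attacker makes the resolver look up a name under their own domain and
    #    watches the outgoing query: it reveals the current transaction ID and port.
    probe = resolver.query("probe.attacker.example.")
    seen_txid, seen_port = struct.unpack("!H", probe[:2])[0], resolver.pending[1]
    resolver.receive(seen_port, build_answer(seen_txid, "probe.attacker.example.", "198.51.100.1"))
    # 2. The resolver queries the victim name; the attacker floods guessed replies.
    resolver.query(victim)
    real_txid, real_port, _ = resolver.pending
    for i in range(guesses):
        txid = (seen_txid + 1 + i) & 0xFFFF if weak else rng.randrange(65536)
        port = seen_port if weak else rng.randrange(1024, 65536)
        if resolver.receive(port, build_answer(txid, victim, evil_ip)):
            break
    # 3. The genuine answer arrives last and is dropped if the cache is already filled.
    resolver.receive(real_port, build_answer(real_txid, victim, real_ip))
    return resolver.cache[victim]

if __name__ == "__main__":
    print("predictable TXID + fixed port:", poisoning_race(weak=True, guesses=16))
    print("random TXID + random port    :", poisoning_race(weak=False, guesses=5000))
```

With predictable IDs and a fixed port the very first forged reply is accepted and the poisoned record then serves every client of that resolver for its TTL. With randomization the attacker has about one chance in four billion per forged packet, which is why source-port randomization mattered so much; it is still only a probabilistic defence, and DNSSEC validation is what actually lets the resolver reject a forged record outright.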
Although technically not DNS spoofing techniques, the tactics I will briefly discuss below also trick people into accessing illegitimate domains, and they rely mostly on users’ inattention rather than on any flaw in the DNS. With a sharp eye these attacks can often be spotted, so make sure you watch out for them as well.
A homograph attack (also known as a homoglyph attack, script spoofing, or homograph domain name spoofing) is a cyberattack in which a malicious party exploits the visual similarity of characters to register fake domains that look almost identical to genuine ones, so that users don’t notice they are visiting a different website. The infamous PayPal scam first spotted almost 20 years ago is a good example: the site was deceptively named PayPaI.com, with an uppercase “I” standing in for the lowercase “l” of the real name, and it was a convincing duplicate of the genuine site. Modern variants use internationalized domain names, where for instance a Cyrillic “а” replaces the Latin “a”; the two are indistinguishable in many fonts, although browsers will show such names in their Punycode form (starting with “xn--”) when they detect suspicious script mixing.
Typosquatting (also known as URL hijacking or brandjacking) is an attack technique that preys on typos made by users. When users type a domain name, misspell it, and fail to notice the error, they may inadvertently end up on a look-alike website registered by typosquatters. Both typosquatting and homograph attacks use similar-looking website names to trick users into visiting them. The main distinction is that in typosquatting the attackers count on the ordinary typographical mistakes people make when typing a URL, while in homograph spoofing the perpetrator registers a malicious domain that may look identical to the original one when displayed.
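A practical check for the two look-alike tactics just described, as an added example (not code from the article or from Heimdal). Candidate domains are compared against a small constructed brand allowlist three ways: Punycode labels are decoded to what the user would actually see, a confusable-character "skeleton" catches homographs such as the PayPaI trick or a Cyrillic “а”, and an edit-distance check catches typosquats. The confusable table here is a small illustrative subset; real tooling should use the full Unicode confusables data.

```python
# Illustrative subset of look-alike characters mapped to the Latin letter they
# imitate (assumption: a subset sufficient for the demo, not a complete defence).
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",                     # the 'PayPaI' trick
    "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",      # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",      # Cyrillic р с у
    "\u0445": "x", "\u0456": "i", "\u0458": "j",      # Cyrillic х і ј
}

BRANDS = {"paypal.com", "heimdalsecurity.com"}        # constructed allowlist of genuine domains

def to_unicode(domain):
    """Turn Punycode labels (xn--...) back into the characters a user would see."""
    return ".".join(l.encode("ascii").decode("idna") if l.lower().startswith("xn--") else l
                    for l in domain.split("."))

def skeleton(label):
    """Collapse look-alikes so that visually identical labels compare equal."""
    s = label.replace("rn", "m").replace("vv", "w")    # two-character confusables first
    return "".join(CONFUSABLES.get(c, c) for c in s).lower()

def levenshtein(a, b):
    """Classic edit distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands=BRANDS, max_typo_distance=2):
    """'legitimate', 'homograph', 'typosquat' or 'unrelated' relative to the brand list."""
    shown = to_unicode(domain.rstrip("."))
    if shown.lower() in brands:
        return "legitimate"
    host = shown.split(".")[-2] if "." in shown else shown   # second-level label (assumption)
    verdict = "unrelated"
    for brand in brands:
        brand_label = brand.split(".")[-2]
        if skeleton(host) == skeleton(brand_label):
            return "homograph"                         # looks the same once confusables collapse
        if 0 < levenshtein(host.lower(), brand_label) <= max_typo_distance:
            verdict = "typosquat"                      # a keystroke or two away from the brand
    return verdict

if __name__ == "__main__":
    cyrillic = "p\u0430ypal.com".encode("idna").decode("ascii")   # what the registry would store
    for d in ["paypal.com", "PayPaI.com", "paypa1.com", cyrillic, "payapl.com", "github.com"]:
        print(f"{d:24} -> {classify(d)}")
```

Running the demo shows why decoding Punycode first matters: the Cyrillic variant arrives from a registry or certificate-transparency feed as an `xn--` label and looks nothing like the brand until it is converted back to the characters a browser might display.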
For DNS spoofing prevention, monitor your DNS records and digital certificates for unexpected changes. Deploy DNSSEC (Domain Name System Security Extensions), which adds digital signatures based on public-key cryptography to DNS data so that a validating resolver can reject forged records; keep in mind that this only protects users whose resolvers actually perform validation. Make sure the resolvers you operate randomize source ports and transaction IDs, as all maintained resolver software has done since the 2008 cache-poisoning disclosures, and do not accept DNS responses from the Internet that no query was sent for. Last, but not least, use a DNS filtering solution like Heimdal™ Threat Prevention that hunts, prevents, detects, and blocks threats at the traffic level. As I’ve already indicated, security tools that ignore DNS traffic offer no protection against DNS attacks. Thanks to its Machine Learning-driven DNS filtering system, Heimdal™ Security brings you full DNS protection and malware blocking. Contact us today at firstname.lastname@example.org if you’d like to learn more.