What is DNS Poisoning and How to Protect Your Enterprise Against it
How does a DNS Poisoning Attack Work? Prevent and Mitigate DNS-delivered Cyberattacks
Modern enterprise cybersecurity has evolved – that’s a true statement. If we were to travel back in time – say, 10 or 20 years – ago, we would have discovered, much to our stupefaction, that cybersecurity was nothing more than an auxiliary attribution, bestowed upon the (un)fortunate soul who had the (dubious privilege) of fulfilling the IT admin role. If memory serves me right, in the early 2000s, there were only a handful of companies that invested in cyber-protection.
As for the rest, my best (educated) guess would be that they were either complacent, willing to go along with any generic cybersecurity countermeasure (ex. Windows’ antiviral suite, freeware, etc.). There’s also the pecuniary aspect of this predicament – elaborate online (and offline) security countermeasures would have entailed ‘unjustifiable’ costs. Hence, decision-makers either nixed the entire initiative, embracing que sera, sera attitude, or used whatever solution they had at hand.
DNS poisoning ascending
Times have changed, but not for the better. As a company owner or at least someone who has, on occasions, rubbed shoulders with IT/cybersecurity, you must have heard rumors of second-generation malware, malicious campaigns aimed at big corps, public institutions, and government-owned companies. Those ‘rumors’ are, unfortunately, part of the status quo. Dismissing them is equal to signing the death sentence for your company.
At Heimdal™ Security, we have done extensive research on the emergent malicious strains, to devise actionable prevention and mitigation strategies for SMBs, corp C-level execs, and IT managers looking to up their threat- hunting game. Since we’re on the topic of second-gen malware, today’s article will be dedicated to DNS poisoning, a misconfiguration cyber-attack that seems to have resurfaced and wreaked havoc wherever it goes.
In fact, according to IDC’s annual Global DNS Threat Report, in 2020, circa 80% of (interviewed), SMBs and corporations have experienced DNS-delivered attacks. To make matters worse, the companies in question have lost close to $1 million trying to undo the damage.
The same report also mentions that the average attack frequency was 9.5 per company, Northern America being the number one target on the (hackers’) hitlist.
Hoping that the reader has forgiven the author for the long and tedious introduction, here’s everything he or she will need to know about DNS cache poisoning (URL poisoning).
What is DNS poisoning?
As I’ve mentioned in the intro, DNS poisoning is a misconfiguration attack whose purpose is to divert traffic away from a legitimate website and/or server. In doing so, a malicious actor can redirect the user to a cloned website.
It may sound rather simplistic, but nothing could be further from the truth – DNS-delivered attacks, such as poisoning and spoofing (I’ll get to that in a moment), are the result of a masterfully-crafted plan. Before launching the attacks, the hacker needs to gather as much info as possible on the potential target to maximize the chances of success (no-brainer!).
Now, before I will go into more detail, I believe it’s essential to have a quick (and painless) recap on how things work. In other words: “Marty, we need to go back to…” the basics.
Back to the Basics (Again)
First of all, what’s a DNS? My all-time favorite analogy is the phone book.
The DNS, which is short for Domain Name System is a long-winded digital ‘phone book’ that contains the names and IP addresses of all your favorite websites and more – meaning every website in existence. Why do you need this very special phone book to look up cat videos or cringe memes? Because we don’t speak the same language as computers.
Sure, if you tell someone: “take a picture of your cat”, that person will do exactly what you asked for, without you having to lay down instructions – that’s the beauty of language and linguistics. In the case of computers, you’ll need to use a different type of language – math. Well, not the meme kind one, but one with lots of ones and zeros.
So, if it’s all 1s and 0s, how do you, in Computer, that you want to open youtube.com or 9gag.com? This is where the DNS comes into play –being like a phone book, allows you to quickly lookup your favorite websites.
How? By matching the name of websites with its binary representation. So, every time you look up, say google.com, your machine will send out the request to the Guardian of the Great Internet Phone Book (also known as a DNS server).
Forgot to mention that this insomniac guardian is also a great matchmaker in his spare time – whenever you send out a website connection request, the server looks up your description matches it with the website’s numerical representation and returns, the, well, website. Of course, all of these steps happen in the blink of an eye.
Just to get a hang of how fast this happens, look up a random keyword on Google and take a look at the results bar. Right next to it, is the average time it took the server to poll the results of your search.
For the sake of the argument, I’ve google-searched ‘funny cat GIFs. It took Google 0.51 seconds to display the results. I would say ‘heartbeat-fast’, but not our hearts don’t work that fast (well, technically, it can, but then you would need to see your doctor).
Anyway, that’s how computers know how to reach websites. Let’s spice things up a bit.
Remember when I said that your computer requires a DNS server to look up websites? The truth of the matter is that it needs more than one DNS server, for speed, volume, and storage purposes. Your ISP (Internet Service Providers) operates a DNS server.
Furthermore, to streamline the process, your computer runs its DNS cache. Home routers (and routers, in general) have some (DNS) serveresque capabilities. What we have here is a DNS server merry-go-round! In reality, the comm mechanism between the endpoint, DNS server, and the server that hosts the actual website is much more intricate.
So, skipping the hyper-techie part, we finally arrive at today’s topic which is DNS poisoning. Since we’ve already established that the DNS server bears a striking similarity to the phone book, this means that it can be considered a (very) big repository of numeric and human-readable addresses.
Just like any registry, if one entry somehow becomes compromised, the matching info will stop from making any sense. Imagine wanting to call John Doe and ending up chatting with the local funeral home because someone got hold of the phone book and doing the old switcharoo with the phone numbers.
DNS spoofing works – more or less – the same way.
In a DNS poisoning attack, the malicious actor would position himself (herself) between the client and the server handling the DNS query from the client. Indeed, DNS poisoning is, in essence, a MiM (Man-in-the-Middle) attack, but the purpose here is to trick the user (or rather his device) into accessing a malicious website.
DNS attack in motion
The first step in launching a DNS poisoning attack is recon – the DNS server’s MAC address, software versioning, known vulnerabilities, average requests handled per hour, any kind of DNSSEC (Domain Name System Security) employed, communication protocols), and encryption algorithms, etc.
Once recon’s complete, the malicious actor would go about gaining access to the DNS server. Bear in mind that the hacker doesn’t want complete and utter control over the server. That would be pointless. Instead, he will inject fake DNS entries to reroute connections.
This step achieves three goals: corrupt a ‘healthy’ DNS registry, dupe the client into connecting to a malicious server, and, last, but not least, ‘convince’ the DNS server that the entry for the malicious site is correct and legit. So why poisoning? Because, just like poison permeates every tissue and cell, so do spoofed DNS entries.
How does this ‘contagion’ spread? DNS servers don’t act of their own accord – they communicate with other DNS servers. A single server doesn’t know the numerical addresses of all websites.
But they can ask others for help. Imagine what happens when a ‘poisoned’ DNS server contacts another server to inquire about an address? The second one gets infected as well. And the process goes merrily on until the faulty entries are detected and purged.
As for the user, he’s going to find himself in a world of trouble. So, you send the query to the DNS server for, let’s say facebook.com. The server which, at some point, became ‘poisoned’, searches for the entry, and sends back the request. Keep in mind that the server is unaware that is records have been tampered with because it doesn’t employ any form of security.
Now, the user will be redirected to the address indicated by the DNS server. Only it’s not the real Facebook, but a cloned website that looks exactly like the real one.
From there, the hackers can perform various data exfil operations on the victim’s machine: data-stealing forms, malicious payloads embedded in auto-run Office macros, install spyware or traffic sniffers, launch DDoS, etc.
Increasingly, hackers target organizations at network or DNS traffic level.
YOU TO PREVENT, DETECT AND RESPOND TO NETWORK-BASED THREATS
- Full DNS protection and full network logging.
- Uses Machine Learning on device to infrastructure communication for a strong HIPS/HIDS and IOA/IOC add-on to your network.
- An easy way to add network threat prevention, detection and blocking.
How does a DNS Poisoning Attack Work?
Here’s a dns spoofing attack example.
Imagine we have three actors:
- The attacker – IP 220.127.116.11.
- The client – IP 18.104.22.168
- The website’s server – IP 22.214.171.124
There are tons of tools available for DNS poisoning, but arpspoof seems to be the most popular choice among black hat hackers. So, this is what happens during a DNS poisoning attack
Step 1. Using arpspoof, the attack will issue a request to the website’s server. The command will be arpspoof 126.96.36.199 188.8.131.52. What happens here is that the attacker roundhouse kicks the server’s ARP table (IP-MAC address matchmaking protocol), tricking the server into believing that the machine bearing that IP belongs to the client.
Step 2. The attacker launches a second arpspoof. This time he guns for the client. The second command will be arpspoof 184.108.40.206 220.127.116.11. The attacker lets the client know that his computer is the server.
Step 3. Using an IP forwarding command, the data packets sent between the client and the real server are redirected to the attacker’s computer.
Step 4. Upon issuing the IP forwarding command, a host file will be created on the attacker’s machine, effectively mapping the legit website to that local IP.
Step 5. The attacker will proceed to set up a fake web on that local IP. Of course, the website will resemble the real one to a T.
Step 6. The attacker may another tool to redirect all the DNS requests to his local host file.
Simple Antivirus protection is no longer enough.
Thor Premium Enterprise
to organizational defense.
- Next-gen Antivirus which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Protection against data leakage, APTs, ransomware and exploits;
How to protect your endpoints against DNS poisoning
Here are a couple of actionable tips that will help you prevent a corrupt dns cache and to cover all DNS attack vectors.
1. Deploy DNSSEC
DNS Security Extensions are widely used to protect the server’s register against outside tampering. This system employs complex cryptography, digitals signatures, and additional methods for DNS request authentication.
2. Look for the Secure Connection symbol
When opening a website, look for the padlock symbol next to the address bar. This indicates that your connection is secured. No padlock indicates that the website may have been cloned for malicious purposes.
Patching is not only important to endpoint; DNS servers need them as well. Ensure that the DNS server you’re using has been patched to the latest version.
4. DNS traffic-filtering
Advanced DNS traffic filtering has proven to be the best method to identify and combat DNS-delivered attacks. Consider deploying a cybersecurity suite that packs active DNS filtering.
Heimdal™ Security’s Thor Premium Enterprise comes with a proprietary, two-way traffic filtering engine that works at DNS, HTTP, and HTTPS levels. Our solution actively hunts from tampered Internet traffic and prevents such occurrences.
DNS poisoning affects the server’s DNS registry, actively redirecting the client to a spoofed address during a query. How does your organization protect itself against spoofing attempts?