In today’s internet and tech environment, cyber attacks are a constant and growing issue every company and website needs to be prepared for. Without the right precautions and support, attackers can cause real harm to your organization and website. One way attackers can cause that harm is with DNS spoofing or poisoning. To help you figure out how to prevent DNS spoofing, we’ll walk you through what it is, how it works, and what you can do about it.
What is DNS spoofing?
DNS spoofing is a cyber attack that manipulates DNS servers to deceive web browsers and redirect users to fraudulent websites instead of their intended destinations. In this attack, attackers mimic legitimate DNS server activity to send users to malicious websites designed to appear legitimate, but with the intent to steal confidential information. An additional variant of this attack is DNS cache poisoning, where the fraudulent IP address is stored in your computer's cache memory. Consequently, when you attempt to access the desired domain, your computer continues to retrieve the malicious website instead.
What is the DNS and DNS server?
To fully understand DNS spoofing, it’s important to understand DNS and DNS servers. Each computer and server has a unique Internet Protocol (IP) address, a numeric identifier that tells websites which computer is using the site. These numbers are hard for people to remember, so we use domain names instead to keep track of what website we’re on. The Domain Name System (DNS) is what translates the domain name into the right IP address. The DNS servers, namely resolving name servers, root name servers, top-level domain (TLD) name servers, and authoritative name servers, are what enable the translation, or lookup, between domain name and IP address.
The DNS lookup process works like this:
- Your web browser attempts to find the IP address attached to the website you’re trying to use.
- Your operating system will first look in the computer’s memory cache. A website you’ve visited previously will likely have the IP address already stored on your computer.
- If your operating system doesn’t find the IP address on the computer, it will query the resolving name server—which is the first DNS server.
- The query passes through the DNS servers to find the matching IP address.
- The IP address is then sent back to the operating system, which sends it back to your web browser.
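The lookup order above, as an added example that is not part of the original article: a toy stub resolver that checks its cache before asking the resolving name server. It shows why a poisoned cache entry keeps being served until its TTL expires or the cache is flushed. The class `StubResolver`, the `.example` names and the documentation-range addresses are all constructed for illustration.

```python
import time


class StubResolver:
    """Toy model of the lookup order: local cache first, then the resolving name server."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream        # callable: name -> (ip, ttl_seconds)
        self.clock = clock
        self.cache = {}                 # name -> (ip, expires_at)
        self.upstream_queries = 0

    def lookup(self, name):
        name = name.lower().rstrip(".")
        entry = self.cache.get(name)
        if entry and entry[1] > self.clock():
            return entry[0]             # cache hit: upstream is never consulted
        self.upstream_queries += 1
        ip, ttl = self.upstream(name)
        self.cache[name] = (ip, self.clock() + ttl)
        return ip

    def flush(self, name=None):
        """Drop one cached name, or the whole cache when no name is given."""
        if name is None:
            self.cache.clear()
        else:
            self.cache.pop(name.lower().rstrip("."), None)


def demo():
    now = [0.0]                                       # controllable clock for the demo
    records = {"shop.example": ("192.0.2.10", 300)}   # constructed legitimate record
    resolver = StubResolver(lambda n: records[n], clock=lambda: now[0])

    results = [resolver.lookup("shop.example")]       # cache miss, answered upstream
    # Model the state after poisoning: a forged entry with a long TTL sits in the cache.
    resolver.cache["shop.example"] = ("203.0.113.66", now[0] + 86400)
    now[0] += 3600
    results.append(resolver.lookup("shop.example"))   # an hour later: still the forged address
    resolver.flush("shop.example")
    results.append(resolver.lookup("shop.example"))   # flushed: resolved again upstream
    return results, resolver.upstream_queries


if __name__ == "__main__":
    print(demo())
```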
Methods for DNS spoofing
There are several ways for attackers to perform a DNS spoofing attack, but there are three that are the most common—and therefore the most important to prepare for.
DNS hijacking is when an attacker uses the DNS servers themselves to send users to malicious websites. The attacker might take over routers, redirect communications, or even use malware on endpoints. Commonly, an attacker will reconfigure the DNS servers so that all user requests through the servers are sent to the fraudulent IP address.
A man-in-the-middle attack is where an attacker puts something in between a request for an IP address and the DNS servers. An attacker will intercept a DNS query before it can go through the real DNS servers and instead send back a fraudulent IP address to the computer. With the fraudulent IP address, the web browser then takes the user to the malicious website. Essentially, the DNS query interceptor is a man-in-the-middle that directs users to the wrong website.
The other two attacks could potentially lead to cache poisoning, but there’s an additional way attackers can put the wrong IP address in a computer’s cache memory. Email spam and ad spam can actually be used to embed the incorrect IP address into the computer’s memory. Attackers might send emails with links, and if a user clicks the link, the link will take them to a malicious website and poison their computer cache. Click ads can also be used in a similar way to set up a DNS spoofing cache poisoning attack.
How DNS spoofing works
Attackers can use any of the three methods on their own or in tandem to orchestrate a DNS spoofing cyber attack. Attackers will have different motives for their attacks, but most of them will follow a very similar pattern in how they orchestrate their attacks.
- Gathering information. Before an attacker launches an attack, they’re going to gather information about your website and organization. They’ll look at the DNS servers, figure out the average number of requests they handle, find domain security precautions, notice vulnerabilities, and ultimately determine if there’s any way they can find a hole to launch an attack.
- Gaining access. To launch a DNS spoofing attack, the attackers need to get access to the servers or other points of entry where they can release the corrupt DNS data or intercept queries. Usually an attacker isn’t trying to take control of the entire server but rather just find a small hole where they can access files and queries.
- Launching the attack. Once an attacker has access and knows what to expect, they’ll launch the DNS spoofing or poisoning attack.
The risks of DNS spoofing
Why do attackers use DNS spoofing? What are they trying to do? These are some of the common reasons attackers will want to use this kind of cyber threat—and what risks of DNS spoofing to be aware of:
- Malware infection. Sometimes attackers will send users to malicious websites that will install malware on their devices. Then when a user is led by DNS spoofing to the wrong site, their computer gets infected—which can lead to many more being infected by the malware.
- Data theft. Most cyber attackers are after users’ data that they can sell. A lot of DNS attacks will spoof a shopping site. When users are redirected to the malicious website, they may put in their personal information thinking they’re on the site they meant to access. The attackers can then sell that data.
- Censorship. DNS spoofing sends users to different websites than they intended to access, which means that if someone doesn’t want you to access a website, they can use DNS spoofing to keep you away. Some governments use DNS spoofing as a way to censor—like the Great Firewall in China. DNS spoofing can be large and expansive.
How to prevent DNS spoofing
With these risks from DNS spoofing in mind, it’s time to explore how to prevent DNS spoofing from happening in the first place. Like with all cyber security, there’s no perfect solution that can completely guarantee no attacker will breach your defense. But there are steps you can take to protect your users and drastically reduce the risk of a DNS spoofing or poisoning attack. Here are some ways to reduce the risk of DNS spoofing:
- DNS spoofing tools. There are tools designed specifically to help identify DNS spoofing attacks. Using these tools can give you the reassurance that somebody is watching for these kinds of attacks. The downside is that it can be pricier and more time consuming to use specialized tools and services.
- Increased encryption. End-to-end encryption can make it much harder for attackers to duplicate your website TLS/SSL certificates and find holes to launch an attack. While it’s not a perfect solution, increased encryption can be combined with many other preventative measures.
- Using DNSSEC. DNSSEC adds verifiable digital signatures to DNS records, which helps keep your website free of DNS spoofing. It can be difficult to configure and keep all information private, so using this solution may require some professional guidance.
- Keeping TLS certificates current and updated. A lot of people forget that TLS/SSL certificates are powerful tools to help keep your website secure. In fact, man-in-the-middle attacks are usually only possible because an attacker is able to strip a site of its TLS/SSL certificates. Using powerful certificate management can keep attackers from using DNS spoofing.
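One simple form of the detection described under "DNS spoofing tools", as an added example rather than any vendor's tool: it compares the answers several resolvers gave for the same names against the addresses you actually publish. The log format, resolver names, domain names and addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: one answer per (resolver, name), format "resolver,name,ip".
SAMPLE = """\
corp-resolver,shop.example,192.0.2.10
public-a,shop.example,192.0.2.10
public-b,shop.example,192.0.2.10
corp-resolver,mail.example,203.0.113.66
public-a,mail.example,198.51.100.25
public-b,mail.example,198.51.100.25
corp-resolver,cdn.example,198.51.100.7
public-a,cdn.example,198.51.100.7
public-b,cdn.example,203.0.113.9
"""

# Addresses you publish for your own names (assumption: exported from your zone data).
EXPECTED = {"shop.example": {"192.0.2.10"}, "mail.example": {"198.51.100.25"}}


def parse(text):
    """Yield (resolver, name, ip) with names and addresses normalised."""
    for line in text.splitlines():
        if not line.strip():
            continue
        resolver, name, ip = (field.strip() for field in line.split(","))
        yield resolver, name.lower().rstrip("."), str(ipaddress.ip_address(ip))


def find_suspect_answers(text, expected=EXPECTED):
    """Return (name, resolver, ip, reason) for answers that look spoofed."""
    by_name = defaultdict(dict)
    for resolver, name, ip in parse(text):
        by_name[name][resolver] = ip
    findings = []
    for name, answers in sorted(by_name.items()):
        allowed = expected.get(name)
        majority = Counter(answers.values()).most_common(1)[0][0]
        for resolver, ip in sorted(answers.items()):
            if allowed is not None and ip not in allowed:
                findings.append((name, resolver, ip, "not an address you publish"))
            elif allowed is None and ip != majority:
                findings.append((name, resolver, ip, "disagrees with other resolvers"))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_answers(SAMPLE):
        print(*finding, sep="  ")
```

Resolver disagreement on its own is only a lead, since CDNs and geo-balanced services legitimately return different addresses; the comparison against your own published addresses is the stronger signal.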
To be prepared against DNS spoofing and poisoning attacks, your solution can encompass several precautions. One of the most important preventative measures to take is to use proper TLS/SSL management support. Venafi is ready to help you protect against DNS spoofing with this proper certificate management. Download our TLS/SSL Machine Identity Management Guide to get started protecting your sites against DNS spoofing and poisoning.