DNS


The Domain Name System (DNS) is the Internet's equivalent of a phone book. Its name servers maintain a directory of domain names and translate them to Internet Protocol (IP) addresses.

This is necessary because, although domain names are easy for people to remember, computers access websites by IP address.

Information from all the domain name servers across the Internet is gathered together and housed at the Central Registry. Hosting companies and Internet Service Providers interact with the Central Registry on a regular schedule to get updated DNS information.


DNS spoofing is a type of computer attack in which a user is forced to navigate to a fake website disguised to look like the real one, with the intention of diverting traffic or stealing users' credentials. Spoofing attacks can go on for a long period of time without being detected and can cause serious security issues.


DNS spoofing, also (strictly speaking, incorrectly*) referred to as "DNS cache poisoning", is a form of computer security hacking in which corrupt Domain Name System data is introduced into a DNS resolver's cache, causing the name server to return an incorrect IP address. The result is that traffic is diverted to the attacker's computer.

Normally, a networked computer uses a DNS server provided by an ISP or by the computer user's organization. A poisoning attack on a single DNS server can affect the users served directly by the compromised server, and indirectly any users of downstream servers that rely on it.

To perform a cache poisoning attack, the attacker exploits flaws in the DNS software. A server should correctly validate DNS responses to ensure that they come from an authoritative source; otherwise it may cache the incorrect entries locally and serve them to other users who make the same request.

This attack can be used to redirect users from a website to another site of the attacker's choosing. For example, an attacker replaces the DNS entries for a target website on a given DNS server with the IP address of a server under their control.


*DNS Spoofing vs. DNS Cache Poisoning


Often treated as the same type of attack, these two techniques are in fact technically different from one another. Generally speaking, DNS cache poisoning is one of the many ways to achieve DNS spoofing, which refers to the wide range of attacks aimed at supplanting the information stored on DNS servers.

DNS spoofing is the ultimate goal of the attack (to change the records stored on the DNS server in whatever way the attackers decide), and different mechanisms are used to reach it. They include DNS cache poisoning, but also man-in-the-middle attacks, the use of fake base stations, and even compromising the security of the DNS server itself.

We can also see examples of DNS spoofing in attacks aimed at users. One of these is replacing the addresses of the DNS servers configured on our operating system or router.

DNS cache poisoning refers to the situation in which many end users share the same cache, whose stored records map each domain to an IP address. If attackers manage to manipulate a DNS entry in this cache, the Internet service providers that use it will accept the entry as authentic, even though it has been manipulated to point to a fake website.

In such a case, what we have is a poisoned DNS cache that no longer resolves a domain name to its legitimate IP address. Obviously, poisoning this type of cache is not as easy as poisoning the cache in an individual system or router, but technically it is possible and there are precedents.

DNS Hijacking


DNS hijacking takes advantage of how the Domain Name System functions as the internet's phone book—or more accurately, a series of phone books that a browser checks, with each book telling a browser which book to look in next, until the final one reveals the location of the server that hosts the website that the user wants to visit. 
"When you type a domain name like 'google.com' into your browser, DNS servers hosted by third parties, like the site's domain registrar, translate it into the IP address for a server that hosts that website."

DNS lookup is a convoluted process, and one that is largely out of the destination website's control. To perform that domain-to-IP translation, your browser asks a DNS server (hosted by your Internet service provider) for the location of the domain. That server asks a DNS server hosted by the site's top-level domain registry (the organizations in charge of swathes of the web such as .com or .org) and domain registrar, which in turn asks the DNS server of the website or company itself. A hacker who is able to corrupt a DNS lookup anywhere in that chain can send the visitor off in the wrong direction, making the site appear to be offline, or even redirecting users to a website the attacker controls.

Many cache poisoning attacks against DNS servers can be prevented by being less trusting of the information passed to them by other DNS servers, and by ignoring any DNS records passed back that are not directly relevant to the query. Source port randomization for DNS requests, combined with the use of cryptographically secure random numbers for selecting both the source port and the 16-bit transaction ID (a nonce), greatly reduces the probability of a successful DNS race attack.

However, when routers, firewalls, proxies, and other gateway devices perform network address translation (NAT), or more specifically port address translation (PAT), they may rewrite source ports in order to track connection state. In doing so, PAT devices may remove the source port randomness implemented by name servers and stub resolvers.

Secure DNS (DNSSEC) uses cryptographic digital signatures, verified against a trusted public key, to determine the authenticity of data. DNSSEC can counter cache poisoning attacks, but as of 2008 it was not yet widely deployed.
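The acceptance checks described above (matching transaction ID and randomized source port, a question that matches what was asked, and dropping records outside the queried zone's bailiwick), written out as a small resolver-side filter. This is an added example, not code from the original post; the wire-format messages are constructed inline with build_reply() and the pending-query fields (txid, port, qname, qtype, zone) are assumed names.

```python
import struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def decode_name(msg, off):
    # RFC 1035 labels; follows compression pointers, bounded to defeat pointer loops
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
            end = end or off + 2               # a name ends after its first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + n].decode().lower()); off += n

def build_reply(txid, qname, rrs):
    # Constructed reply: one A question plus (owner, ipv4) A records in the answer section
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in rrs:
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(x) for x in ip.split("."))
    return msg

def parse_reply(msg):
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        records.append((owner, rtype, msg[off:off + rdlen])); off += rdlen
    return txid, qname, qtype, records

def accept_reply(pending, src_port, msg):
    # pending = {'txid', 'port', 'qname', 'qtype', 'zone'} of the outstanding query
    # (illustrative field names). Returns records safe to cache, or None to drop the reply.
    txid, qname, qtype, records = parse_reply(msg)
    if (txid, src_port) != (pending["txid"], pending["port"]):
        return None                            # wrong ID or port: a forged race reply
    if (qname, qtype) != (pending["qname"], pending["qtype"]):
        return None                            # answers a question we did not ask
    zone = pending["zone"]                     # bailiwick rule: drop out-of-zone records
    return [r for r in records if r[0] == zone or r[0].endswith("." + zone)]
```

A reply that passes every check still only yields records for the zone that was actually queried, so a forged additional record for some other domain is never cached even when the ID and port guesses happen to be right.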