There are a number of ways to tamper with name resolution on the internet. One such attack is DNS spoofing, in which a forged IP address is returned for a domain name. Here you will learn how it is done, what it is designed to do, the different methods used for this kind of attack, and how you can protect yourself against it.

The basis: the Domain Name System (DNS)

The Domain Name System (DNS) is a distributed system used worldwide for translating internet domain names into IP addresses. The DNS returns the IP address that is assigned to a specific domain name. This process is referred to as name resolution.

For name resolution to work, the IP address of a DNS server must be stored on each device. The device sends its DNS request to this server, which performs the name resolution and returns a response. If no DNS server has been stored on the device, the one configured on the local router is used automatically.


What is DNS spoofing?

The term spoofing means “deception” or “forgery”. DNS spoofing refers to a variety of situations in which DNS name resolution is tampered with, specifically so that a forged IP address is returned for a domain name. As a result, the device establishes a connection to the forged IP address and its data traffic is redirected to a fake server. Here is an example:

                DNS server request   Returned IP address
Normal state    'example.com'        '93.184.216.34'
DNS spoofing    'example.com'        '192.0.2.34' (example)

Since name resolution largely takes place in the background, the victim usually does not notice the tampering. A particularly insidious characteristic of DNS spoofing is that the correct domain name is still displayed in the browser.

How does DNS spoofing work?

DNS spoofing is a collective term for a variety of attack methods. The different methods are described below. The following diagram explains the basics of DNS spoofing.

  • d1. The client (e.g. the browser on the device) first requests the IP address for the host name example.com from the DNS server.
  • d2. The client receives a response to the request, but it contains a forged IP address. The connection to the actual server for example.com is not established.
  • h1. Instead, the client sends its request to the malicious host behind the forged IP address.
  • h2. The malicious host returns what appears to be a legitimate website page to the client. However, the malicious host has no valid security certificate for the domain name, which makes the attack visible on an encrypted connection.
  • (A, B, C): These are the different attack points for DNS spoofing: the client side or local router, the network connection, and the DNS server.

Targets of DNS spoofing

DNS spoofing is primarily used by attackers to carry out attacks, usually to steal sensitive user data. However, legitimate companies also resort to DNS spoofing from time to time. It is a known fact that some internet service providers (ISPs) have used DNS spoofing to enforce censorship and for advertising purposes.

What do attackers use DNS spoofing for?

Attackers use DNS spoofing for phishing and pharming attacks with the goal of intercepting sensitive user data. DNS spoofing makes the victim believe that they have ended up on a legitimate domain and exploits that trust to get the victim to hand over data or install malware on their own system.

What do internet service providers use DNS spoofing for?

Most people are unaware that they are using a DNS server belonging to their internet service provider. This server is normally preconfigured in the local router. As a result, every DNS request is under the control of the internet service provider.

For example, internet service providers can deliberately rig their DNS tables to implement state censorship requirements. In many countries, this is done to prevent users from accessing file-sharing or porn domains. If a user tries to access a blocked domain, they are redirected to a warning page instead. However, these restrictions can be circumvented with minimal effort by using an uncensored DNS server.

They use the same trick (i.e. redirecting the user to a different page when certain domains are accessed) to collect user data for advertising purposes. Internet service providers use DNS hijacking to redirect the user to a specific page when they enter a non-existent or misspelled domain. This page may display advertisements or build user profiles that are then sold at a profit.

What threats does DNS spoofing pose?

The DNS is a fundamentally useful technology. Nearly every connection uses it for name resolution. In other words, DNS spoofing can affect every single connection established by the client. Whether the victim is accessing a website or sending an email: if the IP address of the server in question is spoofed, an attacker can access their data.

DNS spoofing poses the following risks in particular:

  • Confidential data theft: Spear phishing and pharming attacks are used to steal sensitive data such as passwords. These methods are often used to break into computer systems or for various scams.
  • System malware infection: The victim is tricked into installing malware on their own system. This opens the door to further attacks and extensive espionage.
  • Collection of comprehensive user profiles: Personal data is collected in the process and then sold or used for additional targeted spear phishing attacks.
  • May pose a persistent threat: If a malicious DNS server is set up on the system, communication is compromised from that point on. Even temporary fake DNS responses may remain in the cache and can cause damage over a longer period.

Here is a concrete example. A wave of DNS spoofing attacks occurred in the spring of 2020 during the COVID-19 pandemic. It involved router hijacking, in which a malicious IP address is entered as the DNS server on the router. The attack was made possible by insecurely configured admin access on the router. Victims were suddenly shown a warning that was allegedly from the World Health Organization. It said that they were about to install a COVID-19 information app. In reality, the software was Trojan malware. If a trusting victim installed the Trojan, it searched the local system and tried to access sensitive data. The goal was to build a comprehensive profile that could be used in future spear phishing attacks against the victim. The intercepted data included the following:

  • Cookies (browser)
  • Browsing history
  • Payment information (browser)
  • Saved login information (browser)
  • Saved form information (browser)
  • Cryptocurrency wallets
  • All text files on the device
  • Databases for two-factor authentication (2FA)

Types of DNS spoofing

The following three attack types refer to the diagram above (A-C).

Type (A): attack on the client or local router

This type of DNS spoofing attack involves malicious tampering on the local device or home router. To the victim, everything seems fine at first. The device connects to the DNS server as usual. However, malicious IP addresses may be returned for the requested host names.

With this kind of attack, the threat remains until the tampering has been corrected. Nevertheless, the attacker needs an attack vector in order to tamper with anything. This can be a technical factor, such as open admin access, a weak password, or something in a similar vein. An attacker can also use social engineering to trick the victim into making the change themselves in good faith.

Changing the DNS server on the local system

This DNS spoofing attack, known as a “local hijack”, sets the IP address of the DNS server in the network settings of the local device to a malicious address.

This change can be detected by the victim and easily reversed. However, this form of tampering is often accompanied by malware which restores the malicious entry if the victim changes it back.

Tip

Use the online tool WhoismyDNS to check whether you have fallen victim to this type of DNS spoofing.

Tampering with the hosts file on the local system

Most operating systems use a “hosts” file that allows name resolution for certain domains to be performed on the local system. If a malicious entry is placed in this file, data traffic is redirected to a server controlled by the attacker.

This type of tampering is permanent. However, it can easily be detected by an experienced victim. To fix the problem, all you need to do is correct the hosts file.
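As an added illustration (not code from the original article or from IONOS), the following Python script parses a hosts file in the standard format and flags every entry that maps a public-looking name to something other than a loopback address, which is exactly what a tampered hosts file looks like. The sample hosts content, the loopback-name set and the trusted-suffix list are constructed assumptions for this example; 192.0.2.34 is a documentation address standing in for an attacker-controlled server.

```python
import ipaddress

# Constructed sample hosts file: the first two lines are the normal loopback
# entries, the third maps a public domain to a routable address (192.0.2.0/24
# is a documentation range used here as a placeholder), the fourth is a
# legitimate private-network override, and the last line is commented out.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.34      example.com www.example.com
10.0.0.5        intranet.local
# 203.0.113.7   commented.out.example
"""

# Names that legitimately point at loopback in a stock hosts file (assumed list).
LOOPBACK_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, [names]) for every active entry; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not a valid address: ignore the line
        entries.append((ip, fields[1:]))
    return entries


def suspicious_entries(text, trusted_suffixes=(".local", ".localdomain")):
    """Return (ip, name) pairs that override a public-looking name with a
    non-loopback address. Private addresses are tolerated only for names under
    the trusted suffixes (assumed to be the user's own internal names)."""
    flagged = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name in LOOPBACK_NAMES or ip.is_loopback:
                continue
            if ip.is_private and name.endswith(trusted_suffixes):
                continue
            flagged.append((str(ip), name))
    return flagged


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

To check a real system, read the actual file (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows) into `suspicious_entries` instead of the constructed sample; any hit for a domain you never added yourself is worth investigating.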

Hijacking the local router

The IP address of the internet service provider’s DNS server is set on the local router by default. In a “router hijack”, this is replaced by a malicious address. This attack poses a threat to all data traffic passing through the router. Since there are usually multiple devices in a household that use the router to establish their connections, several parties can fall victim to the attack.

Many users are unaware that they can configure their router themselves. So this attack often remains undetected for a long time. If any problems occur later, the victims are more likely to suspect their own device than the router. Therefore, it is well worth considering that the router might be the source of the error in the event of any strange problems.

Tip

Use the F-Secure Router Checker to check whether you have fallen victim to this type of DNS spoofing.

Type (B): attack on the DNS server’s response

This type of DNS spoofing is a man-in-the-middle attack. The attacker pretends to be the victim’s DNS server and sends them a malicious response. This type of attack works because conventional DNS traffic is sent unencrypted and unauthenticated over the User Datagram Protocol (UDP). There is no way for the victim to verify the authenticity of the DNS response.

Other kinds of attacks such as ARP spoofing and MAC spoofing can be used to gain the necessary position in the local network. The use of encryption technologies protects against many man-in-the-middle attacks.

Type (C): attack on the DNS server

This type of DNS spoofing attack targets a legitimate DNS server and can affect a large number of users. It is a high-level type of attack, as multiple security mechanisms usually have to be overcome to compromise the server.

Poisoning the DNS cache on the server

DNS servers are arranged in hierarchies and communicate with one another. An attacker can use IP spoofing to pretend to be one of these servers and trick a server into accepting a false IP address for a domain. The server stores the malicious entry in its cache, which is now “poisoned”.

Any request to the server after the cache has been poisoned results in the malicious entry being returned to the victim. The threat remains until the entry is removed from the cache. The DNSSEC extension serves as a server-side security mechanism. It can be used to secure server communication within the DNS.

Tip

Use the Domain Guard from IONOS to protect your domain from any tampering.

Hijacking a DNS server

This type of attack, also known as a “rogue hijack”, is probably the most complex kind of DNS attack. It involves an attacker taking control of a legitimate DNS server. Once the server is compromised, even the most current DNS encryption provides no protection, because the forged answers now come from the legitimate source. However, encryption of the connection content (e.g. HTTPS) should at least alert the victim to the attack.

How to protect yourself from DNS spoofing

As you can see, DNS spoofing is a serious threat. Fortunately, there are a number of simple measures you can take that provide effective protection against DNS spoofing.

Using encryption to protect against DNS spoofing

Encryption methods generally offer two key advantages:

  1. Data is protected from unauthorized access by third parties
  2. The authenticity of the communicating party is ensured

The latter point is critical in the fight against DNS spoofing. If an attacker tries to pretend to be a legitimate host, this results in a certificate error on the user’s side and the spoofing attempt is detected.

Using transport encryption

For a basic level of security, you should secure as many connections as possible using the common transport encryption methods. Preferably, websites should be accessed in the browser using HTTPS. The popular browser add-on HTTPS Everywhere secures connections to websites that transfer content over both HTTP and HTTPS. You should also make sure that the connections configured in your email client (e.g. IMAP, POP3, and SMTP connections) use secure protocols such as TLS and SSL.

If your connections are secured by transport encryption, you should at least be able to detect a DNS spoofing attack. Since the malicious host does not have the security certificate that the real host would have, the browser and email client issue an alert when the connection is established. This gives you a chance to terminate the connection and implement additional security measures.

Encrypting DNS traffic

While transport encryption secures your data transfer, the connection to the DNS server is still vulnerable and is considered to be the weakest link. However, there are dedicated solutions for encrypting DNS requests on the user side. The most notable of these are DNSCrypt, DNS over HTTPS (DoH), and DNS over TLS (DoT). All of these technologies provide protection against dangerous man-in-the-middle attacks. However, none of these three solutions comes pre-integrated with any standard operating system in a way that is suitable for the mass market. Furthermore, the DNS server must also support the respective security technology for DNS encryption to work.
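The following Python code is an added example (not from the original article) that serves both the description of the man-in-the-middle attack on the DNS response under Type (B) and the section on encrypting DNS traffic above. It builds a DNS query for example.com in wire format together with a genuine answer and two spoofed answers, all constructed here, and shows that a client speaking plain DNS over UDP can only check the 16-bit transaction ID, the response bit and the echoed question, so a spoofed reply that guesses the ID is accepted like the real one. It then packs the identical query into the GET form of DNS over HTTPS (RFC 8484), where the request is carried inside an authenticated, encrypted HTTPS connection. Cloudflare's published dns-query endpoint is the assumed resolver URL; the transaction IDs and the 192.0.2.34 address are placeholders.

```python
import base64
import struct

# Added example, not code from the original article: constructed DNS messages
# for example.com and the checks a stub resolver can make on a UDP response.


def encode_name(name):
    """Encode a host name as DNS wire-format labels (length byte + label)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard recursive query; qtype 1 = A record, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(txid, name, ip, ttl=300):
    """Response carrying one A record for name -> ip (flags: QR, RD, RA)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the name in the question (offset 12)
    record = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + record


def response_matches_query(query, response):
    """Everything a plain UDP stub resolver can verify: the 16-bit transaction
    ID matches, the QR (response) bit is set, and the question is echoed back.
    Nothing here proves who actually sent the packet."""
    if len(query) < 12 or len(response) < 12:
        return False
    (q_id,) = struct.unpack("!H", query[:2])
    r_id, r_flags = struct.unpack("!HH", response[:4])
    if q_id != r_id or not r_flags & 0x8000:
        return False
    question = query[12:]
    return response[12:12 + len(question)] == question


def first_a_record(response):
    """Return the IPv4 address in the first A record of the answer section."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    pos = 12
    for _ in range(qdcount):
        while response[pos] != 0:            # skip the question name
            pos += 1 + response[pos]
        pos += 1 + 4                         # root label, qtype, qclass
    for _ in range(ancount):
        if response[pos] & 0xC0 == 0xC0:     # compressed name: 2-byte pointer
            pos += 2
        else:
            while response[pos] != 0:
                pos += 1 + response[pos]
            pos += 1
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ".".join(str(b) for b in response[pos:pos + 4])
        pos += rdlen
    return None


def classify(query, response):
    """What the client does with a response: reject it, or accept its address."""
    if not response_matches_query(query, response):
        return "rejected"
    return "accepted " + (first_a_record(response) or "<no A record>")


def doh_get_url(query, resolver="https://cloudflare-dns.com/dns-query"):
    """RFC 8484 GET form: the same wire-format query, base64url-encoded without
    padding, sent over HTTPS so an on-path attacker can neither read nor
    replace it. The ID is zeroed as RFC 8484 recommends for cacheability."""
    body = b"\x00\x00" + query[2:]
    return resolver + "?dns=" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()


# Constructed messages: placeholder transaction IDs, 192.0.2.34 stands in for
# an attacker-controlled address.
QUERY = build_query(0x1234, "example.com")
GENUINE = build_answer(0x1234, "example.com", "93.184.216.34")
SPOOFED_WRONG_ID = build_answer(0x4321, "example.com", "192.0.2.34")
SPOOFED_RIGHT_ID = build_answer(0x1234, "example.com", "192.0.2.34")

if __name__ == "__main__":
    for label, resp in [("genuine", GENUINE), ("spoofed, wrong ID", SPOOFED_WRONG_ID),
                        ("spoofed, guessed ID", SPOOFED_RIGHT_ID)]:
        print(f"{label:20s} -> {classify(QUERY, resp)}")
    print("DoH GET:", doh_get_url(QUERY))
```

The third case is the whole problem in miniature: once the ID matches, the client has nothing left to check, which is why the protections in this section move the query into an authenticated channel (DoH, DoT, DNSCrypt) or sign the data itself (DNSSEC) rather than trying to make plain UDP responses harder to forge.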

Using a virtual private network

In addition to transport encryption and securing the connection to the DNS server, using a virtual private network (VPN) can also help to protect against DNS spoofing. When using a VPN, all connections are routed through an encrypted tunnel. However, keep in mind that the IP address of a DNS server can still be stored in most VPN programs. If this is a malicious address, the VPN’s protection against DNS spoofing is rendered ineffective.

If you don’t want to invest a lot of time in choosing a VPN provider, you can use the free Warp app from Cloudflare. It provides VPN functionality and DNS encryption over Cloudflare’s public DNS resolver network 1.1.1.1 (see below for more information).

In addition to the added security, it has an extremely user-friendly interface. The app is currently available on mobile devices and will also be available on Windows and macOS desktop computers in the future.

Using a public DNS resolver network

One of the most effective security measures you can take against DNS spoofing is using a public DNS resolver. The setup is simple enough for practically any user to configure on their own device. All you have to do is change the DNS server entered on your system. For example, you can use the resolver network provided by the non-profit organization Quad9, which bears the same name.

Using a public DNS resolver provides the following advantages:

  • High-speed DNS responses: Large DNS resolver networks operate dozens of servers around the world. Thanks to Anycast routing, the physically closest server is always used for name resolution, which is reflected in short response times.
  • High level of data protection and anonymity: Many internet service providers sell the data generated by their customers’ DNS traffic. The popular public resolvers generally store little to no user data, offering a high level of data protection and anonymity.
  • Does not enforce censorship measures: State censorship regulations are only valid within national borders. Internet service providers usually operate within their customers’ country of residence and are required to enforce state censorship. However, a resolver network based abroad can offer its services worldwide without having to consider state-mandated censorship.
  • Supports modern security standards: Large public DNS resolver networks specialize in responding to DNS requests. They are often trailblazers in adopting modern security standards, such as DNSSEC, DoH, DoT, and DNSCrypt.
  • Blocks malicious domains: Using a public DNS resolver network can also help protect against malware and phishing, as these resolvers keep blacklists of known malicious domains. Attempting to access these domains results in the user being redirected to a warning page.

The following table provides an overview of popular public DNS resolver networks. In keeping with convention, each resolver network is configured redundantly over two IP addresses. If the first of the two servers is not available, the second one is used. Some resolver networks offer additional IP addresses which can be used to activate additional functions such as the protection of minors.

Resolver network        Content filtering                                               Data protection            IP address of the name server
Quad9                   Filters malicious domains                                       Does not store user data   9.9.9.9 and 149.112.112.112
Cloudflare DNS Family   Filters malicious domains plus provides protection for minors   Does not store user data   1.1.1.3 and 1.0.0.3
Cloudflare DNS          No filtering                                                    Does not store user data   1.1.1.1 and 1.0.0.1
DNS.watch               No filtering                                                    Does not store user data   84.200.69.80 and 84.200.70.40

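As an added example (not from the original article or from IONOS), this Python script audits the name servers configured in a resolv.conf-style file against the public resolver addresses listed in the table and reports everything else: a private RFC 1918 address is most likely the local router, whose own DNS setting then needs checking as described under router hijacking, and an unfamiliar public address deserves a closer look before it is trusted. The sample configuration is constructed (198.51.100.53 is a documentation address standing in for an unexpected resolver), and the classification strings are this example's own.

```python
import ipaddress

# Public resolver addresses from the table (primary and secondary for each).
KNOWN_PUBLIC_RESOLVERS = {
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
    "1.1.1.3": "Cloudflare DNS Family", "1.0.0.3": "Cloudflare DNS Family",
    "1.1.1.1": "Cloudflare DNS", "1.0.0.1": "Cloudflare DNS",
    "84.200.69.80": "DNS.watch", "84.200.70.40": "DNS.watch",
}

# RFC 1918 ranges, checked explicitly rather than via is_private so that
# documentation ranges like 198.51.100.0/24 are not mistaken for the LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in resolv.conf syntax: the router, a listed public
# resolver, and an address the user never configured (documentation range).
SAMPLE_RESOLV_CONF = """\
# Generated by the system
nameserver 192.168.1.1
nameserver 9.9.9.9
nameserver 198.51.100.53
options timeout:2
"""


def configured_nameservers(text):
    """Return the 'nameserver' addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                pass                       # malformed line: ignore
    return servers


def classify_resolver(ip):
    """Label one configured resolver address for the audit report."""
    key = str(ip)
    if key in KNOWN_PUBLIC_RESOLVERS:
        return "known public resolver: " + KNOWN_PUBLIC_RESOLVERS[key]
    if ip.is_loopback:
        return "local stub resolver (check what it forwards to)"
    if any(ip in net for net in RFC1918):
        return "private address, probably the local router (check the DNS setting there too)"
    return "unknown address: confirm it is really your ISP's resolver"


def audit(text):
    """(address, verdict) for every configured name server."""
    return [(str(ip), classify_resolver(ip)) for ip in configured_nameservers(text)]


def unexpected_resolvers(text):
    """Only the addresses that are neither a listed public resolver nor local/private."""
    return [str(ip) for ip in configured_nameservers(text)
            if str(ip) not in KNOWN_PUBLIC_RESOLVERS
            and not ip.is_loopback
            and not any(ip in net for net in RFC1918)]


if __name__ == "__main__":
    for address, verdict in audit(SAMPLE_RESOLV_CONF):
        print(f"{address:16s} {verdict}")
```

On a real system, feed the script the contents of /etc/resolv.conf (or the output of the equivalent `ipconfig /all` section on Windows) and compare the result with what the router's admin page reports; the two should agree, and both should be addresses you recognize.
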
Summary

DNS spoofing poses a serious threat. Using a combination of encryption technologies and public DNS resolver networks provides robust security.
