DNS poisoning, also known as DNS spoofing, is one of the most common domain name system (DNS) attacks out there today. The attack is used by hackers looking to infiltrate enterprises of all sizes and gain access to sensitive data, including user login credentials, financial details, and email exchanges. Clearly, it’s crucial that managed services providers (MSPs) understand how this threat typically occurs, and the steps they can take to prevent DNS poisoning. To fully understand how DNS spoofing occurs and ways to protect against it, it’s important to first understand DNS as a whole.
What is DNS?
The domain name system, or DNS, is a hierarchical naming system for computers, services, and other internet resources. Essentially, it’s the phonebook of the internet. For every domain name there’s a corresponding set of 10 or so numbers that comprise the domain name’s IP address. Straightforward, reader-friendly domain names were created so users wouldn’t have to remember complicated IP addresses for every website they visit. It is the responsibility of DNS to pair domain names with IP addresses so users can reach websites. Here’s how the process works:
- Every time you enter a domain name, your system first checks its own domain to see whether the website you are searching for is hard-coded locally. For example, if you work for Google, gmail.com would already be coded into your system. This would make your system the authoritative name server for that particular address. More often than not, you are searching for IP addresses outside of your domain.
- Next, the DNS resolver will check its own cache of IP addresses for a match. Think of the cache as a historical database of previously searched domain names and IP addresses. Cached addresses typically have a limited lifespan of a few hours. This lifespan is called the time to live, or TTL.
- When no address is found in the cache, the DNS resolver queries other DNS servers to see if they can identify the correct IP address or locate the authoritative name server for that particular domain. Communication between DNS servers is constant and results in the quick identification of IP addresses, allowing users to navigate the web with little interruption.
What is a DNS poisoning attack?
A DNS poisoning attack, also known as a DNS spoofing attack, is when attackers infiltrate the DNS query process to redirect users to fake websites. These fake websites are run by the attacker and can often look remarkably like the real thing, luring unsuspecting users to enter highly sensitive data, like credit card numbers and login credentials, or inadvertently download viruses and other forms of malware.
This type of attack is considered DNS cache poisoning because the illegitimate IP address lives in the cache of the server. Attackers can even manipulate the TTL so that their fake websites live in the cache beyond the typical cache lifespan of a few hours. The risk involved with cache poisoning goes beyond the DNS server that was originally infected. Any DNS server that queries the infected server and receives the imitation IP address for a specific website is at risk.
For example, if a DNS server starts unknowingly directing its customers to a fake banking website using a scam IP address it picked up, other DNS servers that pick up the IP address of the bank from the poisoned DNS server will also receive the corrupted address, thus exposing their customers to the attackers.
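The three resolution steps above (local entries, cache within TTL, then other servers) and the TTL concern from the poisoning section are easiest to see in a small resolver cache. The following is an added example written for this article, not code from the original post or from any DNS software; the `hosts` dictionary, the `upstream()` callback, the addresses and the 300-second cap are all constructed for illustration. It goes one step beyond the text by clamping the TTL of every stored answer, which is how resolvers bound how long a record with an inflated TTL can stay cached.

```python
import time

# Constructed ceiling for this example: no record may stay cached longer than
# this, whatever TTL the answer carries. Production resolvers expose such a
# limit as a configuration setting.
MAX_TTL_SECONDS = 3600


class ResolverCache:
    """Minimal positive cache mapping a name to (address, expiry time)."""

    def __init__(self, max_ttl=MAX_TTL_SECONDS, clock=time.time):
        self.max_ttl = max_ttl
        self.clock = clock          # injectable so the example can fast-forward time
        self._entries = {}

    def store(self, name, address, ttl):
        # Clamp the TTL: an answer carrying an inflated TTL is cached for at
        # most max_ttl seconds, which bounds how long a bad record can persist.
        ttl = max(0, min(int(ttl), self.max_ttl))
        self._entries[name.lower()] = (address, self.clock() + ttl)

    def lookup(self, name):
        """Return the cached address, or None if absent or expired."""
        key = name.lower()
        entry = self._entries.get(key)
        if entry is None:
            return None
        address, expiry = entry
        if self.clock() >= expiry:
            del self._entries[key]  # expired: drop it and force a fresh query
            return None
        return address


def resolve(name, cache, hosts, upstream):
    """Follow the three steps described in the text.

    Returns (address, source) where source is "hosts", "cache" or "upstream".
    `upstream(name)` stands in for querying other DNS servers and must return
    (address, ttl).
    """
    name = name.lower()
    if name in hosts:                       # step 1: locally defined names
        return hosts[name], "hosts"
    cached = cache.lookup(name)
    if cached is not None:                  # step 2: cache hit within TTL
        return cached, "cache"
    address, ttl = upstream(name)           # step 3: ask other servers
    cache.store(name, address, ttl)
    return address, "upstream"


def demo():
    """Walk through resolution with a controllable clock; returns the sources used."""
    now = [1000.0]
    cache = ResolverCache(max_ttl=300, clock=lambda: now[0])
    hosts = {"intranet.example": "10.0.0.5"}            # constructed local entry
    # Constructed upstream answers: name -> (address, ttl). The second record
    # carries a one-week TTL, which the clamp reduces to 300 seconds.
    answers = {
        "www.example": ("192.0.2.10", 60),
        "bank.example": ("192.0.2.20", 604800),
    }
    upstream = lambda name: answers[name]

    trace = [resolve("intranet.example", cache, hosts, upstream)[1]]   # hosts
    trace.append(resolve("www.example", cache, hosts, upstream)[1])    # upstream
    trace.append(resolve("www.example", cache, hosts, upstream)[1])    # cache
    now[0] += 61                                                        # 60 s TTL lapses
    trace.append(resolve("www.example", cache, hosts, upstream)[1])    # upstream again
    trace.append(resolve("bank.example", cache, hosts, upstream)[1])   # upstream, TTL clamped
    now[0] += 301                                                       # past the clamp
    trace.append(resolve("bank.example", cache, hosts, upstream)[1])   # refreshed, not stale
    return trace


if __name__ == "__main__":
    print(demo())
```

Running the module prints the list of sources used for each lookup. The point of the clamp is visible in the last two lookups: even though the upstream answer for bank.example claimed a one-week TTL, the cache re-queries after 300 seconds, so a record that should not be there is evicted on the resolver's schedule rather than the record's own.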
Can DNS be hacked?
Your DNS server is considered hacked when an attacker has found their way into your router and gained control of your DNS settings. This is known as a form of man-in-the-middle attack and can happen if a user unknowingly downloads malware.
A hacker with control of your DNS settings is able to manipulate your system so that, instead of querying secure DNS servers, it queries the hacker’s server and leads you to a host of imitation sites. Similar to DNS poisoning, this can lead users to unwittingly put their banking details or login and password credentials in the hands of attackers.
A hacker with control of your DNS settings also has the ability to redirect users to fake sites that convince the user they have downloaded a virus, even if they actually haven’t, and trick them into buying the hacker’s software to remove it. The scariest part about all of this? By the time a user realizes their DNS server has been compromised by an attacker, it’s often too late.
How does a DNS attack work?
Attackers prey on DNS vulnerabilities and take advantage of the constant communication between DNS servers to execute an attack. The goal of a DNS attack is to direct users to an IP address of the hacker’s choosing. Sometimes it’s to an imitation website, as in the case of DNS spoofing. Other times it’s to a targeted website that the attacker knows is unprepared to handle a large, sudden increase in traffic. This unexpected onslaught of visitors causes the targeted website to crash, a form of distributed denial of service (DDoS) attack.
There are a number of ways an attacker can find their way into your DNS system, including:
- Forged Responses: Attackers will often develop imposter DNS servers that attempt to submit the IP address of a fake website in response to a query before a legitimate DNS server has the opportunity to do so. If their address is accepted first, the user is then led to the hacker’s server and imitation websites.
- Weak Passwords: A U.K. study of 2,205 people found that a shocking 82% had never changed the default password on their wireless router. Default passwords, or passwords with little to no variation (no mix of numbers, special characters, and letters), give attackers the opportunity to easily crack into a router and gain access to the DNS settings.
- Spam Emails: Attackers will send spam emails laden with fear-inducing language designed to manipulate users into clicking on certain URLs. When these infected URLs are clicked, the hacker is able to infect the system with code that points its DNS requests at untrustworthy servers.
- Banner Ads and Images: Just like in spam emails, an attacker can use fake banner ads and images on websites to trick users into clicking on them, thus opening the door for DNS poisoning to occur.
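The forged-response technique works only if the resolver accepts whatever reply arrives first, so the defence is to make replies hard to guess and to check every field before trusting one. The following is an added example illustrating that check, not code from the original article or from any resolver; the wire-format helpers are a minimal subset of the DNS message format, the server address `192.0.2.53` is constructed, and `blind_guess_space()` is an illustrative count assuming source ports drawn from 1024-65535. It pairs a cryptographically random transaction ID (from `secrets`) with a validation routine that rejects replies whose ID, sender, or question section does not match the outstanding query.

```python
import secrets
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a hostname in DNS label format (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A):
    """Build a recursive query whose transaction ID comes from a CSPRNG.

    Returns (txid, packet). The caller records txid, the question and the
    server it sent the packet to, and checks all three on any reply.
    """
    txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(txid, name, qtype=QTYPE_A):
    """Answerless reply (header + echoed question) used only to exercise the checks."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)  # QR=1, RD=1, RA=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header_and_question(packet):
    """Parse the 12-byte header and the first question; raises on bad input."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"txid": txid, "flags": flags, "qdcount": qdcount,
            "qname": ".".join(labels).lower(), "qtype": qtype, "qclass": qclass}


def accept_response(packet, expected, sender, expected_sender):
    """Decide whether a reply may be used. Returns (accepted, reason).

    `expected` holds the txid/qname/qtype recorded when the query was sent;
    `sender` is the (ip, port) the reply came from; `expected_sender` is the
    server the query went to.
    """
    if sender != expected_sender:
        return False, "reply did not come from the server we queried"
    try:
        hdr = parse_header_and_question(packet)
    except (IndexError, struct.error, UnicodeDecodeError, ValueError):
        return False, "malformed packet"
    if hdr["txid"] != expected["txid"]:
        return False, "transaction ID mismatch"
    if not hdr["flags"] & 0x8000:
        return False, "QR bit not set; this is a query, not a reply"
    if (hdr["qdcount"] != 1 or hdr["qname"] != expected["qname"].lower()
            or hdr["qtype"] != expected["qtype"] or hdr["qclass"] != QCLASS_IN):
        return False, "question section does not echo our query"
    return True, "accepted"


def blind_guess_space(randomized_source_port):
    """Number of (txid, port) combinations a blind forger would have to cover.

    With a fixed source port only the 16-bit ID is unknown; drawing the source
    port from 1024-65535 multiplies the space by 64512 (illustrative figure).
    """
    return (1 << 16) * (64512 if randomized_source_port else 1)


def demo():
    """Exercise the checks against a genuine reply and four bad ones."""
    server = ("192.0.2.53", 53)                     # constructed upstream server
    txid, _query = build_query("www.example.com")
    expected = {"txid": txid, "qname": "www.example.com", "qtype": QTYPE_A}
    genuine = build_response(txid, "www.example.com")
    wrong_id = build_response((txid + 1) & 0xFFFF, "www.example.com")
    wrong_q = build_response(txid, "mail.example.com")
    return {
        "genuine": accept_response(genuine, expected, server, server)[0],
        "wrong_txid": accept_response(wrong_id, expected, server, server)[0],
        "wrong_sender": accept_response(genuine, expected, ("198.51.100.7", 53), server)[0],
        "wrong_question": accept_response(wrong_q, expected, server, server)[0],
        "truncated": accept_response(genuine[:8], expected, server, server)[0],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'accepted' if result else 'rejected'}")
```

The checks are only as strong as the unpredictability of what they compare against: a resolver that uses sequential IDs or a fixed source port still performs the same comparisons, yet a forger has far fewer values to cover, which is exactly why the "DNS Updates" advice below stresses port randomization and cryptographically secure transaction IDs.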
Protecting against a DNS attack
There are a number of DNS security best practices out there to help you ward off attackers and keep your customers’ systems safe and secure. Since DNS servers are in constant communication with one another, the more companies that implement these best practices, the greater protection there is as a whole. Here are the most important steps you should be taking to prevent DNS poisoning:
- Security Extensions: The Internet Engineering Task Force (IETF) developed DNS Security Extensions (DNSSEC) to address security threats against DNS. This is widely considered one of the greatest measures of defense out there. DNSSEC relies on digital signatures and public-key cryptography to verify that DNS data is authentic and has not been altered.
- Active Monitoring: It’s important to monitor DNS data and keep an eye out for new patterns, like the appearance of a new external host, that could indicate the presence of an attacker.
- Patches: DNS servers are subject to vulnerabilities. Staying on top of the latest patches can safeguard against attackers looking to exploit these well-known vulnerabilities.
- DNS Updates: Updated versions of DNS software come equipped with port randomization and cryptographically secure transaction IDs to help defend against DNS attacks. Always make sure the server you are using is up to date.
- Password Policies: Convincing your customers to implement password protection policies is of utmost importance. A weak router password could put every device and user within their company in jeopardy.
- HTTPS Indicators: The HTTPS indicator should be in the browser address bar at all times. This lets you know that the site is valid. If the HTTPS indicator comes and goes, it could signal the beginning of an attack.
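The "Active Monitoring" item above is concrete enough to turn into detection logic. What follows is an added example written for this article, not code from the original post or from any monitoring product: the log line format, the approved resolver addresses, the baseline address ranges, and the sample log are all constructed. It flags the two patterns the article describes, a client sending queries to a resolver that was never approved (the changed-DNS-settings case) and a watched name resolving to an address outside its known range (the poisoned-cache case).

```python
import ipaddress
import re

# Constructed baseline for this example. In practice it is built from the
# environment's own historical DNS logs and kept current as infrastructure changes.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
KNOWN_ANSWERS = {
    "bank.example": [ipaddress.ip_network("203.0.113.0/24")],
    "mail.example": [ipaddress.ip_network("198.51.100.0/26")],
}

# Constructed log format: one resolver-side record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) server=(?P<server>\S+) "
    r"qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)

# Constructed sample log. Line 3 returns an address for bank.example outside
# the baseline network; line 4 shows a client sending queries to a server that
# is not one of the approved resolvers.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z client=10.0.0.12 server=10.0.0.53 qname=bank.example answer=203.0.113.10
2024-03-01T09:00:05Z client=10.0.0.12 server=10.0.0.53 qname=www.example answer=192.0.2.7
2024-03-01T09:01:12Z client=10.0.0.31 server=10.0.0.53 qname=bank.example answer=192.0.2.99
2024-03-01T09:02:40Z client=10.0.0.44 server=198.51.100.200 qname=mail.example answer=198.51.100.9
""".splitlines()


def parse_line(line):
    """Return the record fields as a dict, or None if the line does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def analyze(lines, approved_resolvers=APPROVED_RESOLVERS, known_answers=KNOWN_ANSWERS):
    """Scan log lines and return a list of alert tuples, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparseable", line.strip()))
            continue
        # Check 1: queries leaving for a resolver nobody approved point at
        # changed DNS settings on the client.
        if rec["server"] not in approved_resolvers:
            alerts.append(("unapproved_resolver", rec["client"], rec["server"]))
        # Check 2: a watched name resolving outside its known address range
        # is the pattern a poisoned cache produces.
        name = rec["qname"].lower().rstrip(".")
        networks = known_answers.get(name)
        if networks and rec["answer"] != "-":
            try:
                addr = ipaddress.ip_address(rec["answer"])
            except ValueError:
                alerts.append(("bad_answer_field", name, rec["answer"]))
                continue
            if not any(addr in net for net in networks):
                alerts.append(("unexpected_answer", name, rec["answer"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The baseline is the important design choice: check 2 only fires for names you have deliberately listed, so it stays quiet for the ordinary churn of content-delivery addresses while still catching a banking or mail domain suddenly pointing somewhere new. Names not in the baseline (www.example in the sample) produce no alert, and a record whose answer field is not an address is reported separately rather than silently skipped.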
DNS poisoning, man-in-the-middle schemes, and DDoS tactics are just a few of the many DNS attacks out there. It’s important to stay on top of these cybersecurity threats and the latest risk-mitigation techniques.