Most of your communication on the Internet will involve DNS, or Domain Name Service. DNS is what translates the domain names you and I understand (like www.ChuckEasttom.com) into IP addresses that computers and routers understand. DNS poisoning uses one of several techniques to compromise that process and redirect traffic to an illicit site, often for the purpose of stealing personal information.
Here is one scenario whereby an attacker might execute a DNS poisoning attack:
First the attacker creates a phishing website. It spoofs a bank that we will call ABC Bank. The attacker wants to lure users there so he can steal their passwords and use those on the real bank website.
Since many users are too smart to click on links, he will use DNS poisoning to trick them.
The attacker creates his own DNS server. (Actually, this part is relatively easy.) Then he puts two records in that DNS server. The first is for the ABC Bank website, pointing to his fake site rather than the real bank site. The second entry is for a domain that does not exist. The attacker can search domain registries until he finds one that does not exist. For illustration purposes, we will refer to this as XYZ domain.
Then the attacker sends a request to a DNS server on the target network. That request purports to be from any IP address within the target network and is requesting the DNS server resolve the XYZ domain.
Obviously the DNS server does not have an entry for the XYZ domain since it does not exist. So it begins to propagate the request up its chain of command, eventually to its service provider's DNS server.
At some point in that process the attacker floods the target server with spoofed responses. Each claims to come from the DNS server the target is currently querying, but actually originates from the attacker's own DNS server, and each offers an IP address for the XYZ domain. At that point the hacker's DNS server offers to do a zone transfer, exchanging all its information with the target server. That information includes the spoofed address for ABC Bank. Now the target DNS server has an entry for ABC Bank that points to the hacker's website rather than the real ABC Bank website. Should users on that network type in the URL for ABC Bank, their own DNS server will direct them to the hacker's site.
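The spoofed-response flood described above only works if the target resolver accepts whatever answer arrives first. As an added example (not from the original text, and not any real resolver's code), the Python below implements the checks a resolver applies before caching a reply: the response must come from the address and port the query was sent to, arrive on the randomised source port the resolver used, carry the same transaction ID, echo the original question, and contain only records inside the zone being asked about (the "bailiwick" rule, which is what blocks a smuggled ABC Bank record riding along with an answer for the XYZ domain). All domain names, addresses and ports are constructed for the demonstration.

```python
import struct

# Minimal DNS wire-format helpers (no compression is emitted; pointers are decoded).
def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, offset):
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            return ".".join(labels + [tail]), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def build_response(txid, qname, answers, qtype=1):
    """answers: list of (owner name, IPv4 string); all go in the answer section."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR|RD|RA
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg

def parse_message(data):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        records.append((name.lower(), rtype, data[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "records": records}

def in_bailiwick(name, zone):
    """True if name is the zone apex or lies underneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_response(pending, raw, src, dst_port):
    """pending describes the outstanding query: txid, qname, qtype, server, local_port, zone."""
    if src != pending["server"] or dst_port != pending["local_port"]:
        return False, "addressing mismatch: not from the server we asked, or not to our port"
    msg = parse_message(raw)
    if msg["txid"] != pending["txid"]:
        return False, "transaction ID mismatch"
    if not msg["flags"] & 0x8000:
        return False, "QR bit clear: this is a query, not a response"
    if msg["questions"] != [(pending["qname"].lower(), pending["qtype"], 1)]:
        return False, "question section does not echo our question"
    for owner, _, _ in msg["records"]:
        if not in_bailiwick(owner, pending["zone"]):
            return False, "out-of-bailiwick record for " + owner
    return True, "accepted"

def run_demo():
    # Constructed scenario: the resolver asked a (hypothetical) server for a name in the
    # xyz-example.test zone, using a randomised source port and transaction ID.
    pending = {"txid": 0x3A7F, "qname": "www.xyz-example.test", "qtype": 1,
               "server": ("192.0.2.53", 53), "local_port": 41873,
               "zone": "xyz-example.test"}
    xyz = [("www.xyz-example.test", "203.0.113.10")]
    good = build_response(0x3A7F, pending["qname"], xyz)
    # The expected answer plus an A record for the (hypothetical) bank smuggled in beside it.
    poison = build_response(0x3A7F, pending["qname"],
                            xyz + [("www.abcbank-example.test", "198.51.100.66")])
    cases = {
        "legitimate":       (good, ("192.0.2.53", 53), 41873),
        "wrong_txid":       (build_response(0x0001, pending["qname"], xyz), ("192.0.2.53", 53), 41873),
        "wrong_port":       (good, ("192.0.2.53", 53), 53),     # guessed port 53 instead of ours
        "out_of_bailiwick": (poison, ("192.0.2.53", 53), 41873),
    }
    return {label: accept_response(pending, raw, src, port)[0]
            for label, (raw, src, port) in cases.items()}

if __name__ == "__main__":
    for label, ok in run_demo().items():
        print(f"{label:18s} {'accepted' if ok else 'rejected'}")
```

Only the legitimate reply passes; the three forged variants are dropped without touching the cache. The port and transaction-ID checks are what turn "flood the resolver with guesses" into a search over a space of roughly 2^32 combinations per outstanding query, and the bailiwick check is the one that specifically defeats the trick of answering for XYZ while slipping in a record for ABC Bank.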
This attack, like so many, depends on vulnerabilities in the target system. A properly configured DNS server should never perform a zone transfer with any DNS server that is not already authenticated in the domain. However, the unfortunate fact is that there are plenty of DNS servers that are not properly configured.
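As an added illustration of the configuration point above (not from the original text and not any real server's configuration), here is how the zone-transfer restriction looks in BIND's named.conf. The first fragment is the weak setting that lets any host pull the whole zone; the second is the corrected form, which refuses transfers by default and allows them only to peers that sign their request with a shared TSIG key. The two are alternatives, not meant to be combined in one file. The zone name, key name, key secret, file name and address range are placeholders.

```conf
// WEAK: any host that asks can pull the entire zone (AXFR).
options {
    allow-transfer { any; };
};

// CORRECTED: refuse transfers globally, then permit them per zone only
// to peers that authenticate with a TSIG key. Recursion is limited to
// the internal network so outside hosts cannot use this server at all.
key "transfer-key" {                         // placeholder key name
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET=";    // placeholder; create with tsig-keygen
};

options {
    allow-transfer { none; };
    allow-recursion { 192.0.2.0/24; };       // placeholder internal range
};

zone "abcbank-example.test" {                // placeholder zone
    type primary;                            // "master" on older BIND releases
    file "abcbank-example.test.db";
    allow-transfer { key "transfer-key"; };
};
```

After loading the corrected configuration, an unsigned AXFR request from any address is refused and logged, which is also a useful detection signal: a server that is properly locked down should see zone-transfer attempts only from the secondaries it was told about.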