DNS poisoning is a technique that tricks a DNS server into believing that is has received authentic inforamtion when, in reality, it has not. It results in substitution of a false Ineternet provider address at the domain name service level where web addresses are converted into numeric internet provider addresses. It allows attacker to replace IP address DNS entries for a target site on a given DNS server with IP addresses of the server he/she controls. Attacker can create fake DNS entries for files with same names as that of target server.

The DNS provides a way for computers to translate the domain names we see to the physical IPs they represent. When you load a webpage, your browser will ask its DNS server for the IP of the host you requested, and the server will respond. Your browser will then request the webpage from the server with the IP address that the DNS server supplied.

To launch a DNS poisoning attack, follow these steps:
+ set up a fake website on your computer
+ Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server.
+ Modify the file dns-spoofing.bat and replace the IP address with your IP address.
+ Trojanize the dns-spoofing.bat file and send it
+ When the host clicks the Trojanned file, it will replace DNS-entry in her TCP/IP properties to that of your machine.
+ You will become the DNS server and her DNS requests will go through you

There are four types of DNS poisoning attacks using which you can compromise the target system:

+ Intranet DNS spoofing (local network)
When an attacker performs DNS poisoning on a locl area network (LAN), it is called intranet DNS spoofing. An attacker can perform intranet DNS spoofing attack with the help of the ARP poisoning technique. THis is usually conducted on a swithced LAN. To perform this attack, you must be connected to the LAN and be able to sniff the traffic or packets.
Once the attacker succeds in sniffing the ID of the DNS request from the intranet, he or she can send a malicious reply to the sender before the actual DNS server.

+ Internet DNS spoofing (remote network)
Internet DNS poisoning is also known as remote DNS poisoning. This attack can be performed either on asingle or multiple victims anywhere in the world. In order to perform this attack, you need to set up a rouge DNS server with a static IP address.
Internet DNS spoofing is performed when the victim’s system is connedted to the Internet. It is done with the help of Trojans. It is one of the MITM types of attacks, where the attacker changers the primary DNS entries of the victim’s computer. The attacker replaces the victim’s DNS IP address with the fake IP address that refers t the attacker’s system; thus all traffic will be redirected to the attacker’s machine. Now the aatcker can easily sniff the victim’s confidential information.

+ Proxy server DNS poisoning
In the proxy server DNS posoning technique, tha taattacker changes the proxy server setting of the victim to that of the attacker. This is done with the help of a Trojan. This redirects the victim’s request to the attacker’s fake website where the attacker can sniff the confidential information of the victim.

+ DNS cache poisoning
The DNS system uses cache memory to hold the recently resolved domain names. It is populated with recently used domain names and respective IP address entries. When the user request comes, the DNS resolver first checks the DNS cache; if the domain name that the user requested is found in the cache, then the resolver sends its respective IP address quickly. Thus, it redueces the traffic and time of DNS resolving.
Attacker target this DNS cache and make changes or add entries to the DNS cache. The attacker replaces the user-requested IP address with the fake IP address. Then, after when user requests that domain name, the DNS resolver checks the entry in the DNS cache and picks the matched entry. Thus, the victim is rediirected to the attacker’s fake server instead of the authorized server.

*** How to defend against DNS spoofing:
Resolve all DNS queries to local DNS servers
Block DNS requests from going to external severs
Implement DNSSEC
Configure the DNS resolver to use a new random source prot from its available range for each outgoing query
Configure the firewall to restrict external DNS lookup
Restrict the DNS recuring service, either full or partial, to authorized users
Use DNS Non-Existent Domain rate limitng
Secure your internal machines
Implement IDS and deploy it correctly
Use static ARP and IP table
Use SSH encryption
Use sniffing detection tools
Do not open suspicious files
Always use trusted proxy sites
Audit your DNS server regularly to remove vulnerabilities

Hope you have found this short article useful!

Photo: Intro to DNS Poisoning

DNS poisoning is a technique that tricks a DNS server into believing that is has received authentic inforamtion when, in reality, it has not. It results in substitution of a false Ineternet provider address at the domain name service level where web addresses are converted into numeric internet provider addresses. It allows attacker to replace IP address DNS entries for a target site on a given DNS server with IP addresses of the server he/she controls. Attacker can create fake DNS entries for files with same names as that of target server.

The DNS provides a way for computers to translate the domain names we see to the physical IPs they represent. When you load a webpage, your browser will ask its DNS server for the IP of the host you requested, and the server will respond. Your browser will then request the webpage from the server with the IP address that the DNS server supplied.

To launch a DNS poisoning attack, follow these steps:
+ set up a fake website on your computer
+ Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server.
+ Modify the file dns-spoofing.bat and replace the IP address with your IP address.
+ Trojanize the dns-spoofing.bat file and send it
+ When the host clicks the Trojanned file, it will replace DNS-entry in her TCP/IP properties to that of your machine.
+ You will become the DNS server and her DNS requests will go through you

There are four types of DNS poisoning attacks using which you can compromise the target system:

+ Intranet DNS spoofing (local network)
When an attacker performs DNS poisoning on a locl area network (LAN), it is called intranet DNS spoofing. An attacker can perform intranet DNS spoofing attack with the help of the ARP poisoning technique. THis is usually conducted on a swithced LAN. To perform this attack, you must be connected to the LAN and be able to sniff the traffic or packets.
Once the attacker succeds in sniffing the ID of the DNS request from the intranet, he or she can send a malicious reply to the sender before the actual DNS server.

+ Internet DNS spoofing (remote network)
Internet DNS poisoning is also known as remote DNS poisoning. This attack can be performed either on asingle or multiple victims anywhere in the world. In order to perform this attack, you need to set up a rouge DNS server with a static IP address.
Internet DNS spoofing is performed when the victim's system is connedted to the Internet. It is done with the help of Trojans. It is one of the MITM types of attacks, where the attacker changers the primary DNS entries of the victim's computer. The attacker replaces the victim's DNS IP address with the fake IP address that refers t the attacker's system; thus all traffic will be redirected to the attacker's machine. Now the aatcker can easily sniff the victim's confidential information.

+ Proxy server DNS poisoning
In the proxy server DNS posoning technique, tha taattacker changes the proxy server setting of the victim to that of the attacker. This is done with the help of a Trojan. This redirects the victim's request to the attacker's fake website where the attacker can sniff the confidential information of the victim.

+ DNS cache poisoning
The DNS system uses cache memory to hold the recently resolved domain names. It is populated with recently used domain names and respective IP address entries. When the user request comes, the DNS resolver first checks the DNS cache; if the domain name that the user requested is found in the cache, then the resolver sends its respective IP address quickly. Thus, it redueces the traffic and time of DNS resolving.
Attacker target this DNS cache and make changes or add entries to the DNS cache. The attacker replaces the user-requested IP address with the fake IP address. Then, after when user requests that domain name, the DNS resolver checks the entry in the DNS cache and picks the matched entry. Thus, the victim is rediirected to the attacker's fake server instead of the authorized server.

*** How to defend against DNS spoofing:
Resolve all DNS queries to local DNS servers
Block DNS requests from going to external severs
Implement DNSSEC
Configure the DNS resolver to use a new random source prot from its available range for each outgoing query
Configure the firewall to restrict external DNS lookup
Restrict the DNS recuring service, either full or partial, to authorized users
Use DNS Non-Existent Domain rate limitng
Secure your internal machines
Implement IDS and deploy it correctly
Use static ARP and IP table
Use SSH encryption
Use sniffing detection tools
Do not open suspicious files
Always use trusted proxy sites
Audit your DNS server regularly to remove vulnerabilities

Hope you have found this short article useful!

 

 

Advertisements