DNS poisoning is a technique that tricks a DNS
server into believing that is has received authentic
inforamtion when, in reality, it has not. It results in
substitution of a false Ineternet provider address at
the domain name service level where web addresses
are converted into numeric internet provider
addresses. It allows attacker to replace IP address
DNS entries for a target site on a given DNS server
with IP addresses of the server he/she controls.
Attacker can create fake DNS entries for files with
same names as that of target server.
The DNS provides a way for computers to translate
the domain names we see to the physical IPs they
represent. When you load a webpage, your browser
will ask its DNS server for the IP of the host you
requested, and the server will respond. Your browser
will then request the webpage from the server with
the IP address that the DNS server supplied.
To launch a DNS poisoning attack, follow these
steps:
+ set up a fake website on your computer
+ Install treewalk and modify the file mentioned in
the readme.txt to your IP address. Treewalk will
make you the DNS server. + Modify the file dns-spoofing.bat and replace the IP
address with your IP address.
+ Trojanize the dns-spoofing.bat file and send it + When the host clicks the Trojanned file, it will
replace DNS-entry in her TCP/IP properties to that of
your machine. + You will become the DNS server and her DNS
requests will go through you
There are four types of DNS poisoning attacks using
which you can compromise the target system: + Intranet DNS spoofing (local network)
When an attacker performs DNS poisoning on a locl
area network (LAN), it is called intranet DNS
spoofing. An attacker can perform intranet DNS
spoofing attack with the help of the ARP poisoning
technique. THis is usually conducted on a swithced
LAN. To perform this attack, you must be connected
to the LAN and be able to sniff the traffic or packets.
Once the attacker succeds in sniffing the ID of the
DNS request from the intranet, he or she can send a
malicious reply to the sender before the actual DNS
server. + Internet DNS spoofing (remote network)
Internet DNS poisoning is also known as remote
DNS poisoning. This attack can be performed either
on asingle or multiple victims anywhere in the world.
In order to perform this attack, you need to set up a
rouge DNS server with a static IP address.
Internet DNS spoofing is performed when the
victim's system is connedted to the Internet. It is
done with the help of Trojans. It is one of the MITM
types of attacks, where the attacker changers the
primary DNS entries of the victim's computer. The
attacker replaces the victim's DNS IP address with
the fake IP address that refers t the attacker's
system; thus all traffic will be redirected to the
attacker's machine. Now the aatcker can easily sniff
the victim's confidential information. + Proxy server DNS poisoning
In the proxy server DNS posoning technique, tha
taattacker changes the proxy server setting of the
victim to that of the attacker. This is done with the
help of a Trojan. This redirects the victim's request
to the attacker's fake website where the attacker can
sniff the confidential information of the victim. + DNS cache poisoning
The DNS system uses cache memory to hold the
recently resolved domain names. It is populated
with recently used domain names and respective IP
address entries. When the user request comes, the
DNS resolver first checks the DNS cache; if the
domain name that the user requested is found in the
cache, then the resolver sends its respective IP
address quickly. Thus, it redueces the traffic and
time of DNS resolving.
Attacker target this DNS cache and make changes or
add entries to the DNS cache. The attacker replaces
the user-requested IP address with the fake IP
address. Then, after when user requests that domain
name, the DNS resolver checks the entry in the DNS
cache and picks the matched entry. Thus, the victim
is rediirected to the attacker's fake server instead of
the authorized server.
How to defend against DNS spoofing:
Resolve all DNS queries to local DNS servers
Block DNS requests from going to external severs
Implement DNSSEC
Configure the DNS resolver to use a new random
source prot from its available range for each
outgoing query
Configure the firewall to restrict external DNS lookup
Restrict the DNS recuring service, either full or
partial, to authorized users
Use DNS Non-Existent Domain rate limitng
Secure your internal machines
Implement IDS and deploy it correctly
Use static ARP and IP table
Use SSH encryption
Use sniffing detection tools
Do not open suspicious files
Always use trusted proxy sites
Audit your DNS server regularly to remove
vulnerabilities
server into believing that is has received authentic
inforamtion when, in reality, it has not. It results in
substitution of a false Ineternet provider address at
the domain name service level where web addresses
are converted into numeric internet provider
addresses. It allows attacker to replace IP address
DNS entries for a target site on a given DNS server
with IP addresses of the server he/she controls.
Attacker can create fake DNS entries for files with
same names as that of target server.
The DNS provides a way for computers to translate
the domain names we see to the physical IPs they
represent. When you load a webpage, your browser
will ask its DNS server for the IP of the host you
requested, and the server will respond. Your browser
will then request the webpage from the server with
the IP address that the DNS server supplied.
To launch a DNS poisoning attack, follow these
steps:
+ set up a fake website on your computer
+ Install treewalk and modify the file mentioned in
the readme.txt to your IP address. Treewalk will
make you the DNS server. + Modify the file dns-spoofing.bat and replace the IP
address with your IP address.
+ Trojanize the dns-spoofing.bat file and send it + When the host clicks the Trojanned file, it will
replace DNS-entry in her TCP/IP properties to that of
your machine. + You will become the DNS server and her DNS
requests will go through you
There are four types of DNS poisoning attacks using
which you can compromise the target system: + Intranet DNS spoofing (local network)
When an attacker performs DNS poisoning on a locl
area network (LAN), it is called intranet DNS
spoofing. An attacker can perform intranet DNS
spoofing attack with the help of the ARP poisoning
technique. THis is usually conducted on a swithced
LAN. To perform this attack, you must be connected
to the LAN and be able to sniff the traffic or packets.
Once the attacker succeds in sniffing the ID of the
DNS request from the intranet, he or she can send a
malicious reply to the sender before the actual DNS
server. + Internet DNS spoofing (remote network)
Internet DNS poisoning is also known as remote
DNS poisoning. This attack can be performed either
on asingle or multiple victims anywhere in the world.
In order to perform this attack, you need to set up a
rouge DNS server with a static IP address.
Internet DNS spoofing is performed when the
victim's system is connedted to the Internet. It is
done with the help of Trojans. It is one of the MITM
types of attacks, where the attacker changers the
primary DNS entries of the victim's computer. The
attacker replaces the victim's DNS IP address with
the fake IP address that refers t the attacker's
system; thus all traffic will be redirected to the
attacker's machine. Now the aatcker can easily sniff
the victim's confidential information. + Proxy server DNS poisoning
In the proxy server DNS posoning technique, tha
taattacker changes the proxy server setting of the
victim to that of the attacker. This is done with the
help of a Trojan. This redirects the victim's request
to the attacker's fake website where the attacker can
sniff the confidential information of the victim. + DNS cache poisoning
The DNS system uses cache memory to hold the
recently resolved domain names. It is populated
with recently used domain names and respective IP
address entries. When the user request comes, the
DNS resolver first checks the DNS cache; if the
domain name that the user requested is found in the
cache, then the resolver sends its respective IP
address quickly. Thus, it redueces the traffic and
time of DNS resolving.
Attacker target this DNS cache and make changes or
add entries to the DNS cache. The attacker replaces
the user-requested IP address with the fake IP
address. Then, after when user requests that domain
name, the DNS resolver checks the entry in the DNS
cache and picks the matched entry. Thus, the victim
is rediirected to the attacker's fake server instead of
the authorized server.
How to defend against DNS spoofing:
Resolve all DNS queries to local DNS servers
Block DNS requests from going to external severs
Implement DNSSEC
Configure the DNS resolver to use a new random
source prot from its available range for each
outgoing query
Configure the firewall to restrict external DNS lookup
Restrict the DNS recuring service, either full or
partial, to authorized users
Use DNS Non-Existent Domain rate limitng
Secure your internal machines
Implement IDS and deploy it correctly
Use static ARP and IP table
Use SSH encryption
Use sniffing detection tools
Do not open suspicious files
Always use trusted proxy sites
Audit your DNS server regularly to remove
vulnerabilities
Post a Comment