MITM Part 2 : DNS SPOOFING
This is the part 2 of the Man In The Middle Attack. In my previous article I talked about ARP poisoning and now in this article I will be talking about DNS Spoofing. Before talking about DNS spoofing I will give a small introduction to what DNS is and then talk about DNS spoofing.
How do you connect to the internet?
Before talking in technical terms lets talk about a small real life scenario. If you are to call someone, what would you do first. You will be looking up their number in your phone contacts and then call them. This is the same type of scenario that happens when we try to connect to the internet.
Lets say that we want to connect to www.google.com, we type it in our web browser and then it loads up. In order for your browser to know the location of www.google.com it will be getting the help from DNS which stands for Domain Name System. Simply put DNS is the phone book of the internet which has 100s of millions of addresses for different URL’s. Now lets see how it works behind the scene.
DNS
These logical addresses are typically the IP addresses. URL will simply find the IP address for the specific URLS. At the early stages of the internet there weren’t many websites in use. So simply a single person took the job to connect the clients with the requested URL. This is time consuming and also a lot of users may have to wait in line while that person finishes the request one by one. This however is cumbersome so a guy named Paul Mockapetris came up with an idea to make this process be handled by a machine. That is how the beginning of DNS came to be. Now that we know a little history lets look into the process of DNS.
URL’s are human readable, not machine readable. For that each URL will have a logical address to identify them. These logical addresses are typically IP addresses. The DNS (Domain Name System) main job is to convert the URL and find its IP address. Now lets breakdown the URL. See the below image.
As you can see from the above picture, the URL is broken down into different parts. the subdomain, domain name and top level domain. The DNS will be mainly working with the Root Domain to find the IP address of a specific URL. After entering our URL out web browser will be connecting with the Recursive Server, these servers are basically like the people who say “I know you are looking for”, they will have information about other DNS servers which will hold the IP address of the website you are looking for. Then the URL will be going to the Root Server, this server will then find the information about the top-level domain, these servers will be checking the .com , .org , .lk of the URL. Once your URL reaches the correct Root server it then goes to the TLD (Top Level Domain)server, here the server will check if it has the Domain Name in its list. (TLD searches for the domain name not top level domain. It is confusing I know 😢). Then finally it will go to the Authoritative Name Server which will have the correct IP address and will return it back to the browser.
That’s something large to take in right, to put it simply when you type in a URL the domain name system will find you the correct IP address. This process is known as the Domain Name Resolution.
Note : There are millions and millions of domain names (URL) that are being used today. One server will not be able to handle them all. There are multiple different DNS servers located all around the globe. For instance, there are major Root Servers located in each country. And another point to note is that each ISP (Internet Service Provider) will have a recursive server, if that server is not to your liking you guys can simply use google provided recursive server. For more information about DNS click here.
What is DNS Spoofing?
The above mentioned steps are true when we try to access a website for the very first time, if we are visiting a website it is normally stored in the DNS cache in our local machine. For windows users, you can type in the command ipconfig/displaydns to view your local DNS cache.
I put “at the moment of writing” in the above picture. The reason is that these cache will automatically get deleted after its TTL (Time TO Live)ends. Then it refreshes the cache again with the newer values. You can manually clear you DNS cache as well by typing in the command ipconfig/flushdns if you are a windows user. And recursive Servers will also having cache capabilities so that they do not need to do the whole process again. Now to the main topic at hand DNS spoofing….
DNS spoofing is one kind of Man In The Middle (MITM) Attack. For this type of attack the attacker will attack both your machine and the recursive DNS server. The first step in this attack is to attack both the client’s and server’s DNS cache. Then they will add the Fake site’s DNS information into the server and the client will also lookup the fake server for the specific site. Lets say for instance that the attacker created a fake Facebook login page and has attacked the client and the server with the fake ones DNS information. The next time that the client tries to connect to Facebook they will be redirected to the fake site and will lose their login credentials. Look at the below diagram for the simplistic view for this attack.
DNS Spoofing Prevention and Protection
There are certain ways that we can use to detect, prevent and protect ourselves from DNS spoofing.
- Servers can use monitoring tools to monitor their network traffic as well as detect any spoofing that might happen.
- Using DNSSEC (DNS Security) : DNSSEC is an extension that will improve DNS. DNSSEC doesn’t do encryption but it does allow the servers to protect sensitive data such as IP addresses and host information such as OS, CPU version.
- Using SSL : By using SSL both parties of a communication must verify the others, when an attacker tries to redirect to fake site the SSL certificate will be false and the web browser will be alerting it is dangerous to enter the site. The users must be aware of this and exit the fake site. If the users are careless they will be victim to DNS Spoofing. And two way SSL provides message level security so even if the attacker gets hold of the message they will not be able to decrypt it.
- Flush DNS cache : If an attacker has poisoned your DNS cache it will stay that way until its TTL (Time To Live ) ends. So it is best to clear your DNS cache manually. For windows user the command
ipconfig/flushdnswill help to clear their DNS cache.
These are some of the main prevention and protection methods, other than that keeping antivirus up to date and also using a private paid VPN(Never use free VPN ) will help to increase your security against these types of attacks.