How hackers spoof DNS queries by "poisoning" the cache

Domain Name System (DNS) spoofing is a cyberattack in which the attacker directs the victim's traffic to a malicious site instead of the legitimate IP address. Attackers use "poisoning" of the DNS cache to intercept Internet traffic and steal credentials or confidential information. DNS cache poisoning and DNS spoofing are identical concepts that are often used interchangeably. A hacker wants to trick users into entering their personal data on an insecure site. How can he achieve this? Using DNS cache poisoning. To do this, the hacker substitutes or replaces the DNS data for a specific site and redirects the victim to the attacker's server instead of the legitimate one. In this way the hacker achieves his goal, and he has a wide range of opportunities: he can mount a phishing attack, steal data, or even inject malware into the victim's system.

What is DNS spoofing and cache poisoning?

Before we start talking about DNS cache poisoning, let's first recall what DNS and DNS caching are. DNS is a worldwide directory of IP addresses and domain names; you could call it the telephone directory of the Internet. DNS translates user-friendly addresses such as varonis.com into IP addresses such as 92.168.1.169, which computers use to communicate on the network. DNS caching is the system by which DNS servers around the world store addresses. To speed up the processing of DNS queries, developers created a distributed DNS system. Each server keeps a list of the DNS records it knows, called its cache. If the desired IP address is not found on the DNS server closest to you, that server queries higher-level DNS servers until the address of the website you are trying to reach is found. Your DNS server then stores the new entry in its cache so that it can respond faster next time.

Examples and consequences of DNS cache poisoning

The design of DNS is not adapted to the realities of the modern Internet. Of course, DNS has been improved over time, but even now a single misconfigured DNS server is enough for millions of users to feel the consequences. One example is the WikiLeaks attack, in which attackers used DNS cache poisoning to intercept traffic and redirect it to their own clone of the site. The purpose of the attack was to divert traffic away from WikiLeaks, and it had some success. DNS cache poisoning is very difficult for ordinary users to detect. Today the DNS system is built on trust, and that is its weak point. People trust DNS too much and never check whether the address in their browser matches what they really need. Attackers take advantage of this carelessness and inattention to steal credentials and other important information.

How does DNS cache poisoning work?

DNS cache poisoning means that the DNS server closest to you contains a record that sends you to the wrong address, which is usually controlled by an attacker. There are a number of methods that attackers use to poison the DNS cache.

Intercept LAN traffic using ARP protocol spoofing

You'll be surprised how vulnerable a local network can be. Many administrators may be sure that they have blocked all possible access, but, as you know, the devil is in the details.

One of the most common problems is employees working remotely. Can you be sure that their Wi-Fi network is secure? Hackers can crack a weak Wi-Fi network password in a matter of hours.

Another problem is the open Ethernet ports that are accessible to everyone in corridors, lobbies, and other public places. Just imagine: a visitor can unplug the Ethernet cable intended for the lobby display and connect it to their own device.

How can a hacker use access to your local network obtained by one of the methods listed above? First, they can create a phishing page to collect credentials and other valuable information. They can then host this site either on the local network or on a remote server, and a single line of Python is enough to do this. After that, the hacker can start monitoring the network using special tools such as Bettercap. At this stage the hacker examines the network and performs reconnaissance, but traffic still passes through the router.

An attacker can then perform Address Resolution Protocol (ARP) spoofing to change the network structure from within. ARP is used by network devices to associate a device's MAC address with its IP address on the network. Bettercap sends messages that make all devices on the network believe the hacker's computer is the router. Thanks to this trick, the hacker can intercept all traffic that should pass through the router. Once the traffic is redirected, the attacker can run Bettercap's DNS spoofing module. This module watches for any requests for the target domain and sends false responses to the victim. The false response contains the IP address of the attacker's computer, so all requests for the target site end up at the phishing page the hacker created. Now the hacker sees traffic intended for other devices on the network, collects the credentials that are entered, and injects malicious downloads.

If the hacker cannot access the local network, he will resort to one of the following attacks.

Spoofing responses using a "birthday" attack

DNS does not authenticate responses to recursive queries, so the first response to arrive is stored in the cache. Attackers use the so-called "birthday paradox" to try to anticipate the response and send a fake one to the requester first. The birthday attack uses mathematics and probability theory to predict future events. In this case, the attacker tries to guess the transaction ID of your DNS query; if he succeeds, the fake DNS record reaches you before the legitimate response. Success is not guaranteed for any single attempt, but in the end the attacker will be able to place a fake response in the cache. After a successful attack, the hacker will see the traffic drawn by the fake DNS record until the record's time to live (TTL) expires.
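The probability the birthday attack relies on, worked through here as an added illustration that is not part of the original post. It assumes the only value the forger must guess is the 16-bit DNS transaction ID, so there are $N = 65536$ possible values, and that the resolver accepts the first response whose ID matches an outstanding query.

With a single outstanding query and $n$ forged responses, each carrying a different guess, the chance that one of them is accepted is

$$P_1 = 1 - \left(1 - \frac{1}{N}\right)^n \approx \frac{n}{N}.$$

The birthday variant instead keeps $m$ queries for the same name outstanding at once and fires $n$ forged responses at the resolver; any match between the two sets of IDs suffices, so

$$P_{\text{birthday}} = 1 - \left(1 - \frac{m}{N}\right)^n \approx 1 - e^{-nm/N}.$$

For $n = m = 300$ this gives $nm/N = 90000/65536 \approx 1.37$ and $P_{\text{birthday}} \approx 1 - e^{-1.37} \approx 0.75$, whereas the single-query attack with the same $300$ forgeries has $P_1 \approx 0.005$. That is why no single attempt is guaranteed but the attacker eventually wins, and why adding entropy matters: if the resolver also randomizes its 16-bit UDP source port, $N$ becomes $2^{32}$ and the same $300 \times 300$ attempt yields $P_{\text{birthday}} \approx 2 \times 10^{-5}$.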

Kaminsky's exploit

The Kaminsky exploit is a type of birthday attack. Dan Kaminsky, who discovered the vulnerability, first presented it at the Black Hat conference in 2008. The essence of the exploit is that the hacker first sends the DNS resolver a request for a non-existent domain, such as fake.varonis.com. On receiving such a request, the DNS resolver forwards it to the authoritative name server to get the IP address of the bogus subdomain. At this stage the attacker floods the DNS resolver with a huge number of fake responses in the hope that one of them will match the transaction ID of the original request. If successful, the hacker replaces the IP address in the DNS server's cache, as in our varonis.com example. The resolver will then keep telling every requester that the fake IP address belongs to varonis.com until the record's TTL expires.

How can I detect DNS cache poisoning?

How can you tell that a DNS cache has been poisoned? You need to monitor your DNS servers for possible indicators of attack. However, no one has the computing power to handle such volumes of DNS queries by hand. The best solution is to apply data security analytics to your DNS monitoring; this lets you distinguish normal DNS behavior from malicious attacks.
* A sudden increase in DNS activity from a single source against a single domain indicates a potential birthday attack.
* An increase in DNS activity from a single source that requests many different domain names from your DNS server without recursion indicates an attempt to find a record to poison later.
In addition to DNS monitoring, you must also monitor Active Directory events and file system behavior to detect abnormal activity in time. Even better, use analytics to find the relationship between all three vectors. This will provide valuable contextual information to strengthen your cybersecurity strategy.
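The two indicators above turned into detection logic, as an added example that is not part of the original post or of any vendor's product. It runs over constructed query-log lines; the log format, the field names and the thresholds are assumptions for this example, and a real resolver's log would need its own parser.

```python
import re
from collections import Counter, defaultdict

# Constructed sample query log (not captured from any real resolver). One
# query per line; the "src=... qname=... rd=..." layout is an assumption.
SAMPLE_LOG = (
    # ordinary client: a few different names, recursion desired (rd=1)
    [f"10:00:0{i} src=10.0.0.7 qname={n} rd=1"
     for i, n in enumerate(["varonis.com", "example.org", "mail.example.org"])]
    # one source firing a burst of queries for one name: birthday-attack indicator
    + ["10:00:02 src=203.0.113.9 qname=varonis.com rd=1" for _ in range(120)]
    # one source walking many names with recursion disabled: cache-probing indicator
    + [f"10:00:03 src=198.51.100.4 qname=host{i}.example.net rd=0" for i in range(25)]
)

LINE_RE = re.compile(r"src=(?P<src>\S+) qname=(?P<qname>\S+) rd=(?P<rd>[01])")


def parse(lines):
    """Yield (source, normalized name, recursion_desired) for each parsable line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["qname"].lower().rstrip("."), m["rd"] == "1"


def detect(lines, burst_threshold=100, probe_threshold=20):
    """Return findings as (indicator, source, name_or_None, count) tuples."""
    per_pair = Counter()                   # (src, qname) -> number of queries
    nonrecursive_names = defaultdict(set)  # src -> distinct names asked with rd=0
    for src, qname, rd in parse(lines):
        per_pair[(src, qname)] += 1
        if not rd:
            nonrecursive_names[src].add(qname)
    findings = []
    # indicator 1: one source hammering one name (possible birthday attack)
    for (src, qname), n in sorted(per_pair.items()):
        if n >= burst_threshold:
            findings.append(("birthday_burst", src, qname, n))
    # indicator 2: one source probing many names without recursion
    for src, names in sorted(nonrecursive_names.items()):
        if len(names) >= probe_threshold:
            findings.append(("nonrecursive_probe", src, None, len(names)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

The thresholds are per-log-window counts; in production you would tune them against a baseline of normal traffic rather than the fixed values used here.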

Ways to protect against DNS cache poisoning

In addition to monitoring and analytics, you can make changes to the DNS server settings:
  • limit recursive queries to protect against targeted cache poisoning;
  • store only data related to the requested domain;
  • limit responses to only those that relate to the requested domain;
  • ask your clients to use the HTTPS protocol.

Make sure that you are using the latest versions of BIND and other DNS software, so that you have all the latest vulnerability fixes. If possible, for example in the case of remote employees, organize work so that all remote computers connect via a VPN. This protects traffic and DNS queries from being snooped on locally. Also encourage employees to set strong passwords on their Wi-Fi networks to further reduce risk.

Finally, use encrypted DNS queries. Domain Name System Security Extensions (DNSSEC) is a DNS protocol that uses signed DNS data to prevent spoofing. With DNSSEC, the DNS resolver must verify the signature against the authoritative DNS server, which slows down the entire process. As a result, DNSSEC is not yet widely used.

DNS over HTTPS (DoH) and DNS over TLS (DoT) are competing specifications for the next version of DNS and, unlike DNSSEC, are designed to secure DNS queries without sacrificing speed. However, these solutions are not ideal, as they can hinder or entirely prevent local DNS monitoring and analysis. It is important to note that DoH and DoT can bypass parental controls and other DNS-level blocking installed on the network. Despite this, Cloudflare, Quad9, and Google all operate public DoT-enabled DNS servers. Many new clients support these modern standards, although support is disabled by default. You can find more information about this in our DNS security post.

DNS spoofing replaces the legitimate IP address of the site with the IP address of the hacker's computer. Detecting spoofing is very difficult, because from the end user's point of view, they enter a completely normal site address in the browser. Despite this, it is possible to stop such an attack. Risks can be reduced by using DNS monitoring, for example, from Varonis, as well as the DNS encryption standard over TLS (DoT).

Cache Poisoning: Frequently Asked Questions

Check out common questions about DNS spoofing and their answers.

Are DNS cache poisoning and DNS cache spoofing the same thing?

Yes, cache poisoning and cache spoofing refer to the same type of cyberattack.

How does DNS cache poisoning work?

Cache poisoning tricks your DNS server by storing a fake DNS record on it. After that, the traffic is redirected to the server chosen by the hacker, and data is stolen there.

What security measures can be applied to protect against DNS cache poisoning?

Site owners can perform monitoring and analytics to detect DNS spoofing. You can also upgrade your DNS servers to use Domain Name System Security Extensions (DNSSEC) or another encryption scheme such as DNS over HTTPS or DNS over TLS. Ubiquitous use of full end-to-end encryption such as HTTPS can also prevent DNS spoofing, and Cloud Access Security Brokers (CASBs) are extremely useful for this purpose. End users can reset a potentially spoofed DNS cache by periodically clearing their browser's DNS cache, and after connecting to an insecure or public network. Using a VPN can protect against DNS spoofing on the local network. Avoiding suspicious links also reduces the risk of your browser's cache being poisoned.

How do I check whether I've been attacked with cache poisoning?

Once the DNS cache has been poisoned, it is difficult to detect. A much better tactic is to monitor your data and protect your system from malware so as to avoid data leaks caused by DNS cache poisoning. Visit our interactive cyberattack lab to see how we use DNS monitoring to detect real-world cybersecurity threats.

How does DNS communication work?

When the end user enters a URL, for example Varonis.com, in their browser, the following happens:
  1. First, the browser checks its local cache for already saved DNS data.
  2. If this data is missing, it queries a higher-level DNS server, which on a local network is usually your router.
  3. If the router also doesn't have the required DNS record in its cache, the request is sent further up to higher-level DNS providers such as Google, Cloudflare, or Quad9.
  4. This higher-level server receives the DNS query and checks its cache.
    4.1. If there is no data in the cache, a recursive lookup begins: first the root DNS servers are asked "who handles .com?".
    4.2. The resolver then asks the .com top-level domain server "who handles Varonis.com?", and the top-level domain server responds with the authoritative name server for this URL.
    4.3. After that, the resolver asks the authoritative name server "what is the IP address of Varonis.com?", and the authoritative server responds with the domain's IP address.
  5. The DNS data is then sent back down the chain until it reaches the end user's device. Along the entire route, each DNS server writes the received response into its cache for future use.

How do attackers poison the DNS cache?

There are many ways to poison the cache; the most common are: forcing the victim to click a malicious link that uses embedded code to alter the DNS cache in the user's browser, and compromising the local DNS server with a man-in-the-middle attack. The man-in-the-middle attack uses Address Resolution Protocol (ARP) spoofing to redirect DNS requests to a DNS server controlled by the attacker.

What is DNS cache poisoning?

DNS cache poisoning is the act of replacing a record in the DNS database with an IP address leading to a malicious server controlled by an attacker.

How is DNS spoofing performed?

A hacker performs a DNS spoofing attack by accessing and modifying the DNS cache or redirecting DNS queries to their own DNS server.

What is meant by DNS spoofing?

The term "DNS spoofing" means that the URL entered by the user in the browser, for example varonis.com, doesn't actually lead to the correct official IP address corresponding to this URL. Instead, the user is redirected to a malicious server controlled by the hacker.

What is the danger of DNS spoofing?

DNS spoofing is dangerous because, by its very nature, the Domain Name System (DNS) is considered trustworthy and so is often not protected by any encryption. This means that hackers can substitute entries in the DNS cache for subsequent data theft, malware injection, phishing, and blocking of updates.

The main threat posed by a DNS spoofing attack is data theft through phishing pages. In addition, there is a risk of malware being delivered under the guise of downloads that look genuine. Also, if a system is updated over the Internet, an attacker can block the update by changing the DNS records so that they no longer lead to the intended site.

Original author: MICHAEL RAYMOND