DNS SPOOFING



DNS is a Domain Name System,  which has all the websites names and its corresponding IP address in its database in the form of records and are placed in a hierarichal manner in the Internet. When ever a client access a particular website say 

www.google.com, a request will be first sent to the Local DNS server for the ip address of that particular website. Then the DNS server checks for that particular ip address in its data base and once it finds it,  then it immediately sends a response to the client browser regarding the IP information. If it doesnot find in its database,  then it will forward the request to the top level DNS server in the hierarchy. In this way, the DNS server resolves name resolution 
 requests coming from the clients.  

 When an entry in DNS server is modified in such a way that,  a particular website to an ip address which is not the  expected one. Then the clients, whose requests are being resloved by this DNS server, may be redirected to another  website than the expected one.This kind of situation occurs, when the entry is not added correctly in the DNS server  or any unauthorised user has modified the DNS entries. The process of modifying the DNS entries in an unauthorised manner is known as DNS Spoofing.

DNS spoofing is mainly achieved by using the following methods.

DNS cache Poisioning andDNS ID spoofing. The DNS Cache Poisioning method, can be explained with an example. Consider two DNS servers – one which is Local DNS server with domain name www.abc.com  for your organisation and the other is a comprimised DNS server with domain name www.attacker.com. The attacker adds some customised entries, which includes legitimate website names with his  own relevant ip address in the compromised DNS server. After that he sends a name resolution request for the ip address  information of the domain www.attacker.com to the DNS server of the domain www.abc.com. Since the DNS server, doesnt have the information in its data base, it sends response to the attacker after getting the information from the  comprimised DNS Server. During this transaction period, the DNS server of www.abc.com not only recieves the ip address information of www.attacker.com but also the other records present in the DNS server in to its cache. This is normally  referred to as cache poisioning. At this moment, if  a legtimate user connects  to local DNS server for name resolution  he will be misguided to other website than the expected one.

 In case of DNS ID spoofing, when a name resolve request is generated by the client to send it to the DNS serever,   an ID will be generated along with the request. The client will accept the response for his request, if the ID of  the response packet matches with the requested packet ID. But this way of name resolution is not secured. Because any unauthorised user can sniff the request and can create a response packet on the fly with the same id  and ip  information contained in it is not the expected one. This kind of DNS attack is known as DNS ID Spoofing.  

Detecting and analysing the attacks through Intrusion Detection System

 The above alert is generated by an IDS Sensor, since it has received a DNS query response with a Time to Live  value of 1 Minute. Here the TTL of value of 1 Minute will store the information in the  clinets pc cache for less  period of time, so that it can eleminate the evidence of spoofed response. Also this response doesnot have Authority Record. This kind of attacks are severe as they lead the user to other site than expected. Sometimes it will lead to providing personal information by the user to a non legitimate site.


The Signature used by IDS to detect this attack is alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; metadata:policy security-ips drop, service dns; classtype:bad-unknown; sid:254; rev:7;)

Here the signature tell the IDS sensor to generate an alert, when  a UDP packet from Internet with source port as 53, reaches any system in the internal network with the following content in the packet   81 80 00 01 00 01 00 00 00 00 and C0 0C 00 01 00 01 00 00 00|<|00 04. This alert is displayed with  a classtype  bad-unknown.

Tips for Preventing DNS Spoofing

Maintain the DNS software Up-to-Date.Allow updates and zone transfers from trusted sources.
Maintain a Separate DNS server for public services and for internal services.Use secure key for signing the updates recieved from other DNS server. This will  avoid updates from untrusted sources.

Share on Google Plus

About Cyber Security Awareness

This is a short description in the author block about the author. You edit it by entering text in the "Biographical Info" field in the user admin panel.