Threat actors never rest. They are always looking for new ways in which to target users and the companies that provide services to them. Some of the exploits they use are based on the fundamental mechanics of how the modern web works, which is exactly where DNS cache poisoning and spoofing come into play. These are insidious subversions of the normal web’s operation, and it can be hard even to know that you’ve been hit! So let’s take a few minutes to learn what these attack methods entail and what you can do to minimize your risk.
What Is DNS?
DNS is short for Domain Name System. Basically, it’s the system that translates the domain name in the URL you type into your browser’s address bar into an IP address, the network address of the computer that holds the data you want.
How Does DNS Normally Work?
When you type in a web address, there are a few things that happen before the site is displayed. Modern computers and connections are so fast that it can seem to be an instant process, but there’s actually a heck of a lot going on under the hood!
The first thing your computer does is to check whether you’ve visited the site before. If you have, the IP address of the server you are looking for may be stored in a DNS cache on your computer.
If the computer doesn’t have that information on hand, it asks a DNS server for the IP address associated with the domain name you typed in. DNS servers are usually detected and assigned automatically on a network, so your ISP will likely have its own DNS servers that answer your computer’s request for an IP address. You can also manually specify which DNS servers to use, either on the device or on your router. Google’s DNS servers are popular for this purpose because they are fast and safe.
DNS Cache Poisoning And Spoofing Explained
There are 2 ways in which this DNS process can be subverted:
DNS Cache Poisoning is almost self-explanatory. This happens when your computer stores an IP address for a fraudulent site in the local DNS cache. So when you type in the legitimate URL for that site, you’re still redirected to a malicious site. This is especially dangerous because if the site is a good copy, you won’t see anything amiss.
DNS Spoofing happens when your computer’s legitimate DNS request is redirected to a malicious server instead. This attack is dangerous in particular because there isn’t necessarily anything wrong on your end of the transaction. It’s a threat that manifests on the outside network.
How DNS Cache Poisoning And Spoofing Are Achieved
There are 3 main ways in which you can become the victim of either spoofing or poisoning:
Spam Attacks happen when you click on a malicious link and it poisons your DNS cache. The links usually arrive in spam emails, some of which pretend to be from legitimate sources. It can also happen when you visit scummy sites and click on download links or adverts that contain code capable of poisoning your DNS cache.
Man-in-the-middle attacks are a classic hacker strategy. In these attacks, the threat actor intercepts messages between two legitimate communicators, in this case your computer and the DNS server. By spoofing the DNS server, the attacker tricks your computer into thinking it’s dealing with the real DNS server, when in fact all your data is passing through a third computer that impersonates each side of the conversation to the other and alters the information as it sees fit.
Hacking the DNS Server entails infiltrating the DNS server itself and then modifying its configuration. The hacker can change the listed IP address for a domain name and redirect all users who use that DNS server to the malicious site.
Why Is This So Dangerous?
As you can imagine, this is a pretty dangerous situation, but you might be surprised how harmful it can be to get redirected to a malicious site with no obvious sign that this has happened.
First of all, this is a phishing dream. Usually, avoiding a phishing site is as easy as not clicking on links in emails. However, with spoofing and poisoning, you don’t have to do anything wrong to become a victim. Checking the URL doesn’t help either since it will appear correct, thanks to how DNS works. Once you’re on the fake site, its owners can grab whatever information you offer up, including passwords, personal info, and credit card details.
These spoofed sites can also infect your computer with malware and can deeply compromise a computer without sufficient protection. Most worryingly, even if the DNS server is cleaned and fixed, the DNS cache on the affected devices will stay poisoned until it is cleared out as well, and that is something the DNS provider has no control over.
One of the biggest problems with this attack vector is that often you, as the user, can’t really do anything to protect yourself when it’s the server or a man-in-the-middle pulling the strings. Luckily, there are quite a few things you can do as an end-user to protect yourself:
The most obvious preventative measure is the same as for most types of phishing or malware attacks: avoid clicking on links you don’t 100% trust, whether they arrive in an email, in a WhatsApp chain post, or on social media. Be careful where you click!
It’s also common sense to regularly scan your computer for malware, viruses, adware, and other similar nasty pieces of software, regardless of where they come from.
You can also manually “flush” the DNS cache on your device. The exact process to do this differs between operating systems and devices. So you’ll have to do a little Googling. Also, remember that you need to do it for every device you own.
Finally, use a VPN that offers end-to-end encrypted private DNS servers. This makes it virtually impossible to spoof the server or poison your cache, on top of all the other privacy and security benefits that come with VPN territory!
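To make the mechanics above concrete, here is a small Python model of two pieces of a stub resolver: the check that a reply actually answers the query that was sent (the reason an off-path spoofer must guess the transaction ID, while a man-in-the-middle who sees the query passes it, which is why encrypted DNS helps), and a local cache whose entries, poisoned or not, live until their TTL expires or the cache is flushed. This is an added example, not code from the original article; the packet layout follows RFC 1035, and every name, address and TTL is a constructed sample value.

```python
import struct
import time

def encode_name(name):
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(txid, name, qtype=1):
    """Minimal query: header (RD=1, QDCOUNT=1) plus one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, name, ip, ttl, qtype=1):
    """Reply carrying one A record (constructed sample data, not a real lookup)."""
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    return header + question + answer

def validate_response(query, response):
    """Accept a reply only if it is a response (QR bit set) whose transaction ID
    and question section echo the query we sent; anything else is dropped."""
    if len(response) < 12 or not (response[2] & 0x80):
        return False
    if query[:2] != response[:2]:               # transaction ID must match
        return False
    return query[12:] == response[12:len(query)]  # same QNAME, QTYPE, QCLASS

class DnsCache:
    """Local cache: a record, good or bad, is served until its TTL runs out
    or flush() is called, which is what 'flushing the DNS cache' does."""
    def __init__(self, clock=time.time):
        self._clock, self._entries = clock, {}

    def store(self, name, ip, ttl):
        self._entries[name] = (ip, self._clock() + ttl)

    def lookup(self, name):
        hit = self._entries.get(name)
        if hit is None or hit[1] <= self._clock():   # missing or expired
            self._entries.pop(name, None)
            return None
        return hit[0]

    def flush(self):
        self._entries.clear()
```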