DNS Spoofing explained

28Jan08

Recently one of my readers requested that I elaborate on this topic. I had mentioned in a previous post that DNS Spoofing could contribute to phishing attacks. I have just been waiting for the time and inspiration to dive into the topic. Since Netflix hasn’t shipped me anything for some strange reason, and the wife isn’t too interested in my DVR’d episode of Fight Quest, may as well dive in.

So what is DNS Spoofing? Simply put, it is the process of making a DNS request return a different IP address than it should. Here is an example of how this would work, and I will try to put it into terms for everyone to understand (fellow geeks, bear with me.)

Joe jumps on his computer and wants to visit his favorite blog, so he types into his web browser: https://techdulla.wordpress.com (as if you didn’t see that self promotion coming.) What happens behind the scenes is that his computer makes a request to a DNS server to find out the address of the website. Telling the computer to visit a website is similar to me inviting you to my house for a SuperBowl party; the problem is that unless you know where I live you need an address, because the name alone does not tell you enough.

There are many DNS servers on the internet. If you are a home user your DNS server is likely assigned to you by your internet service provider (ISP). When your computer asks for a website address the DNS server sends the address back to your computer. This is great: you now know where you have to go. Back to the real-world analogy: what happens if I give you the wrong address to my house? You go to the wrong house! The same thing can happen to your computer. It assumes the address it received from the DNS server is 100% correct and as a result it will go there.

During proper operation this isn’t a problem: you get to your website and life is good. If your DNS server is pushing out spoofed addresses you could be in for big trouble. So how can DNS spoofing happen? There are multiple ways, and although I do not plan on covering them all I will go over a few major ones.

There are viruses and spyware on the net that, once on your machine, will either edit your HOSTS file entries for certain sites or change your DNS server address. There is even JavaScript code that can be launched from a website and change your router’s DNS settings (though this does require your router password to still be the default.)

If entries are inserted into your HOSTS file, your computer will not even do a DNS query. A HOSTS file is local to your computer and can be used to avoid using DNS. It is not feasible for general purpose internet access, but it can serve a specific purpose for certain sites. Anyway, if a bad guy puts an entry into your HOSTS file for http://www.bankofamerica.com then every time you try to visit that site you will go where he wants you to go.

By changing your DNS server, the bad guy can force you to query his server for all addresses. In this case, every site you try to visit could be going to the wrong address. If the bad guy is smart, most of the DNS results will be correct so as not to alert you that something is wrong; only certain sites will bring you to the wrong place.

When you go to the wrong site, you may or may not know it. Obviously if you try to visit cnn.com but end up at Girls Gone Wild, you will know something is wrong. If however you are trying to visit bankofamerica.com and the bad DNS server sends you to a replica phishing site, you could end up handing over your information to someone who should not have it.

So in a nutshell, that is DNS Spoofing. To avoid becoming a victim, keep your machine patched, run up-to-date antivirus software, always change default passwords, make sure you only use secure (HTTPS) sites for entering account information, and pay attention. If you think your computer may be compromised, check your DNS settings and HOSTS file, or find a geek who can check it for you.
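To make that last check concrete, here is an added example (not part of the original post) that parses a HOSTS file and flags the kind of entry described above: a public site name pointed at a routable address. It also compares answers from your configured resolver against a trusted reference to catch the selective spoofing of a few sites. The sample HOSTS text and the resolver answers are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample HOSTS file (not from any real machine): normal loopback
# entries plus a planted entry that redirects a bank's name to another host.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.bankofamerica.com bankofamerica.com   # planted
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from HOSTS-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        addr, *names = line.split()
        pairs.extend((addr, name.lower()) for name in names)
    return pairs

def suspicious_hosts_entries(text: str) -> List[Tuple[str, str]]:
    """Flag entries that map a non-local name to a routable address.

    Legitimate HOSTS entries almost always map names to loopback or the
    unspecified address (localhost, ad-blocking sinkholes). A public site
    name pointing at a real IP is what the HOSTS-file attack looks like."""
    flagged = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; ignored here
        if ip.is_loopback or ip.is_unspecified:
            continue
        if name in ("localhost", "localhost.localdomain") or name.endswith(".local"):
            continue
        flagged.append((addr, name))
    return flagged

def resolver_mismatches(observed: Dict[str, str], trusted: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Names whose answer from the configured resolver differs from a trusted
    reference (for example answers fetched through a known-good resolver)."""
    return {n: (observed[n], trusted[n])
            for n in trusted if n in observed and observed[n] != trusted[n]}
```

On a real machine, feed the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` to `suspicious_hosts_entries`; any flagged line deserves a close look.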

One Response to “DNS Spoofing explained”

  1. Spyware and malware cleaning therefore represents one way to prevent the situation above and anti-virus programs also should be activated to clear any potential infections.