7.6 DNS Poisoning
DNS Poisoning Techniques
- DNS poisoning is a technique that trick a DNS server into believing that it has received authentic information when, in reality, it has not.
- It results in substitution of a false IP address at the DNS level where web addresses are converted into numeric IP addresses.
- It allows attacker to replace IP address entries for a target site on a given DNS server with IP address of the server he/she controls.
- Attacker can create fake DNS entries for the server (containing malicious content) with same names as that of the target server.
Intranet DNS Spoofing (Local Network)
- For this technique, you must be connected to the local area network (LAN) and be able to sniff packets.
- It works well against switches with ARP poisoning the router.
Internet DNS Spoofing (Remote Network)
- Internet DNS Spoofing, attacker infects Rebecca's machine with a Trojan and changes her DNS IP address to that of the attacker's.
Proxy Server DNS Poisoning
- Attacker sends a Trojan to Rebecca's machine that changes her proxy server settings in Internet Explorer to that of the attacker's and redirects to fake website.
DNS Cache Poisoning
- DNS cache poisoning refers to altering or adding forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site.
- If the DNS resolver cannot validate that the DNS responses have come from an authoritative source, it will cache the incorrect entries locally and serve them to users who make the same request.
How to Defend Against DNS Spoofing
- Resolve all DNS queries to local DNS server.
- Block DNS requests from going to external servers.
- Configure firewall to restrict external DNS lookup.
- Implement IDS and deploy it correctly.
- Implement DNSSEC.
- Configure DNS resolver to use a new random source port for each outgoing query.
- Restrict DNS recuring service, either full or partial, to authorized users.
- Use DNS Non-Existent Domain (NXDOMAIN) Rate Limiting.
- Secure your internal machines.
Q1) Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B. How do you prevent DNS spoofing? (Select the Best Answer.)
- Install DNS logger and track vulnerable packets
- Disable DNS timeouts
- Install DNS Anti-spoofing
- Disable DNS Zone Transfer
A1) Implement DNS Anit-Spoofing measures to prevent DNS Cache Pollution to occur.