A Comprehensive Analysis of Spoofing

This article gives an in-depth explanation of internet protocol (IP) and email address spoofing. What are the steps for IP spoofing? Why might an attacker want to spoof an IP or email address?

6. DNS Spoofing

A DNS spoofing attack can be defined as the successful insertion of incorrect resolution information by a host that has no authority to provide that information. It may be conducted using a number of techniques, ranging from social engineering through to exploitation of vulnerabilities within the DNS server software itself. Using these techniques, an attacker may insert IP address information that redirects a customer from a legitimate website or mail server to one under the attacker's control, thereby capturing customer information through common man-in-the-middle mechanisms.

According to the most recent "Domain Health Survey" (Feb 2003), a third of all DNS servers on the Internet are vulnerable to spoofing. 

Operating normally, a customer can expect to query their DNS server to discover the IP address of the named host they wish to connect to. The following diagram reflects this process.

Fig 1: The Normal DNS Motion Process

1. The customer queries the DNS server: "What is the IP address of www.bank.com?"

2. The DNS server responds to the customer query with "The IP address of www.bank.com is 150.10.1.21".

3. The customer then connects to the host at 150.10.1.21, expecting it to be www.bank.com.

With a successful DNS spoofing attack, however, the process has been altered. The following diagram reflects this process.

Fig 2: The DNS motion process having fallen victim to a DNS spoofing attack

1. The attacker targets the DNS service used by the customer and adds/alters the entry for www.mybank.com, changing the stored IP address from 150.10.1.21 to the attacker's fake site IP address (200.1.1.10).

2. The customer queries the DNS server: "What is the IP address of www.bank.com?"

3. The DNS server responds to the customer query with "The IP address of www.bank.com is 200.1.1.10", not the real IP address.

4. The customer then connects to the host at 200.1.1.10, expecting it to be www.bank.com, but in fact reaching the attacker's fake site.
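The two exchanges above (Fig 1 and Fig 2) can be made concrete at the wire level. The following is an added example, not code from the original article: it encodes the customer's A query and the server's answer as raw DNS messages using only the Python standard library, parses them back, and shows the checks a resolver should apply before trusting any reply: the transaction ID, the echoed question section and the source address must all match the outstanding query. The hostname and addresses come from the article's diagrams; the transaction IDs, TTL and the resolver address 10.0.0.53 are constructed sample values.

```python
"""Minimal DNS A-record query/response encoder, parser and reply validator.

Added example modelled on the article's Fig 1 / Fig 2 exchange. All
transaction IDs, the TTL and the resolver address are constructed values.
"""
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: <len><label>... terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_query(txid: int, name: str) -> bytes:
    """Step 1 of Fig 1: a standard recursive A query (flags: RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_answer(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Step 2 of Fig 1: a response carrying one A record (flags: QR, RD, RA set)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # The RR name is a compression pointer (0xC00C) back to the question name at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def parse_response(msg: bytes) -> dict:
    """Parse the header, question section and any A answers out of a DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, socket.inet_ntoa(rdata)))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def validate_response(query: bytes, response: bytes, expected_server: str, from_addr: str):
    """Return (accepted, reason). Trust a reply only if it matches the outstanding query."""
    q, r = parse_response(query), parse_response(response)
    if from_addr != expected_server:
        return False, "source address does not match the server that was queried"
    if r["txid"] != q["txid"]:
        return False, "transaction ID mismatch"
    if not r["flags"] & 0x8000:
        return False, "QR bit not set (message is not a response)"
    if r["questions"] != q["questions"]:
        return False, "question section does not echo the query"
    for rname, _ in r["answers"]:
        if rname.lower() != q["questions"][0][0].lower():
            return False, "answer record is for a different name than was asked"
    return True, "ok"


if __name__ == "__main__":
    query = build_query(0x1A2B, "www.bank.com")
    reply = build_answer(0x1A2B, "www.bank.com", "150.10.1.21")
    print(parse_response(reply)["answers"])
    print(validate_response(query, reply, "10.0.0.53", "10.0.0.53"))
```

These checks are what stop an off-path host from injecting an answer the resolver never asked for. They do not help in the Fig 2 case, where the resolver's own data has been altered and the poisoned reply is well-formed, has the right transaction ID and comes from the expected server; catching that requires cryptographic validation of the records (DNSSEC) or an out-of-band comparison of the returned address against a trusted source.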