
What are DNS Spoofing, DNS Hijacking, and DNS Cache Poisoning?

DNS Spoofing is a DNS attack that changes DNS records returned to a querier; DNS Hijacking is a DNS attack that tricks the end user into thinking they are communicating with a legitimate domain name; and DNS Cache Poisoning is a DNS attack targeting caching name servers. These terms are often used interchangeably and the differences among them are subtle. Here is a more detailed description of each DNS attack type:

DNS Hijacking

DNS Hijacking is perhaps the most generic term here, and generally, it covers the other two techniques. DNS Hijacking refers to any attack that tricks the end user into thinking he or she is communicating with a legitimate domain name when in reality he or she is communicating with a domain name or IP address that the attacker has set up. This is also sometimes called DNS Redirection.

There are many ways to perform DNS Hijacking. The most common one we see is used by captive portals such as pay-for-use WiFi hotspots: before the user pays for access, the hotspot service captures all DNS queries and, regardless of what was asked, returns the IP address of the payment server so the user can purchase WiFi access.

Changing the client device setting to use a different DNS server is another common method of attack. The attacker could change the user’s DNS setting so that, instead of using 8.8.8.8, the device uses the IP address of a DNS server under the attacker’s control. When the user queries for bank.example.com, the attacker’s DNS server could return the IP address of a server disguised as the target web site, or of a proxy that captures all the data sent to the real web site. This is precisely what the DNSChanger trojan/malware did.

Another way is to gain unauthorized access to the authoritative DNS data, for example by stealing someone’s password, exploiting a vulnerability in the DNS entry system, or using some other clever technique. An example of this was recently in the news when the Department of Homeland Security (DHS) issued an emergency directive (https://cyber.dhs.gov/ed/19-01/) due to malicious tampering of government DNS entries.

Some attacks play on the fact that certain domains look similar when using different fonts or encoding. This type of attack is also known as a homograph attack. One of the earlier phishing attempts was the use of the domain name paypai.com. The attacker registered the domain name and spelled the letter i in uppercase to make it look like a lower-case L, fooling many into thinking it was the legitimate PayPal.com. With support for international characters in DNS now, it is even more difficult to spot the difference between similarly spelled names such as ėxample.com [1] and example.com.
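
The following is an added example, not code from the original page: a small Python check a defender could run over observed domain names to expose the Punycode form and flag names that collapse to the same visual skeleton as a protected name. The PROTECTED list, the ASCII_CONFUSABLE map and the function names are assumptions made for illustration.

```python
import unicodedata

# Assumption: names to protect, taken from the examples on this page.
PROTECTED = {"example.com", "paypal.com"}
# Assumption: tiny hand-picked map of ASCII look-alikes; production tooling
# would use the Unicode confusables data instead.
ASCII_CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})


def to_punycode(name: str) -> str:
    """Return the ASCII (xn--) form that is actually sent in DNS queries."""
    return name.encode("idna").decode("ascii")


def skeleton(name: str) -> str:
    """Reduce a name to a rough visual skeleton for comparison."""
    # NFKD splits an accented letter into base letter + combining mark
    # (U+0117 becomes 'e' + U+0307); the marks are then dropped.
    decomposed = unicodedata.normalize("NFKD", name.lower())
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.translate(ASCII_CONFUSABLE)


def check(name: str) -> dict:
    """Classify one observed domain name against the protected list."""
    name = name.lower().rstrip(".")
    if name.startswith("xn--") or ".xn--" in name:
        name = name.encode("ascii").decode("idna")  # recover Unicode form
    hit = next((p for p in PROTECTED
                if p != name and skeleton(p) == skeleton(name)), None)
    return {
        "unicode": name,
        "punycode": to_punycode(name),
        "non_ascii": not name.isascii(),
        "lookalike_of": hit,
    }


if __name__ == "__main__":
    # Constructed sample input: the look-alike names mentioned on this page.
    for seen in ["\u0117xample.com", "xn--xample-h4a.com", "paypai.com",
                 "example.com"]:
        print(check(seen))
```

Logging the Punycode form next to the displayed name makes look-alike registrations visible in proxy and resolver logs, where the two names would otherwise appear identical to a reviewer.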

Then there are browser-based attacks that use all sorts of JavaScript or web browser tricks to hide the URL bar, so when the user is, in fact, visiting www.internetbadguys.com, the URL bar in the browser may display bank.example.com. Some versions of this attack use JavaScript so the user cannot scroll up to the top of the web page to see the URL bar. A recent attack of this type, dubbed “Inception Bar”, targets mobile Chrome browsers and displays a false URL bar.

DNS Spoofing

DNS Spoofing refers to any attack that tries to change the DNS records returned to a querier to a response the attacker chooses. This can include some of the techniques described in DNS Hijacking, the use of cache poisoning, or some type of man-in-the-middle style attack. Sometimes, we use the terms DNS Hijacking and DNS Spoofing interchangeably.

As described in the DNS Hijacking section, this technique is widely used by pay-for-use WiFi hotspots at airports and hotels, and sometimes as a means of quarantine by network security teams to isolate an infected device.

Cache Poisoning

Cache poisoning is a more specific type of attack targeting caching name servers in an attempt to control the answers stored in the DNS cache. There are different methods to carry out this attack, but they typically involve flooding the recursive server with forged DNS responses, changing the query ID in each response hoping to guess the right ID at just the right time.

This attack is very difficult to detect, and very difficult to guard against unless DNSSEC is fully deployed. But if the attackers are successful, the payoff can be huge. The attackers can potentially impact thousands of users who use the recursive name server that holds the corrupted answers, and this poisoned entry can propagate to other caching servers and affect more users.


[1] When encoded properly in DNS Punycode, this domain becomes xn--xample-h4a.com
