Difference between revisions of "DNS spoofing"

From CNM Wiki
(Mechanism)
(Mechanism)
 
(One intermediate revision by the same user not shown)
Line 4: Line 4:
 
In order to increase speed of DNS resolutions for the end user, as well as to decrease costs for [[Internet service provider]]s ([[Internet service provider|ISP]]), they usually configure their [[nameserver]]s to cache DNS responses for the period defined in the TTL value of the requested record set. This allows for all concurrent requests to be served from the local cache at the [[Internet service provider|ISP]] and not require the series of lookups normally required.
 
In order to increase speed of DNS resolutions for the end user, as well as to decrease costs for [[Internet service provider]]s ([[Internet service provider|ISP]]), they usually configure their [[nameserver]]s to cache DNS responses for the period defined in the TTL value of the requested record set. This allows for all concurrent requests to be served from the local cache at the [[Internet service provider|ISP]] and not require the series of lookups normally required.
  
This mechanism, however, is the target for the ''Spoofing'' attacks. In these attacks, the attacker aims legitimate [[DNS resolver]]s to have an attacker's IP address cached as a false [[DNS record]]. For instance, this false record can be an [[A record]] or [[NS record]].
+
This mechanism, however, is the target for the ''Spoofing'' attacks. In these attacks, the attacker aims legitimate [[DNS resolver]]s to have an attacker's IP address cached as a false [[DNS record]]. Most commonly, this false record can be an [[A record]] or [[NS record]].
  
 
For example, the attacker would send a fake resolutions to legitimate DNS resolver and seek the attacker's IP address to be cached instead of or in addition to the legitimate IP address. The attacker then could display a fake login page and harvest users' logins and passwords. In the ''Man-In-The-Middle Attack'', the attacker would use the harvested logins and passwords to access the legitimate IP address, so the victim would have regular experience working with familiar resource without knowledge that the attacker is between the victim and the legitimate resource.
 
For example, the attacker would send a fake resolutions to legitimate DNS resolver and seek the attacker's IP address to be cached instead of or in addition to the legitimate IP address. The attacker then could display a fake login page and harvest users' logins and passwords. In the ''Man-In-The-Middle Attack'', the attacker would use the harvested logins and passwords to access the legitimate IP address, so the victim would have regular experience working with familiar resource without knowledge that the attacker is between the victim and the legitimate resource.
  
 
==Prevention==
 
==Prevention==
[[DNSSEC]], [[SSL certificate]]s and [[digital signature]]s are most common tools used to prevent [[DNS spoofing]].
+
[[DNSSEC]], [[SSL certificate]]s and [[digital signature]]s are most common tools used to prevent the ''Spoofing''.
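Review bot: in the changed Mechanism sentence, "Most commonly, this false record can be an [[A record]] or [[NS record]]" pairs a frequency claim with "can be"; "is" would read correctly. The unchanged first half of that paragraph ("the attacker aims legitimate [[DNS resolver]]s to have") is still missing a verb and could be fixed in the same edit, for example "aims to get legitimate DNS resolvers to cache". In the Prevention line, dropping the self-link in favour of ''Spoofing'' is fine, but "are most common tools" still lacks "the", and the sentence would be clearer if it said what each control does: DNSSEC lets a validating resolver reject a forged record, while an SSL certificate lets the client notice it reached the wrong server and does not stop the false record from being cached.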

Latest revision as of 13:58, 6 March 2019

DNS spoofing (alternatively known as DNS cache poisoning, DNS tampering, DNS hijacking, or DNS redirection; hereinafter, the Spoofing) is an attack against the DNS protocol that aims to alter the IP addresses cached by DNS resolvers for a DNS record of the attacker's choice.

Mechanism

To speed up DNS resolution for the end user and to reduce their own costs, Internet service providers (ISPs) usually configure their nameservers to cache DNS responses for the period defined in the TTL value of the requested record set. This allows all concurrent requests to be served from the local cache at the ISP instead of requiring the series of lookups normally needed.

This caching mechanism, however, is the target of the Spoofing attacks. In these attacks, the attacker aims to get legitimate DNS resolvers to cache an attacker's IP address as a false DNS record. Most commonly, this false record is an A record or an NS record.

For example, the attacker would send fake resolutions to a legitimate DNS resolver and seek to have the attacker's IP address cached instead of or in addition to the legitimate IP address. The attacker could then display a fake login page and harvest users' logins and passwords. In the Man-In-The-Middle Attack, the attacker would use the harvested logins and passwords to access the legitimate IP address, so the victim would have the regular experience of working with a familiar resource, without knowing that the attacker sits between the victim and the legitimate resource.

Prevention

DNSSEC, SSL certificates and digital signatures are the most common tools used to prevent the Spoofing.
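
The following added example (not part of the wiki article) models the TTL cache from the Mechanism section and shows why a resolver that checks a signature over the record set, as DNSSEC does, never caches the false record. The HMAC with a shared `ZONE_KEY` is an assumed stand-in for DNSSEC's public-key RRSIG signatures, and the names, addresses and TTLs are constructed sample values.

```python
import hashlib
import hmac

ZONE_KEY = b"constructed-demo-key"  # assumption: stand-in for the zone's signing key


def sign_rrset(name, rtype, addrs, key=ZONE_KEY):
    """Sign a record set (HMAC stand-in for a DNSSEC RRSIG)."""
    msg = "|".join([name.lower(), rtype] + sorted(addrs)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ResolverCache:
    """Caches record sets for their TTL, as the Mechanism section describes."""

    def __init__(self, validate):
        self.validate = validate
        self.entries = {}  # (name, rtype) -> (addrs, expires_at)

    def store(self, now, name, rtype, addrs, ttl, sig=""):
        """Cache a response; return False if signature validation rejects it."""
        if self.validate:
            expected = sign_rrset(name, rtype, addrs)
            if not hmac.compare_digest(expected, sig):
                return False  # forged record set never enters the cache
        self.entries[(name.lower(), rtype)] = (list(addrs), now + ttl)
        return True

    def lookup(self, now, name, rtype):
        """Return cached addresses, or None on a miss or an expired entry."""
        key = (name.lower(), rtype)
        entry = self.entries.get(key)
        if entry is None or now >= entry[1]:
            self.entries.pop(key, None)
            return None
        return entry[0]


def demo(validate):
    """Feed one genuine and one forged answer; report what clients are served."""
    cache = ResolverCache(validate)
    good = ["192.0.2.10"]      # constructed: legitimate address
    forged = ["203.0.113.66"]  # constructed: address carried by the false record
    cache.store(0, "login.example", "A", good, 300, sign_rrset("login.example", "A", good))
    accepted = cache.store(10, "login.example", "A", forged, 86400, "bogus")
    return accepted, cache.lookup(20, "login.example", "A"), cache.lookup(400, "login.example", "A")
```

Without validation the false record replaces the genuine one and is served to every client until its own long TTL runs out; with validation the genuine record is served until it expires and the false one is never stored.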