What Is DNS Spoofing?


Though the DNS server is robust, the attacker may reach your system anyway. These attacks are difficult to identify because the original destination site address in a browser’s address bar remains unchanged and can even appear legitimate. For example, instead of connecting to www.verizonwireless.com, you may be connected to a surrogate website whose web address appears identical but is hosted on another server controlled by an attacker.

DNS spoofing occurs when an attacker gains control of your DNS server to resolve “bad” domains into IP addresses. You are redirected to malicious sites that steal or delete your personal information. 

Example Of DNS Spoofing

A typical example of spoofed traffic that many Internet users are familiar with is the “Nigerian 419” scam. A spam email arrives from an unknown sender who claims to be seeking your help transferring large sums of money out of their country. 

By clicking on the enclosed link, you are directed to enter your bank account details so that they can send funds to you. Unknown to you, however, these details are collected by scammers for identity theft purposes rather than being used by the person sending the email. This attack results in your personal information being used in other fraudulent activities without your knowledge.

What Does A Rogue DNS Server Look Like?

After gaining complete control of all DNS traffic using this vulnerability, the attackers could redirect users trying to visit websites (targets) to web servers under their control. The redirected users would be unaware of the change. This would allow the attackers to launch man-in-the-middle or phishing attacks against targets for an utterly undetectable compromise.

Impact Of DNS Spoofing

The impact of this vulnerability can range from an annoying prank to significant data theft. If the DNS server is configured with enough information (cache), it may be possible for attackers to force their requests through the spoofed DNS server and receive only valid responses.

An attacker could also use another form of traffic interception such as ARP poisoning or IP hijacking, which would make the traffic appear as if it originated from the attacker’s network address. This could allow an attacker who has compromised other machines on your network to intercept your web browser activity while still appearing to have access to a valid IP address.

DNS Spoofing Attack Countermeasures

Create a local resolv.conf file that contains the IP address of the DNS server to use, ensuring that it is primary and valid. This prevents attackers from manipulating your resolv.conf file by injecting their IP addresses into this area via network spoofing or other attacks against your system. This approach also allows you to specify several different DNS servers in case one of them isn’t available.
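To verify that resolv.conf still lists only the resolvers you configured, the following added example (not from the original article) parses the file's nameserver entries and compares them with an allowlist. The allowlist addresses and the sample file contents are constructed for illustration; on a real host you would pass in the text of /etc/resolv.conf.

```python
import ipaddress

# Assumption: the resolvers this host is meant to use (documentation-range
# addresses, constructed for this example).
EXPECTED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}

# Constructed sample file: two of the nameserver lines are not on the allowlist.
SAMPLE_RESOLV_CONF = """\
# managed by ops
search corp.example
nameserver 192.0.2.53
nameserver 198.51.100.7
nameserver 2001:DB8::53
nameserver not-an-ip
options timeout:2 attempts:2
"""


def parse_nameservers(text):
    """Return nameserver addresses in file order, normalised to canonical form."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        fields = line.split()
        if fields[0] != "nameserver" or len(fields) < 2:
            continue
        try:
            # Drop any IPv6 zone id (fe80::1%eth0) before normalising.
            addr = ipaddress.ip_address(fields[1].split("%", 1)[0])
            servers.append(str(addr))
        except ValueError:
            servers.append("INVALID:" + fields[1])
    return servers


def audit_resolv_conf(text, expected):
    """Return (unexpected, missing) relative to the allowlist."""
    allowed = {str(ipaddress.ip_address(a)) for a in expected}
    found = parse_nameservers(text)
    unexpected = [s for s in found if s not in allowed]
    missing = sorted(allowed - set(found))
    return unexpected, missing


if __name__ == "__main__":
    print(audit_resolv_conf(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
```

Any entry in the first list is a resolver that was not configured deliberately and deserves investigation; an entry in the second list means an expected resolver has been removed.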

How Can DNS Spoofing Be Prevented?

Secure your network from the web browser down to the Internet Service Provider level by implementing DNS security features such as Domain Name System Security Extensions (DNSSEC). Data is digitally signed in transit between DNS resolvers and authoritative name servers, where it can’t be altered without being detected.
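The added example below (not part of the original article) goes one step beyond the text and shows how a client can ask a validating resolver for DNSSEC-checked data and read the result from the response header. It builds a query with the AD bit and an EDNS0 OPT record with DO set, then classifies response headers; the transaction ID, domain name and response headers are constructed samples.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035)
QR, RD, AD, RCODE_MASK = 0x8000, 0x0100, 0x0020, 0x000F
SERVFAIL = 2


def build_dnssec_query(txid, name, qtype=1):
    """Build a query that sets AD and carries an EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size,
    # TTL field with the DO bit (0x8000) set, RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt


def classify_response(txid, packet):
    """Classify a response by its header as seen from a stub client."""
    if len(packet) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid or not flags & QR:
        return "mismatch"      # not a reply to our query
    rcode = flags & RCODE_MASK
    if rcode == SERVFAIL:
        return "servfail"      # validating resolvers answer this when validation fails
    if rcode != 0:
        return "error"
    # AD is only meaningful when the path to the resolver itself is trusted.
    return "validated" if flags & AD else "unvalidated"


def constructed_response(txid, flags):
    """Constructed 12-byte header only; a real reply also carries the records."""
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)


if __name__ == "__main__":
    query = build_dnssec_query(0x1A2B, "example.com")
    print(len(query), query.hex())
    for flags in (0x81A0, 0x8180, 0x8182):
        reply = constructed_response(0x1A2B, flags)
        print(hex(flags), classify_response(0x1A2B, reply))
```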

In addition to security features, another solution is to utilize a secure DNS service such as the one provided by OpenDNS. This service provides additional protection from malware and phishing attempts through its website “OpenDNS Security Labs.” One of the benefits of this service is that it can be configured on your router or individual computers, which means there’s no need to change any user settings.

As an added benefit for Synology NAS owners, RTT (Round-Trip-Time) monitors are built into their DNS servers, so you can easily block sites with suspicious activity. 

To configure RTT monitoring:

  1.  Launch the Synology Assistant and connect to your DiskStation.
  2.  Select Package Center.
  3.  From within Package Center, select the DNS Server task.
  4.  Set RTT Monitoring to “Enable” and configure RTT monitor interval(s).
  5.  Click OK.

This network attack sends packets of data (such as email messages, webpage requests, or other forms of communication) to falsify the sender’s identity by modifying the source address information in IP datagram packet headers. 

This modified packet will contain the source address of an innocent third party who may be completely unaware that their system is being used for this purpose. It appears as though the traffic is coming from them based on their IP address within these packets. Thus, they are being “spoofed.”

Spoofing can also occur through the use of compromised systems that have been configured to send packets with false source addresses.

This attack is often used to trick users into revealing sensitive information such as passwords or credit card numbers. It can also be used for more malicious purposes, such as launching Denial of Service (DoS) attacks against websites by exploiting the trust placed in IP addresses displayed to users based on DNS registrant information.

Conclusion

Spoofing may occur due to insecure configurations on systems that allow unauthenticated traffic or protocols that do not sufficiently validate their source address before accepting packets. These security vulnerabilities allow attackers who are aware of them to modify packets and induce hosts within your network (which trust the spoofed address) into sending unauthorized connections, emails, or other communications to machines with which they would not normally interact.
