DNS Spoofing - Neuroon Networks

Thursday, March 1, 2018

DNS Spoofing

What is DNS Spoofing?

DNS spoofing is an attack against DNS servers: by corrupting a server's name resolution data, an attacker can in turn compromise the computers that rely on that server. According to Wikipedia,
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect IP address. This results in traffic being diverted to the attacker's computer.
In this attack a host with no authority over a domain answers for the Domain Name System (DNS) server and all of the requests sent to it. This means that an attacker could redirect all DNS requests, and thus all traffic, to his own machine, manipulate it maliciously and possibly steal the data that passes through. It is one of the more dangerous attacks because it is very difficult to detect.

What is DNS?

Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses.

This is necessary because, although domain names are easy for people to remember, computers access websites by IP address.

Information from all the domain name servers across the Internet is gathered together and housed at the Central Registry. Hosting companies and Internet Service Providers interact with the Central Registry on a regular schedule to get updated DNS information.

When you type in a web address, e.g. www.vteamneuron.blogspot.com, your Internet Service Provider looks up the DNS records associated with the domain name, translates it into a machine-friendly IP address (for example 172.217.12.33 is the IP for vteamneuron.blogspot.com) and directs your Internet connection to the correct website.

After you register a new domain name or when you update the DNS servers on your domain name, it usually takes about 12-36 hours for the domain name servers world-wide to be updated and able to access the information. This 36-hour period is referred to as propagation.

When a DNS server has received a false translation and caches it for performance, it is considered poisoned and supplies the false data to its clients. A poisoned DNS server may therefore return an incorrect IP address, diverting traffic to another computer.

Cache poisoning attacks

Once an attacker has sent a forged DNS response, the corrupt data provided by the attacker gets cached by the real DNS name server. At this point the DNS cache is considered "poisoned." As a result, users that attempt to visit the affected domain will instead be routed to the IP address selected by the attacker. Users will continue to receive inauthentic IP addresses from the DNS server until the poisoned cache entry has expired or been cleared.
DNS cache poisoning attacks usually incorporate elements of social engineering to manipulate victims into downloading malware. The servers and websites that attackers use to replace authentic IP addresses are set up to appear legitimate while they actually contain malware in disguise. Attackers’ use of social engineering along with the fact that domain names still appear normal can make it very difficult for users to detect cache poisoning attacks. As a result, victims willingly download malicious content that they believe to be valid and from trusted sources.

How to prevent it

Many cache poisoning attacks against DNS servers can be prevented by being less trusting of the information passed to them by other DNS servers, and by ignoring any DNS records passed back which are not directly relevant to the query. IT teams should configure DNS servers to rely as little as possible on trust relationships with other DNS servers. Doing so makes it more difficult for attackers to use their own DNS servers to corrupt their targets' servers. Beyond limiting trust relationships, IT teams should ensure that they are running the most recent version of their DNS server software. DNS servers running BIND 9.5.0 or higher include features such as source port randomization and cryptographically secure Transaction IDs, both of which help prevent cache poisoning attacks.

DNS servers should be configured as follows:
  • Limit recursive queries.
  • Store only data related to the requested domain.
  • Restrict query responses to only provide information about the requested domain.
  • Use cache poisoning prevention tools (e.g. DNSSEC, the Domain Name System Security Extensions).
However, when routers, firewalls, proxies and other gateway devices perform network address translation (NAT), or more specifically port address translation (PAT), they may rewrite source ports in order to track connection state. In doing so, PAT devices can remove the source port randomness implemented by nameservers and stub resolvers.
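As an added illustration (not code from the original post), the following Python sketch applies the resolver-side checks described above to a simplified, constructed representation of a DNS exchange: a reply is only accepted if its transaction ID, destination port and question section match an outstanding query, and records outside the queried server's zone ("bailiwick") are dropped rather than cached. All names, addresses and the Question/Answer structures are hypothetical.

```python
from dataclasses import dataclass
import secrets

# Constructed, simplified DNS messages (not wire format) to show the checks a
# resolver applies before caching a reply. All values here are hypothetical.

@dataclass(frozen=True)
class Question:
    txid: int     # 16-bit transaction ID chosen by the resolver
    port: int     # randomized UDP source port chosen by the resolver
    qname: str
    qtype: str
    zone: str     # zone the queried server is authoritative for

@dataclass(frozen=True)
class Answer:
    txid: int
    port: int     # port the reply was delivered to
    qname: str
    qtype: str
    records: tuple  # (owner name, type, rdata) from answer/authority/additional

def new_question(qname, qtype, zone):
    """Pick a fresh TXID and an ephemeral source port from a CSPRNG."""
    return Question(secrets.randbelow(1 << 16),
                    1024 + secrets.randbelow(65536 - 1024), qname, qtype, zone)

def in_bailiwick(owner, zone):
    """True if `owner` is the zone apex or lies below it (label-aligned)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def validate(question, answer):
    """Return (accepted, cacheable_records, reason) for a received reply."""
    if answer.txid != question.txid or answer.port != question.port:
        return False, (), "txid/port mismatch: ignored as a possible forgery"
    if (answer.qname.lower(), answer.qtype) != (question.qname.lower(), question.qtype):
        return False, (), "question section does not match the outstanding query"
    kept = tuple(r for r in answer.records if in_bailiwick(r[0], question.zone))
    dropped = len(answer.records) - len(kept)
    return True, kept, f"accepted; dropped {dropped} out-of-bailiwick record(s)"

if __name__ == "__main__":
    q = new_question("www.example.com", "A", "example.com")
    # Constructed reply: one legitimate record plus one for an unrelated zone.
    reply = Answer(q.txid, q.port, "www.example.com", "A",
                   (("www.example.com", "A", "192.0.2.10"),
                    ("ns1.example.net", "A", "192.0.2.99")))
    print(validate(q, reply))
```

The port comparison is only meaningful if the port really is unpredictable, which is why the NAT/PAT rewriting described above weakens this defence even though the resolver's own check still passes.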
