DNS Spoofing Attacks

DNS Spoofing, or DNS Poisoning attacks, are Man-In-The-Middle attacks in which a hacker is able to get inside a local network and insert himself into the middle of the connection between a target IP and the local router. He is then able to redirect traffic for a particular domain to a fake website he has hosted, while it appears to the target as the actual website itself.

Several well-known attacks over the past decade have been conducted against major companies through DNS Cache Poisoning.

What Is DNS?

DNS, or Domain Name Server, allows us to communicate with servers or websites without the need to remember IP addresses. DNS servers match a web domain name with an associated IP. For example, going to https://8.8.8.8 redirects us to https://dns.google. Typing in either of the two will send us to the same place. In general, it is far easier for us to remember domain names rather than IP addresses and this is why DNS records exist.

Within the DNS framework there exists a hierarchy of domains. We have the Root Domain, Top-Level Domain, Second Level Domain, and the subdomain.

The Root Domain is the highest level in the hierarchy. It consists of name servers that answer the request for a domain and contain the global list of Top Level Domains. Known as Root Zone Servers, they consist of 13 servers accepted by ICANN to resolve all domains to their appropriate IP addresses.

The Top Level Domain is the part of the domain after the far right period, for example website**.com**.

There are two types of TLDs, gTLD (generic) and ccTLD (country code). In the past, the gTLD was meant to indicate the purpose of the domain’s existence. For example, .gov would indicate a government-run website, .com a commercial one, .edu a site for an educational service, and so on. However, there are so many TLDs in existence today that the functions are now blurred.

The Second Level Domain is the name before the TLD like ‘.com’. Each one must be unique and has a maximum length of 63 characters. It can only use alphanumeric characters and hyphens.

A subdomain is what you see before the Second Level Domain, such as ‘www’. Other names such as ‘admin’, ‘login’, or ‘users’ may also go before the domain name. It has the same regulations as the Second Level Domain names. However, multiple subdomains can exist within one address, for example, ‘customers.admin.carsales.com’.

The total length of the entire domain name must be no more than 253 characters.

DNS also consists of different types of records such as A Records, AAAA Records, CNAME Record, MX Record, and TXT Records.

The A records resolve to IPv4 addresses like 8.8.8.8.

The AAAA records resolve to IPv6 addresses.

CNAME records resolve to another domain name. For example ‘store.urbanbikes.com’ could point to shops.shopify.com meaning that another request would need to go to shops.shopify.com in order to obtain the correct IP address of ‘store.urbanbikes.com’.

MX records resolve to email servers for your domain.

TXT records are simply free text fields in which any text data may be stored. They can be used for multiple purposes, such as listing servers that can send emails on behalf of the domain. They can also be useful to confirm ownership of a domain.

How Does DNS Work?

The first thing that happens when you type in a domain name is that your browser will look through your local DNS cache on your OS to see if there is already an IP associated with your domain. If there are no records, then a request to a Recursive DNS Server will be made. A Recursive DNS Server is more local to you and can either be provided for by your Internet Service Provider, or another server of your choosing. This server will also have its own cache to check. If a record for your domain is in their cache, then it is returned to you and you can make a connection with the domain. If there is no record, then the search goes up one more level to one of the Root DNS Servers. Once it is found, you are then redirected to the TLD Server containing the records for the TLD domain, such as ‘.com’, you are looking for.

The information of the nameserver, or nameservers, of the domain you need is contained within the TLD Domain Server. This is called the Authoritative Server. It stores the records for the particular domain name you are searching for. The records are sent back to the local Recursive server to store and maintain in its own cache. Then that information is passed on to you to be stored in the local browser cache. Once you receive the data, you can then make a connection to the server of the domain you are looking for and enter it.

All DNS records contain a TTL (Time To Live) value stored in seconds. Once the TTL expires, you must again make a DNS request to connect back to the domain.

How Can DNS Be Attacked?

Now that we know how DNS works, we must consider what attackers can do to take advantage of it. Typical DNS attacks include DOS attacks, DNS Tunneling, DNS Hijacking, and DNS Spoofing attacks. In this article we will discuss DNS Spoofing attacks and how you can easily conduct one on your local network.

DNS Spoofing attacks are attacks in which the attacker poisons, or changes, the local DNS cache record of a domain on a target to point to an IP he chooses. He returns to the target a false website he has hosted on that IP, which appears to the target as the actual web page of the domain. It can be done using either malware or network attacks in which the attacker places himself in the middle of the connection between the target and the gateway and then inserts false DNS records into the local cache. Once the target accesses the false page hosted by the attacker, the attacker can collect information such as emails or login credentials. The attacker can then follow up with phishing attacks or login attempts.

In order to conduct these attacks the attacker must be able to get in the middle of the connection between the target and the default gateway, similar to an ARP Spoofing attack, in order to capture the data packets travelling between the target and the router.
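The poisoned record described above shows up on the target as a public domain resolving to an address the attacker chose; in the local-network case that is a LAN address. The Python below is an added example, not part of the original article: it audits a set of resolver answers for that signature. The function names, the internal suffix list and the sample answers are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: zones that are expected to resolve to LAN addresses at your site.
INTERNAL_SUFFIXES = (".lan", ".local", ".internal", ".home.arpa")

# Constructed sample: answers seen by the local resolver on a poisoned host
# (192.168.0.16 is the attacker IP used later in this article) ...
LOCAL_ANSWERS = {
    "google.com": ["192.168.0.16"],
    "dns.google": ["8.8.8.8"],
    "printer.lan": ["192.168.0.50"],
}
# ... and constructed answers for the same names from a resolver reached over
# a path the LAN attacker cannot rewrite (for example DNS over HTTPS).
TRUSTED_ANSWERS = {
    "google.com": ["142.250.72.14"],
    "dns.google": ["8.8.8.8", "8.8.4.4"],
}

def non_routable(addr):
    """True for private, loopback and link-local IPv4/IPv6 addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local

def audit_answers(local, trusted=None):
    """Return (name, reason) findings for answers that look spoofed."""
    findings = []
    for name, answers in local.items():
        fqdn = name.rstrip(".").lower()
        if fqdn.endswith(INTERNAL_SUFFIXES):
            continue  # internal names are allowed to point at the LAN
        bad = [a for a in answers if non_routable(a)]
        if bad:
            findings.append((fqdn, "public name resolves to non-routable " + ", ".join(bad)))
        expected = (trusted or {}).get(fqdn)
        if expected:
            seen = {ipaddress.ip_address(a) for a in answers}
            if not seen & {ipaddress.ip_address(a) for a in expected}:
                # Weak signal on its own: CDNs legitimately rotate addresses.
                findings.append((fqdn, "no overlap with trusted resolver answer"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_answers(LOCAL_ANSWERS, TRUSTED_ANSWERS):
        print(f"{name}: {reason}")
```

The non-routable check only catches a spoofed record that points back into the LAN; a record pointing at an attacker's public server needs the comparison against the trusted answers.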

Conducting a DNS Spoofing Attack In a Local Network

Similar to an ARP Spoofing attack, to conduct this attack we must find a way to place ourselves in the connection between our target and the local router. All that is required is Ettercap and a local server setup to host your false website. If you have a virtual machine running or even another computer you wish to try this on as your target IP then go ahead and do so. If you have neither you can try this on your own computer.

If you do not have Ettercap set up on your machine, you can refer to my previous article on how to set it up. Once installed you can then begin as follows.

  1. We first need to make some changes to our Ettercap configuration files.

Make sure that in your /etc/ettercap/etter.conf file ‘ec_uid’ and ‘ec_gid’ are set to 0.

Then scroll further down and uncomment the lines below. If you are running this from Mac or BSD, then uncomment under the appropriate heading instead of Linux as you see below. Uncommenting these lines will redirect SSL connections to HTTP if possible.

If you find that Ettercap does not work when trying to find hosts, try uncommenting the other two lines below for IPv6 as well. I had to do this myself in order to get this to work.

Now let’s pick a domain to try this attack with and have that domain point to our server. We will choose google.com.

Open up /etc/ettercap/etter.dns in your editor and at the bottom of the page we will enter a false DNS name record for google.com which will point to our IP like I have done below. In my case, my IP is 192.168.0.16.

  2. Now we need to set up a fake website and run a server to host that page.

You can create any page you want; however, I made a simple one-line HTML page.

Once our page is created we must now set up our server. We can just run an Apache2 server using either ‘systemctl start apache2’ or ‘service apache2 start’.

Now that we have a server set up to host our fake website we can conduct our attack.

  3. Open up Ettercap by typing in ‘sudo ettercap -G’. Before we begin DNS Spoofing, we must first ARP Spoof our target and have our MAC appear as the MAC address of the local gateway so that traffic between the target and the gateway flows through our machine. So as not to repeat myself, please refer to my article on ARP Spoofing which shows you how to set up an ARP Spoof attack. Once you have begun the ARP Spoof attack, make sure your target is compromised by checking the ARP cache on your target using ‘arp -a’. Here is an example from my target machine once the attack had begun:

As you can see, the MAC address of the router was successfully changed from the actual MAC address of the router to our MAC address.

  • Now we can begin our DNS Spoofing attack. In Ettercap, go to Manage Plugins and click it. Then on the screen double click the DNS Spoof plugin to begin the attack. See my screenshot below and check your bottom panel to make sure it looks like mine after you have started.

  • And now on the target machine, enter ‘google.com’. You should now see your hosted web page. If it does not work, try clearing your local browser cache and try again.

Our attack has been successful.

Prevention

To begin with, you, as a regular user, can help by doing the following:

  • Making sure your Anti-Virus applications are up-to-date.

  • Being careful about the files you download. If you believe the file may be malicious, you can send it to virustotal.com before opening it.

  • Double-checking the websites you visit and making sure they run on the HTTPS protocol.

  • Flushing your own browser caches often and, if possible, the router cache as well.

  • Changing your own passwords from time to time.

If you are running a network server here is what you can do:

  • Install tools such as XArp, Snort, or ArpON to snuff out any potential ARP Spoofing attacks.

  • Make sure communications, especially involving sensitive data, are encrypted and sent through more secure protocols such as SSH, TLS, or HTTPS.

  • Set up a VPN to encrypt data.

  • Set up access control lists to prevent unwanted IPs from gaining access to your network.
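The ‘arp -a’ check used earlier to confirm the spoof also works as a detection: a gateway whose MAC address is shared with another host, or differs from the value you recorded for your router, is the sign of ARP Spoofing. The Python below is an added example, not part of the original article and not the logic of any tool named above; the gateway address 192.168.0.1, the MAC addresses and the function names are assumptions, and the ‘arp -a’ output is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Linux `arp -a` output (not captured from a real host).
# 192.168.0.16 is the attacker IP used in this article; the gateway address
# 192.168.0.1 and all MAC addresses are assumptions made for the example.
SAMPLE_ARP = """\
? (192.168.0.1) at 08:00:27:3c:5d:9e [ether] on eth0
? (192.168.0.16) at 08:00:27:3c:5d:9e [ether] on eth0
? (192.168.0.23) at 3c:22:fb:10:44:a1 [ether] on eth0
? (192.168.0.7) at <incomplete> on eth0
"""

# Matches Linux/macOS "(ip) at mac" rows and Windows "ip   mac" rows.
ENTRY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
                   r"([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})")

def normalize_mac(mac):
    """Lower-case, colon-separated, zero-padded (macOS drops leading zeros)."""
    return ":".join(p.zfill(2).lower() for p in re.split("[:-]", mac))

def parse_arp_table(text):
    """Return {ip: mac}, skipping incomplete, broadcast and multicast rows."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group(2))
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast
            continue
        table[m.group(1)] = mac
    return table

def find_arp_anomalies(text, gateway_ip, known_gateway_mac=None):
    """Flag a gateway MAC shared with another host or differing from a pinned value."""
    table = parse_arp_table(text)
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac and len(by_mac[gw_mac]) > 1:
        findings.append(("gateway-mac-shared", gw_mac, sorted(by_mac[gw_mac])))
    if gw_mac and known_gateway_mac and gw_mac != normalize_mac(known_gateway_mac):
        findings.append(("gateway-mac-changed", gw_mac, [gateway_ip]))
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE_ARP, "192.168.0.1", "a4:2b:b0:11:22:33"):
        print(finding)
```

Record the router's real MAC address while the network is known to be clean and pass it as known_gateway_mac; the shared-MAC check alone misses an attacker whose own IP is not in the cache.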
