DNS Spoofing: What It Is and How to Fight Back

essidsolutions

The Domain Name System (DNS) is the phone book of the internet. Without it, users and developers would have to enter or hardcode IP addresses to access internet resources. However, DNS was not developed with security in mind. Attackers exploit DNS weaknesses to steal information and for financial gain. One of the most significant DNS attacks is DNS spoofing. Organizations must understand how DNS spoofing works and how to defend against it.

This article assumes readers know how DNS works. For a refresher or to learn the DNS process, view this video.

A DNS Review

As shown in Figure 1, when a user or application wants to access an internet resource, it sends the resource’s domain name to DNS servers.  Eventually, the requester receives the target IP address.  This retrieval of the IP address associated with a domain name is called domain name resolution.

Figure 1

When the Forwarding Server receives the IP address from the Authoritative Server, it saves the information in its local DNS cache. The workstation also stores the IP address for example.com in its local DNS cache.

If the workstation wants to access example.com again, it first checks its own cache for the IP address. If the entry is not in the local cache, it sends the request to the Forwarding Server, which in turn checks its cache for the domain name/IP address pair.


How DNS Spoofing Works

An attacker can insert herself into this process and assume a server's role, responding to the Forwarding Server or the workstation. Instead of providing the IP address of the internet resource the user wants, the attacker returns the IP address of a malicious internet location, often a web page that looks exactly like the authentic resource.

The purpose of these attacks is usually to steal users’ credentials and other personal information by having them authenticate to the malicious site using the credentials for the authentic site. The attacker can then request additional personal information from the user while impersonating the authentic internet resource.

Lan Wei and John Heidemann write in this research paper that an attacker can provide malicious IP addresses "by proxying, intercepting and modifying traffic; DNS injection…; or by modifying configurations in end hosts."

Proxying

Proxying is another name for a man-in-the-middle (MitM) attack: the attacker intercepts the DNS name resolution request and returns the IP address of the attacker's malicious internet resource.

DNS Injection

There is some delay while DNS resolves the domain name. This delay gives an attacker an opportunity to respond to the name resolution request before the authoritative server does. In this research paper, Sparks et al. write that this attack is possible for any attacker who can monitor any of the links in the name resolution process and insert a response packet. This is also one of the ways governments censor what their citizens can access.
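As an added illustration, not taken from the article or the cited paper, the Python below shows the defender-side signature of an injected response: two replies for the same transaction ID and question that carry different answers. The packet builder, the parser and the captured packets are all constructed here so the example runs offline.

```python
import struct
from collections import defaultdict

def build_response(txid, qname, ips):  # minimal DNS reply with A records (test data only)
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + name + b"\x00\x01\x00\x01"
    for ip in ips:  # 0xC00C: compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return msg

def read_name(msg, off):  # decode a possibly compressed name -> (name, next offset)
    labels = []
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # pointer to a name stored earlier in the message
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        if length == 0:
            return ".".join(labels), off + 1
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length

def parse_response(msg):  # -> (txid, question name, sorted tuple of A-record IPs)
    txid, _flags, _qdcount, ancount = struct.unpack_from("!HHHH", msg, 0)
    qname, off = read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 1 and rclass == 1:  # A record, class IN
            ips.append(".".join(str(b) for b in msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return txid, qname, tuple(sorted(ips))

def find_conflicting_responses(packets):
    # Two replies to one (txid, qname) with different answers: an injected reply racing the real one.
    seen = defaultdict(set)
    for pkt in packets:
        txid, qname, ips = parse_response(pkt)
        seen[(txid, qname)].add(ips)
    return {key: answers for key, answers in seen.items() if len(answers) > 1}

# Constructed capture: a legitimate reply, an injected reply reusing its transaction ID,
# and an unrelated reply that must not be flagged.
CAPTURE = [
    build_response(0x1234, "example.com", ["192.0.2.10"]),
    build_response(0x1234, "example.com", ["198.51.100.7"]),  # spoofed
    build_response(0x5678, "example.net", ["192.0.2.20"]),
]
```

A resolver sees only the first reply to arrive, so this check belongs in a passive sensor that sees every response on the link.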

Modifying Workstation/Forwarder Configurations

The primary workstation configuration target is the DNS cache. As described above, the IP addresses for resolved domain names are stored in the local cache of the workstation and the Forwarding Server. An example of Windows 10 DNS cache content is shown in Figure 2; the cache entry for a google.com name resolution is highlighted.

Figure 2

Dan Goodin writes that a new side-channel attack uses the port number of a DNS resolution request. Attackers who capture the port number have a high probability of successfully guessing the DNS request transaction ID. Using the transaction ID, attackers can flood the system requesting domain name resolution with a large number of responses containing the attacker's server's IP address.

Another method to change workstation DNS name resolutions is to modify the hosts file, located on a Windows 10 system in C:\Windows\System32\drivers\etc. Linux also uses a hosts file. The hosts file holds static name resolutions and is checked before the DNS cache. Administrators can change this file to speed up the resolution process, but malware can also change it.

Figure 3 shows the content of a Windows 10 hosts file.  I added a static entry to the file that resolves google.com to an incorrect IP address.  Consequently, the workstation on which this file resides would use this incorrect address instead of the correct address shown in Figure 2.

Figure 3
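As an added example, not from the article, the following Python audit parses a hosts file in the Windows 10 layout and reports every active mapping other than loopback-to-localhost, since each such line pre-empts DNS for that name. The file content is constructed here and includes a google.com entry like the one in Figure 3.

```python
import ipaddress

# Constructed hosts file in the Windows 10 layout (the stock entries are comments).
SAMPLE_HOSTS = """\
# Constructed hosts file in the Windows 10 layout (stock entries are comments).
# 102.54.94.97     rhino.acme.com          # source server
#       127.0.0.1       localhost
127.0.0.1   localhost
::1         localhost
203.0.113.45   google.com www.google.com   # constructed malicious entry
"""

def parse_hosts(text):
    """Yield (line number, address, hostname) for every active mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, so the resolver ignores the line as well
        for host in parts[1:]:
            yield lineno, addr, host.lower()

def hosts_overrides(text):
    """Return (line number, hostname, address) for entries that override DNS.
    The loopback -> localhost mapping is the only entry expected by default."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if addr.is_loopback and host == "localhost":
            continue
        findings.append((lineno, host, str(addr)))
    return findings

if __name__ == "__main__":
    for lineno, host, addr in hosts_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} pinned to {addr}")
```

On a real system, read the file from the path given above and run the audit on a schedule or after any malware alert.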


DNS Spoofing Defense

Setting up a defense against the attack vectors in this article is not difficult. First, make sure your browsers use DNS over HTTPS. Joel Cornell describes how to check this setting in Microsoft Edge here and in Google Chrome here. This is on by default in Chrome. DNS over HTTPS also requires that the DNS server in use supports it.

If an organization uses a DNS service like Cisco Umbrella, this is available by default. If not, the organization must configure its internal DNS to use DNS over HTTPS for internal and external traffic. Carrying DNS over HTTPS prevents attackers from reading your DNS traffic or injecting themselves into it.

Defending against configuration changes requires strong malware defense. Ensure only administrators have access to the hosts file and other DNS configuration options on both servers and workstations; remove local admin access from all day-to-day business accounts. Accounts with local admin access should use either two-factor authentication or strong passwords (e.g., PH!bAj!CCwj4Mv.RBVmz) managed by a privileged account manager.

Conclusion

DNS is a critical part of today's business computing environment. Although it was initially built without security in mind, we have options for securing against DNS spoofing via proxy, configuration changes, and injection. These options, including DNS over HTTPS and configuration security, help ensure the secure use of internet resources.

Do you think DNS over HTTPS can improve security? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!