DNS (Domain Name Service) Spoofing is a computer attack where the user is diverted to a fraudulent or malicious or fake website which looks like the real one with the aim of stealing the user data (user credential in most cases). This attack is known to have huge impact and it also known to sustain for a long time period without getting noticed.

The main job of Domain Name Servers’ are to resolve the URLs (eg: www.google.com) in to its respective IP addresses which has been used for location fetching and communication between every nodes populated across internet. Attackers manipulate the stored IP address in the DNS Server to perform DNS Spoof in the specific address. This process is enough to redirect a user towards the fraudulent website which is placed by the attacker in the spoofed DNS server whenever they try to access a certain website. Among many there are two DNS spoofing methods which are more popular and effective such are DNS ID Spoofing and DNS cache poisoning. Compromised DNS server will replace the local DNS Server where the compromised server contains the existing websites name but with his or her own IP addresses. This ensures that whenever the user tries to communicate with local DNS server it will redirect towards the compromised DNS server and the user will end up in the fraudulent website. In DNS ID spoofing attack the IP information and the packet ID user sends will be duplicated with false information with in it. The response ID will match the request ID and the user will accept the unexpected response with the information without suspecting it. The ID could be captured using a simple Man in the Middle (MITM) attack (Intercepting the user and DNS server to route malicious IP address).

DNSSec as DNS Spoofing Mitigation

As DNS is an non-encrypted protocol it makes the attacker to intercept the traffic for spoofing. Additionally, the IP addresses which are redirected by the DNS servers is not validated by DNS servers themselves.

An additional method of verification is included in DNS Sec protocol which is designed to secure the DNS. Alongside other DNS records an unique cryptographic signature is stored which is created by the DNS Sec protocol. To ensure the record is not tampered a record along with a cryptography name a record will be used which is later used by the DNS resolver to authenticate a response from DNS server.

Even though DNS Sec protects the user from DNS spoofing attacks it has few drawbacks as well. Those are,

Zone Enumeration — additional records in the resource are used by the DNS Sec for signature validation. In this case a record named NSEC has the capability to verify the non existence of a DNS zone and this could allow the attacker to walk through DNS zone which allows the attacker to fetch all the DNS records and this is known as zone enumeration vulnerability. Newer versions of NSEC, NSEC3 and NSEC5 has a partially solved solutions where it only publishes hash values of the host-name, encryption prevents from zone enumeration.

Deployment Complex — if DNS Sec is misconfigured servers could lose their security advantages and sometimes denies access to websites.

Associate Software Engineer at Virtusa