What is a DNS Poisoning Attack?

DNS Poisoning AttackA Domain Name System (DNS) poisoning attack, also called DNS spoofing, is when an attacker is able to redirect a victim to different website than the address that he types into his browser.  For example, a user types www.google.com into their browser, but instead of being directed to Google’s servers he is instead is sent to a fraudulent site that may look like Google’s site but is in actuality it is controlled by the attacker.   The attacker is able to do this by changing the Internet Protocol (IP) address that usually points to Google to the fake IP address of the attacker.

The Domain Name System is needed so that networked machines can communicate with each other.  Machines use a unique IP address to identify one another much the same way a street address is used to locate a business or home.  However, people like words such Google, Yahoo, or YouTube instead of a difficult to remember IP address, like 67.13.142.130, which is easier for a machine to understand.   Domain name servers are used to convert names to their corresponding IP address and vice versa.

The DNS system is a massive database with billions of domain names and IP addresses.  The system handles billions of requests everyday as people surf the internet, send email, a create new websites.  Even though the DNS system is distributed around the world, it acts like a single system.

An attack can happen by modifying the host tables that are stored on local computers.  The host table is list of domains and IP addresses that are used to find the correct IP address when a user enters a domain site name.  If the so-called host table name system does not have the correct IP address stored locally then it contacts an external DNS for the correct IP address. If an attacker is able to compromise the entries within the host table then they can direct websites names to any IP address they wish.

Another method of performing a DNS Poisoning Attack is to target the external DNS servers themselves.  External DNS servers exchange information, including name and IP mapping, with each other using zone transfers.  Attackers can set up a DNS server with fake IP address entries so that if the targeted DNS server accepts the zone transfer as authentic, it will then use and distribute the fake IP address assignments to other DNS servers.  One way to prevent a DNS poisoning attack is to ensure that the latest version of the DNS software, called Berkley Internet Name Domain (BIND), is installed.

This entry was posted on Sunday, August 22nd, 2010 at 10:20 pm and is filed under Attacks, Computer Security, TCP/IP. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply