DNS spoofing (DNS cache poisoning)

The Domain Name System (DNS) is the technology that translates domain names (e.g. doubleoctopus.com) to the IP address of the corresponding server. DNS is one of the most important infrastructural protocols of the internet; among other purposes, it is meant to ease communications and relieve humans of the trouble of memorizing the IP address of every server they communicate with. When you type the address of a domain into your browser, a name resolution request is sent to a DNS server, which looks up the domain name in its records and returns the IP address of the corresponding server.

DNS spoofing is a type of attack in which a malicious actor intercepts a DNS request and returns an address that leads to its own server instead of the real one. Hackers can use DNS spoofing to launch a man-in-the-middle (MitM) attack and direct the victim to a bogus site that looks like the real one, or they can simply relay the traffic to the real website and silently steal the information.

Detecting and blocking DNS spoofing is an intricate process, but there are several measures that can protect you from MitM attacks carried out through DNS spoofing.

DNS spoofing requires the attacker to have access to your local network, so the first and most important measure is to set up good perimeter security and prevent unauthorized access to your local network. If you’re using WiFi at your organization, you can set up WPA-Enterprise security, which requires every connecting user to have their own username and password instead of sharing a single password for the entire network.

Another protection against DNS spoofing is the use of encrypted communications. Malicious actors can easily spoof unencrypted websites, but with HTTPS it is very difficult: even if they stage a DNS spoofing attack against the website, they won’t be able to spoof the certificate, the digital document that verifies the website’s encryption keys. So a user who has been the target of DNS spoofing on an encrypted website will see a warning in their browser telling them that the certificate of the website they’re visiting can’t be verified. That is the telltale sign of a MitM attack.
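The article describes the attack as an actor answering a DNS request with a forged address. The stub resolver's own defense against that is to accept only answers that match a query it actually sent: same UDP source port, same transaction ID, same question. The following example, added here and not part of the original article, builds constructed query and response packets with the standard library and runs a response checker over them; the packet bytes, port numbers, transaction IDs and IP addresses (from the TEST-NET ranges) are all made up for the demonstration. Answers that fail any check are what a resolver should drop and what a network monitor should log as possible spoofing.

```python
"""Minimal DNS response matcher (added example, not from the original article).

A forged answer has to guess the transaction ID, the question being answered
and the source port of the outstanding query. Responses that fail any of these
checks are rejected with a reason that can be written to a log.
"""
import struct
from dataclasses import dataclass

QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending with the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Return (lower-cased name, offset after the name). Follows compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035)
            if end is None:
                end = off + 2                           # name ends after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower(), (end if end is not None else off)


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Constructed standard query: flags 0x0100 = recursion desired, one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, ip: str, qtype: int = QTYPE_A, ttl: int = 300) -> bytes:
    """Constructed response with one A record; the answer name is a pointer to offset 12."""
    rdata = bytes(int(o) for o in ip.split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, NOERROR
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


@dataclass
class Parsed:
    txid: int
    is_response: bool
    qname: str
    qtype: int
    answers: list          # (name, type, ttl, rdata) tuples


def parse_message(msg: bytes) -> Parsed:
    """Parse header, the single question and the answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        atype, _aclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, atype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return Parsed(txid, bool(flags & 0x8000), qname, qtype, answers)


def a_records(parsed: Parsed) -> list:
    """Dotted-quad strings for the A records in a parsed response."""
    return [".".join(str(b) for b in rdata) for _n, t, _ttl, rdata in parsed.answers if t == QTYPE_A]


class ResolverSocketState:
    """Tracks the query outstanding on each source port, as a stub resolver would."""

    def __init__(self):
        self.pending = {}                                # src_port -> (txid, qname, qtype)

    def sent(self, src_port: int, query: bytes) -> None:
        q = parse_message(query)
        self.pending[src_port] = (q.txid, q.qname, q.qtype)

    def check(self, src_port: int, msg: bytes):
        """Return (accepted, reason). Only a matching response clears the pending entry."""
        try:
            r = parse_message(msg)
        except (ValueError, IndexError, struct.error) as e:
            return False, f"malformed: {e}"
        if not r.is_response:
            return False, "not a response"
        if src_port not in self.pending:
            return False, "no query outstanding on port"
        txid, qname, qtype = self.pending[src_port]
        if r.txid != txid:
            return False, "transaction id mismatch"
        if (r.qname, r.qtype) != (qname, qtype):
            return False, "question mismatch"
        del self.pending[src_port]
        return True, "ok"


if __name__ == "__main__":
    state = ResolverSocketState()
    state.sent(40001, build_query(0x1A2B, "www.example.com"))
    print(state.check(40001, build_response(0x0001, "www.example.com", "203.0.113.7")))     # wrong txid
    print(state.check(40001, build_response(0x1A2B, "login.example.com", "203.0.113.7")))   # wrong question
    print(state.check(40001, build_response(0x1A2B, "www.example.com", "198.51.100.10")))   # accepted
```

The port check is what source-port randomization buys a resolver: an attacker who cannot see the query must guess both the 16-bit transaction ID and the ephemeral port. Real resolvers add further checks (the answering server's address, bailiwick rules for extra records, DNSSEC validation); this block shows only the matching step the text's description of the attack turns on.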

But as we’ll see in the next section, even HTTPS websites can become the target of MitM attacks.

Frequently Asked Questions
What is DHCP spoofing?

DHCP spoofing is when an attacker responds to DHCP requests and tries to list itself as the default gateway or DNS server (which enables DNS spoofing), initiating a man-in-the-middle attack.

What is a DNS hijacking?

DNS hijacking is a malicious attack in which a hacker redirects queries to a domain name server (DNS) by overriding a computer’s TCP/IP settings.
Once the individual performing the DNS hijacking has control of the DNS, they can use it to direct traffic to different websites.