DNS spoofing


Summary

Premise

  • attacker can deliver a forged DNS response to the victim's resolver before the legitimate DNS server's answer arrives
  • attacker is positioned as a man-in-the-middle at the application layer: can observe the query (and so its QID) or at least race the legitimate reply

Attack

  • when the victim sends a DNS query
  • respond with the same query ID (QID) but an attacker-controlled IP address in the answer, before the real answer lands; the resolver caches the first matching response and drops the real one

Attacker’s Goals

  • redirect the victim's traffic away from the real service -> availability
  • send the victim to a phishing site and harvest their data -> confidentiality
  • use the harvested credentials or sessions to perform actions as the victim -> integrity

Defense

  • DNSSEC - origin authentication of DNS responses: zone records are signed and the resolver verifies the signatures, so a forged answer fails validation (note: it does not encrypt queries or hide what was looked up)

Concept

Domain Name System(DNS)

  • maps human-readable domain names to IP addresses
  • uses UDP (port 53) by default: no handshake, and plain DNS responses carry no authentication
  • a 16-bit query ID (QID) is sent alongside the query; if the QID of the response doesn't match the outstanding query, the client rejects it
  • 16 bits is a small space: an off-path attacker can flood guesses, so modern resolvers also randomize the UDP source port of each query and require the response to come back to that port

  Client -> DNS Server: google.com?, QID
  DNS Server -> Client: 172.253.118.101, QID

DNS is also a single point of failure for the network: a DoS attack on the DNS server indirectly denies availability of every service that depends on name resolution, without touching those services directly.

DNS spoofing

  • as long as the QID (and destination port) is known, whether sniffed on-path or guessed off-path
  • send a response with a spoofed IP address before the legitimate response arrives
  • the resolver caches the bogus record and routes the user to a malicious server
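The attack and the QID check above, as an added worked example (not part of the original notes). It builds real DNS wire-format packets with `struct`, models a stub resolver that accepts the first response whose QID and destination port match the outstanding query, and then runs two scenarios: an on-path attacker who copies the sniffed QID (always wins the race), and an off-path attacker who brute-forces all 65536 QIDs against port 53 (wins against a fixed-port resolver, loses once the source port is randomized). Names, IPs and the `StubResolver` class are constructed for the example; `203.0.113.66` and `198.51.100.10` are documentation addresses standing in for the attacker's and the real server's IP.

```python
"""Toy model of DNS query-ID spoofing (constructed example, not real resolver code)."""
import random
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(qid, name):
    """Standard recursive A query: 12-byte header + question section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(qid, name, ip, ttl=300):
    """Response carrying one A record; the QID is the only thing tying it to a query."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, ANCOUNT=1
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer to the name at offset 12 (the question name)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt):
    """Return (qid, dotted IP) from a single-answer response like build_response makes."""
    qid = struct.unpack("!H", pkt[:2])[0]
    off = 12
    while pkt[off] != 0:          # skip the question name labels
        off += pkt[off] + 1
    off += 1 + 4                  # terminating null label + QTYPE + QCLASS
    off += 2                      # answer name: 2-byte compression pointer
    _, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    rdata = pkt[off + 10:off + 10 + rdlen]
    return qid, ".".join(str(b) for b in rdata)


class StubResolver:
    """Constructed resolver: accepts the first response matching the outstanding query's
    QID (and, if enabled, the randomized source port), then forgets the query."""

    def __init__(self, randomize_port=False, rng=random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}
        self.qid = None
        self.port = None

    def send_query(self, name):
        self.pending_name = name
        self.qid = self.rng.getrandbits(16)                     # fresh 16-bit ID
        self.port = self.rng.randint(1024, 65535) if self.randomize_port else 53
        return build_query(self.qid, name), self.port

    def receive(self, pkt, dst_port):
        if dst_port != self.port:
            return False          # wrong port: never reaches the waiting socket
        qid, ip = parse_response(pkt)
        if qid != self.qid:
            return False          # mismatched (or no outstanding) QID is dropped
        self.cache[self.pending_name] = ip
        self.qid = None           # query answered; later replies are ignored
        return True


def on_path_spoof(name, attacker_ip, real_ip):
    """MITM sees the query, copies its QID, and beats the real answer to the resolver."""
    resolver = StubResolver()
    query, port = resolver.send_query(name)
    sniffed_qid = struct.unpack("!H", query[:2])[0]
    forged_ok = resolver.receive(build_response(sniffed_qid, name, attacker_ip), port)
    real_ok = resolver.receive(build_response(sniffed_qid, name, real_ip), port)  # arrives second
    return forged_ok, real_ok, resolver.cache.get(name)


def off_path_spoof(name, attacker_ip, randomize_port, seed=1):
    """Blind attacker floods every 16-bit QID at UDP port 53 before the real reply arrives."""
    resolver = StubResolver(randomize_port=randomize_port, rng=random.Random(seed))
    resolver.send_query(name)
    for guess in range(2 ** 16):
        if resolver.receive(build_response(guess, name, attacker_ip), 53):
            return True
    return False


if __name__ == "__main__":
    print("on-path :", on_path_spoof("example.com", "203.0.113.66", "198.51.100.10"))
    print("off-path, fixed port 53 :", off_path_spoof("example.com", "203.0.113.66", False))
    print("off-path, random port   :", off_path_spoof("example.com", "203.0.113.66", True))
```

The on-path run shows why the QID alone is worthless against a MITM: it is sent in the clear with the query. The off-path runs show the Kaminsky-era lesson behind the port-randomization bullet: 65536 guesses is a trivial flood, and only adding ~2^16 of unpredictable port space on top of the QID makes blind guessing impractical. Neither check is a substitute for DNSSEC, which lets the resolver verify the answer itself rather than its envelope.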