DNS stands for “domain name system” and it can be described as the index for the internet. It allows users to access information by translating a domain name (like kaspersky.com) into the corresponding IP address that a browser needs to load internet resources (for example, articles like this one). As a system, the DNS is used to track, catalog, and regulate websites all over the world.
In order to get a more detailed picture of what the DNS is, we need to take a look at how the DNS works. However, it’s important to first clarify the terms involved with this topic:
An Internet Protocol (IP) address is the number assigned to each unique computer and server. These IDs are what computers use to locate and “talk” to each other.
A domain (or domain name) is a text name that humans use to remember, identify, and connect to specific websites and their servers. For example, a domain like “www.kaspersky.com” is used as an easy way to understand the actual target server ID — i.e., an IP address.
Domain name system servers (DNS servers or DNS nameservers) are a collective of four server types that compose the “DNS lookup” process. They include the resolving name server, root name servers, top-level domain (TLD) name servers, and authoritative name servers. To get a better understanding, let’s detail the specifics of each of these servers:
- Resolving name server (or recursive resolver) is the translating component of the DNS lookup process. It is designed to receive queries from the client (via a web browser or app) and then communicate these queries to a series of web servers (listed below) to find the target IP address of a domain name. It can respond with previously cached data or send the query to a root nameserver. The resolving name service is in constant communication with the below servers during a lookup process.
- Root name server (root server) is where all DNS lookups start. If you imagine the DNS like a hierarchy, the “root zone” would be at the top. A root server is a DNS nameserver that operates in the root zone. It often serves as a reference point in the process of a lookup.
- Top-level domain (TLD) name server is located one level below the root zone. The next phase in the lookup, contains information for all domain names that contain a common “domain extension” i.e. .com, .net etc.
- Authoritative name server is the final part of the lookup, and contains information specific to the domain name searched for. It can provide the resolving name server with the correct IP address.
Now that we’ve established the DNS definition and a general understanding of the DNS and its servers, we can explore exactly how it works.
How does DNS work?
When you search for a website via a domain name on your browser, you begin a process called “lookup.” The whole lookup journey has 6 stages:
- Your web browser and operating system (OS) attempt to recall the IP address attached to the domain name. If visited previously, the IP address can be recalled from the computer’s internal storage or the memory cache.
- The process continues if neither component knows where the destination IP address is.
- The OS queries the resolving name server for the IP address. This query starts the search through the domain name system server chain to find the matching IP for the domain.
- The query first arrives at the root name server, which directs the query onto the TLD server (via the resolver).
- The TLD server then passes your query on, or points it, to the authoritative name server (again, via the resolver).
- Ultimately, the resolver, through communication with the authoritative name server will find and deliver the IP address to the OS, which passes it back to the web browser, giving you the website or page that you requested.
The DNS lookup process is the vital framework used by the entire internet. Unfortunately, criminals can abuse vulnerabilities in DNS, meaning you’ll need to be aware of possible scams via redirects, often referred to as “spoofing” and “poisoning.” To help you avoid these threats, let’s explain what DNS spoofing and DNS poisoning are and how they work.
DNS spoofing and poisoning definition
Domain Name System (DNS) poisoning and spoofing are types of cyberattack that exploit DNS server vulnerabilities to divert traffic away from legitimate servers towards fake ones. Once you’ve traveled to a fraudulent page, you may be puzzled as to how to resolve it — despite being the only one who can. You’ll need to know exactly how it works to protect yourself.
DNS spoofing and, by extension, DNS cache poisoning are among the more deceptive cyberthreats. Without understanding how the internet connects you to websites, you may be deceived into thinking the website itself is hacked. In some cases, it may just be your device. Even worse, cybersecurity suites can only stop some of the DNS spoofing-related threats.
How DNS cache poisoning and spoofing works
In regard to DNS, the most prominent threats are two-fold:
- DNS spoofing is the resulting threat which mimics legitimate server destinations to redirect a domain’s traffic. Unsuspecting victims end up on malicious websites, which is the goal that results from various methods of DNS spoofing attacks.
- DNS cache poisoning is a user-end method of DNS spoofing, in which your system logs the fraudulent IP address in your local memory cache. This leads the DNS to recall the bad site specifically for you, even if the issue gets resolved or never existed on the server-end.
Methods for DNS spoofing or cache poisoning attacks
Among the various methods for DNS spoof attacks, these are some of the more common:
Man-in-the-middle duping: Where an attacker steps between your web browser and the DNS server. A tool is used for simultaneous cache poisoning on your local device and server poisoning on the DNS server. The result is a redirect to a malicious site hosted on the attacker’s own local server.
DNS server hijacks: The criminal directly reconfigures the server to direct all requesting users to the malicious website. Once a fraudulent DNS entry is injected onto the DNS server, any IP request for the spoofed domain will result in the fake site.
DNS cache poisoning via spam: The code for DNS cache poisoning is often found in URLs sent via spam emails. These emails attempt to frighten users into clicking on the supplied URL, which in turn infects their computer. Banner ads and images — both in emails and on untrustworthy websites — can also direct users to this code. Once poisoned, your computer will take you to fake websites that are spoofed to look like the real thing. This is where the true threats are introduced to your devices.
Risks of DNS poisoning and spoofing
Here are some common risks of DNS poisoning and spoofing:
- Data theft
- Malware infection
- Halted security updates
- Censorship
DNS spoofing poses several risks, each putting your devices and personal data in harm’s way.
Data theft can be particularly lucrative for DNS spoof attackers. Banking websites and popular online retailers are easily hit, meaning any password, credit card, or personal information may be compromised. The redirects would be to phishing websites designed to collect your information.
Malware infection is yet another common threat with DNS spoofing. With a spoof redirecting you, the destination could end up being a site infested with malicious downloads. Drive by downloads are an easy way to automate the infection of your system. Ultimately, if you’re not using internet security, you’re exposed to risks like spyware, keyloggers, or worms.
Halted security updates can result from a DNS spoof. If spoofed sites include internet security providers, legitimate security updates will not be performed. As a result, your computer may be exposed to additional threats such as viruses or Trojans.
Censorship is a risk that is actually commonplace in some parts of the world. For example, China uses modifications to the DNS to ensure all websites viewed within the country are approved. This nation-level block, dubbed the “Great Firewall”, is one example of how powerful DNS spoofing can be.
Specifically, eliminating DNS cache poisoning is difficult. Since cleaning an infected server does not rid a desktop or mobile device of the problem, the device will return to the spoofed site. Furthermore, clean desktops connecting to an infected server will be compromised again.
How to prevent DNS cache poisoning and spoofing
When looking to prevent DNS spoofing, user-end protections are limited. Website owners and server providers are a bit more empowered to protect themselves and their users. To appropriately keep everyone safe, both parties must try to avoid spoofs.
Here's how to prevent these attacks for website owners and DNS service providers:
- DNS spoofing detection tools
- Domain name system security extensions
- End-to-end encryption
Here’s how to prevent these threats for endpoint users:
- Never click on a link you don’t recognize
- Regularly scan your computer for malware
- Flush your DNS cache to solve poisoning
- Use a Virtual Private Network (VPN)
Prevention tips for website owners and DNS server providers
As a website owner or DNS server provider, the responsibility to defend users is firmly in your hands. You can implement various protective tools and protocols to keep threats out. Among these resources, you would be wise to use some of the following:
- DNS spoofing detection tools: As an equivalent of endpoint user security products, these detection tools proactively scan all data received before sending it out.
- Domain name system security extensions (DNSSEC): Essentially a DNS “verified real” label, the DNSSEC system helps keep a DNS lookup authentic and spoof-free.
- End-to-end encryption: Encrypted data, sent for DNS requests and replies, keeps criminals out as they won’t be able to duplicate the unique security certificate for the legitimate website.
Prevention tips for users
Users are particularly vulnerable to these kinds of threats. To avoid being a victim of a DNS poisoning attack, you should follow these simple tips:
- Never click on a link you don't recognize. This includes email, text messages, or links in social media. Tools that shorten URLs can further mask link destinations, so avoid those as much as possible. To be especially safe, always opt to manually enter a URL into your address bar. But only do so after you’ve confirmed that it is official and legitimate.
- Regularly scan your computer for malware. While you may not be able to detect DNS cache poisoning, your security software will help you uncover and remove any resulting infections. Since spoofed sites can deliver all types of malicious programs, you should always be scanning for viruses, spyware, and other hidden issues (the inverse is also possible, as malware could deliver spoofs). Always do so using a local program rather than a hosted version since poisoning could spoof web-based results.
- Flush your DNS cache to solve poisoning if necessary. Cache poisoning stays within your system for the long-term unless you clean out the infected data. This process can be as simple as opening the Windows “Run” program and typing “ ipconfig /flushdns” as your command. Mac, iOS, and Android also have flush options. These are usually found in a “network settings reset” option, toggling airplane mode, via device reboot, or in a specific native web browser URL. Look up your specific device’s method for guidance.
- Use a virtual private network (VPN). These services give you an encrypted tunnel for all your web traffic and the use of private DNS servers that exclusively use end-to-end encrypted requests. The result gives you servers that are far more resilient against DNS spoofing, and requests that can’t be interrupted.
Don’t leave yourself vulnerable to DNS spoofing and malware attacks. Protect yourself today with Kaspersky Home Security Products.
Related articles and links:
- What is Spoofing?
- What is Pharming & how to protect yourself?
- What is an IP address & what does it mean?
- Types of malware and malware examples
Related Products: