1. Define DNS poisoning, DNS spoofing and DNS hijacking.
2. Enable/install a web server on your computer (such as IIS).
3. Choose a website name (such as www.cnn.com, etc.) and ping the website using a command line tool. Note down the responses.
4. Change/poison the DNS configuration using the hosts file for your recently installed web server to redirect the chosen website (you could do the same that we did in the class) and ping the website (such as cnn.com as noted in step 3 above) that is being redirected. Note down the responses.
5. What are the differences in the responses of step 3 and step 4?
6. What advantages can be achieved by attacks using this type of cyber-attack (DNS poisoning)? Explain.
I need help with #4 for a Mac computer. Posted all the other questions for context.
DNS poisoning, DNS Spoofing and DNS hijacking
DNS poisoning:
DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones. One of the reasons DNS poisoning is so dangerous is because it can spread from DNS server to DNS server. In 2010, a DNS poisoning event resulted in the Great Firewall of China temporarily escaping China's national borders, censoring the Internet in the USA until the problem was fixed.
DNS Cache Poisoning
A DNS cache can become poisoned if it contains an incorrect entry. For example, if an attacker gets control of a DNS server and changes some of the information on it — for example, they could say that google.com actually points to an IP address the attacker owns — that DNS server would tell its users to look for google.com at the wrong address. The attacker's address could contain some sort of malicious phishing website.
DNS poisoning like this can also spread. For example, if various Internet service providers are getting their DNS information from the compromised server, the poisoned DNS entry will spread to the Internet service providers and be cached there. It will then spread to home routers and the DNS caches on computers as they look up the DNS entry, receive the incorrect response, and store it.
DNS Spoofing:
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. A Domain Name System server translates a human-readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes.
Normally if the server does not know a requested translation it will ask another server, and the process continues recursively.
To increase performance, a server will typically remember (cache) these translations for a certain amount of time. This means if it receives another request for the same translation, it can reply without needing to ask any other servers, until that cache expires.
DNS Hijacking:
Domain Name Server (DNS) hijacking, also named DNS redirection, is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites. To perform the attack, perpetrators either install malware on user computers, take over routers, or intercept or hack DNS communication.
DNS hijacking can be used for pharming (in this context, attackers typically display unwanted ads to generate revenue) or for phishing (displaying fake versions of sites users access and stealing data or credentials).
Many Internet Service Providers (ISPs) also use a type of DNS hijacking, to take over a user’s DNS requests, collect statistics and return ads when users access an unknown domain. Some governments use DNS hijacking for censorship, redirecting users to government-authorized sites.
DNS hijacking attack types
There are four basic types of DNS redirection:
· Local DNS hijack — attackers install Trojan malware on a user’s computer, and change the local DNS settings to redirect the user to malicious sites.
· Router DNS hijack — many routers have default passwords or firmware vulnerabilities. Attackers can take over a router and overwrite DNS settings, affecting all users connected to that router.
· Man in the middle DNS attacks — attackers intercept communication between a user and a DNS server, and provide different destination IP addresses pointing to malicious sites.
· Rogue DNS Server — attackers can hack a DNS server, and change DNS records to redirect DNS requests to malicious sites.
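As an added example (not part of the question or the answer above): a small Python parser that reads a hosts file the way a resolver consults it before asking DNS (step 4 of the lab edits this file, which on macOS is /etc/hosts), and flags public names pinned to loopback or private addresses, which is exactly the trace a "local DNS hijack" leaves behind. The hosts content below is constructed sample data; www.cnn.com is the name the question itself uses.

```python
import ipaddress

# Constructed sample of a macOS /etc/hosts after the lab's step 4: the
# stock loopback entries plus one added line that pins the chosen website
# to the locally installed web server. (Sample data, not from a real host.)
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
127.0.0.1   www.cnn.com cnn.com   # added for the lab
"""


def parse_hosts(text):
    """Return {hostname: [ip, ...]} from hosts-file text, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)  # skip malformed lines rather than crash
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), []).append(ip)
    return mapping


def lookup(text, name):
    """Mimic the resolver's first step: a hosts entry shadows any DNS answer."""
    return parse_hosts(text).get(name.lower().rstrip("."), [])


def suspicious_overrides(text, system_names=("localhost", "broadcasthost")):
    """Flag dotted (public-looking) names mapped to loopback/private/unspecified
    addresses; such entries are how a local hosts-file hijack shows up."""
    flagged = []
    for name, ips in parse_hosts(text).items():
        if name in system_names or "." not in name:
            continue
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if addr.is_loopback or addr.is_private or addr.is_unspecified:
                flagged.append((name, ip))
    return sorted(flagged)
```

On a real Mac, read the live file with `open("/etc/hosts").read()` instead of the sample; after editing it for step 4, `sudo dscacheutil -flushcache` followed by `sudo killall -HUP mDNSResponder` clears the resolver cache so ping picks up the new entry.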