What Is DNS Spoofing?

DNS (Domain Name Service) spoofing is the process of poisoning entries on a DNS server to redirect a targeted user to a malicious website under attacker control. The DNS attack typically happens in a public Wi-Fi environment but can occur in any situation where the attacker can poison ARP (Address Resolution Protocol) tables and force targeted user devices into using the attacker-controlled machine as the server for a specific website. It’s the first step in a sophisticated phishing attack on public Wi-Fi, and it can also trick users into installing malware on their devices or divulge sensitive information.

Most attackers use premade tools to perform DNS spoofing. Some threat actors write their own tools, but it’s unnecessary for this type of attack. Any location with free public Wi-Fi is a primary target, but it could be performed in any location with connected devices. A home or business network could be vulnerable to this attack, but these locations usually have monitoring that would detect malicious activity. Public Wi-Fi is often misconfigured and poorly secured, giving a threat actor more opportunity to perform DNS spoofing. That is why it is recommended to always think about Wi-Fi security, whether that be at home or in public.

When the attacker finds a good public Wi-Fi, the basic steps in DNS poisoning are:

• Use arpspoof to trick a targeted user’s machine into pointing to the attacker’s machine when the user types a domain address into their browser. This step essentially poisons the resolution cache on the user’s computer.
• Issue another arpspoof command to trick the domain web server into thinking the client’s IP is the attacker’s machine IP.
• Create a HOST file entry pointing the attacker’s machine IP to the targeted website. This HOST entry is used when users request the domain name.
• Set up a phishing website with the same look and feel of the “real” website on a local malicious computer.
• Collect data from targeted victims on the network by tricking them into authenticating or entering their information into the spoofed website pages.

The “spoofing” term in the attack means that the threat actor is using a malicious site that resembles the official website a user knows. Since DNS is a critical part of Internet communication, poisoning entries give an attacker the perfect phishing scenario to collect sensitive data. The threat actor can collect passwords, banking information, credit card numbers, contact information, and geographic data.

Because the user thinks that the website is official, the attacker can successfully carry out a phishing campaign. The spoofed site has elements recognisable to the user, and ideally, without red flags to indicate the site is fake. Unintentional red flags could be present on a spoofed website, but users rarely notice them, which makes spoofing an effective way to steal private data.

Because users often fall victim to phishing in a DNS spoofing attack, it’s a threat to data privacy. The spoofed site depends on attacker goals. For example, if an attacker wants to steal banking information, the first step is to find a popular banking site, download the code and styling files, and upload it to the malicious machine used to hijack connections.

Individuals who use the legitimate site enter the banking domain into their browsers but open the malicious website instead. Most attackers test and verify that the spoofed site is well-made, but occasionally, a few minor errors give the spoofed site away. For example, the malicious website typically has no encryption certificate installed, so the connection is cleartext. An unencrypted connection is a clear red flag that the hosted site is not a banking website. Browsers alert users that a connection is not encrypted, but many users miss or ignore the warning and enter their username and password anyway.

After the user accesses the spoofed website, any information entered into the site, including password, social security number, and private contact details, is sent to the attacker. With enough stolen information, an attacker could open other accounts under the targeted victim’s name or authenticate into legitimate accounts to steal more information or money.

Any user that accesses the internet from public Wi-Fi is vulnerable to DNS spoofing. To protect from DNS spoofing, internet providers can use DNSSEC (DNS security). When a domain owner sets up DNS entries, DNSSEC adds a cryptographic signature to the entries required by resolvers before they accept DNS lookups as authentic.

Standard DNS is not encrypted, and it’s not programmed to ensure that changes and resolved lookups are from legitimate servers and users. DNSSEC adds a signature component to the process that verifies updates and ensures that DNS spoofing is blocked. DNSSEC has gained more popularity recently as DNS spoofing threatens to breach user data privacy across any public Wi-Fi.

DNS spoofing and DNS poisoning are similar, but they have distinguishable characteristics. They both trick users into divulging sensitive data, and they both could result in a targeted user installing malicious software. Both DNS spoofing and poisoning pose a risk to user data privacy and the security of a website connection as users communicate with servers on a public Wi-Fi.

Poisoning DNS cache changes entries on resolvers or DNS servers where IP addresses are stored. That means any user from any location on the Internet will be redirected to a malicious attacker-controlled site provided they use the poisoned DNS server’s entries. The poisoning could affect global users depending on the poisoned server.

DNS spoofing is a broader term that describes attacks on DNS records. Any attack that changes DNS entries and forces users to access an attacker-controlled site would be considered spoofing, including poisoning entries. Spoofing could lead to more direct attacks on a local network where an attacker can poison DNS records of vulnerable machines and steal data from business or private users.