Name resolution on the internet can be manipulated in different ways. One form of attack is DNS spoofing, in which IP addresses are spoofed. We explain exactly how it happens, what its objective is, what variants exist and how you can protect yourself.
The Domain Name System (DNS) is a system established throughout the world to correlate Internet domains with their corresponding IP addresses. DNS returns the IP address linked to a domain name, a process known as name resolution.
For name resolution to work, the IP address of a DNS server must be registered on the device. The device directs its DNS request to this server, which performs name resolution and responds. If no DNS server is configured on the device, the one on the local router is used automatically.
The general term spoofing means "deception" or "forgery". DNS spoofing refers to the different situations in which DNS name resolution is manipulated. More specifically, the IP address belonging to a domain is spoofed. Thus, the device establishes a connection with the spoofed IP address and diverts the data traffic to a fake server. Let's see an example:
Because name resolution takes place in the background, the victim is often unaware of the tampering. One of the most dangerous features of DNS spoofing is that the browser displays the correct domain.
The term DNS spoofing describes a variety of attack scenarios. The following outline explains the principles of DNS spoofing.
The main purpose of DNS spoofing is to carry out attacks that generally aim to collect sensitive user data. However, legitimate companies also sometimes resort to DNS spoofing. It is well known that some Internet Service Providers (ISPs) use this method for censorship and commercial purposes.
Cybercriminals use DNS spoofing for phishing and pharming attacks. The main objective is to obtain the user's sensitive data. In DNS spoofing, the victim is made to believe that they have reached a legitimate domain and, exploiting their trust in the spoofed domain, malicious software is transmitted to them. The person unintentionally installs this malware on their computer and infects their own system with it.
Most people use, without being aware of it, a DNS server of their Internet provider that is usually preconfigured on the local router. In this way, every DNS query is subject to control by the Internet provider.
ISPs can deliberately manipulate their DNS tables to enforce state censorship. In this way, in many countries, user access to pornography or file-sharing domains is blocked. If the user tries to access one of these blocked domains, they are redirected to a warning page. However, these blocks can easily be bypassed by using an uncensored DNS server.
This same trick of diverting user access from a certain domain to another page is also used to collect user data for commercial purposes. Thus, Internet providers use DNS hijacking to divert a user who looks up a non-existent domain, or misspells one, to a certain page. Such a page displays advertising, for example, or builds a user profile that is sold for profit.
DNS is a fundamental technology on the Internet: every connection establishment uses name resolution. For this reason, DNS spoofing can affect each and every client connection. It doesn't matter whether the victim accesses a web page or sends an email: if the IP address of the affected server has been tampered with, the attacker can access the data.
These are the risks of DNS spoofing:
A concrete example: in the context of the COVID-19 pandemic, a wave of DNS spoofing attacks occurred in the spring of 2020. They consisted of router hijacking attacks, in which a malicious IP address was registered as the DNS server on routers with insecure administrator access. The victim received an alleged notice from the World Health Organization inviting them to immediately install an information application on COVID-19. In reality, the software was a Trojan. If installed by a gullible person, the Trojan searched their local system and tried to capture sensitive data in order to create a complete profile and use it in further spear phishing attacks against the victim. The stolen data included the following:
The next three attack variants refer to the scheme (AC) presented at the beginning.
In this variant of DNS spoofing attack, the local device or router is maliciously manipulated. In principle, for the victim, everything appears normal: the device connects without problem to the DNS server. However, malicious IP addresses are returned for the requested hostname.
The threat of these attacks persists until anti-tampering measures are taken. The cybercriminal needs an attack vector to carry out the intrusion, which can be a technical weakness, an open administrator interface or a weak password. The attacker can also convince you through social engineering to make the change yourself without perceiving the threat.
In local hijacking, another known form of DNS spoofing attack, the IP address of the DNS server is set to a malicious value in the network settings of the local device.
The victim can easily notice the alteration and correct it. The problem is that the manipulation is often combined with malware that re-applies the malicious setting after the victim corrects it.
Use the online tool WhoismyDNS to check if you have been a victim of this type of DNS spoofing attack.
Most operating systems use the so-called hosts file to enable the resolution of names of certain domains on the local system. If a malicious entry is placed in this file, the data traffic is diverted to a server that is in the attacker's hands.
The tampering has no expiration date, although a computer-savvy victim can easily spot it. A simple modification of the hosts file is enough to solve the problem.
By default, the IP address of a DNS server of the Internet provider is configured on the local router. During a hijacking attack on the router, it is replaced by a malicious value. The attack threatens all data traffic passing through the router. Since in any home or office it is common for several devices to use the router to connect, this attack can claim several victims.
Many users forget that they can configure the router themselves, so this attack tends to remain hidden for a long time. If problems appear, victims generally blame the device itself and not the router. Therefore, you should also think of the router as a possible source of error when unusual failures occur.
Use F-Secure Router Checker to check if you have been a victim of this type of DNS spoofing attack.
This variant of DNS spoofing consists of a man-in-the-middle attack. The attacker impersonates the victim's DNS server and issues a malicious response. The attack works because DNS traffic relies on the unencrypted User Datagram Protocol (UDP). For the victim, the authenticity of DNS responses cannot be guaranteed.
Other forms of attack, such as ARP spoofing and MAC spoofing, can be used as a gateway to the local network. The application of encryption technologies protects against many man-in-the-middle attacks .
This form of DNS spoofing attack is directed against a legitimate DNS server and can therefore affect many users. This is a high-level attack, because many security mechanisms typically have to be overcome to compromise the server.
DNS servers are hierarchically arranged and communicate with each other. A cybercriminal can use IP spoofing to impersonate one of them. In this case, the attacker convinces the server to accept a fake IP address for a domain, and the server caches the malicious entry: the cache is thus "poisoned".
Once the cache is poisoned, every query sent to the server is answered with the malicious entry. The threat remains active until the entry is removed from the cache. As a server-side protection mechanism there is the DNSSEC extension, with which the security of communication between the servers within the DNS can be guaranteed.
Use the IONOS domain protection service to protect your domain from tampering.
This form of threat, known as rogue hijack, represents a fairly complex attack on DNS. With it, the attacker takes control of a legitimate DNS server. Once the server is compromised, even the latest DNS encryption methods no longer protect the client. However, thanks to encryption of the content, the victim can at least become aware of the attack.
As we have seen, DNS spoofing poses a serious danger. Fortunately, there are a number of simple measures that offer effective protection against DNS spoofing.
Typically, encryption methods offer two main benefits:
The second point is an especially critical factor in the fight against DNS spoofing: if the attacker impersonates a legitimate host, this generates a certificate error on the user's side. In this way, the attempted fraud is exposed.
For a basic level of protection, the security of as many connections as possible should be ensured by the usual methods of transport encryption. Preferably, you should visit web pages over HTTPS. The well-known HTTPS Everywhere browser plug-in makes you connect securely to web pages that deliver content over both HTTP and HTTPS. Also, in your email programs, you should use encrypted connections (IMAP, POP3 and SMTP) with secure protocols such as TLS and SSL.
If your connections are protected by transport encryption, you will at least be made aware of DNS spoofing attacks: since the malicious host does not have the security certificate of the real host, the browser and the email program warn when the connection is established. This way, you have the opportunity to interrupt the connection and take further security measures.
Transport encryption protects the transmission of data, but does not solve the vulnerability of the connection with the DNS server, which therefore becomes the weakest link in the chain. However, the user can take steps to encrypt DNS queries. Noteworthy technologies are DNSCrypt, DNS over HTTPS (DoH) and DNS over TLS (DoT). All of them protect against dangerous man-in-the-middle attacks, although none of them are built into the most popular operating systems. Also, the DNS server must support the corresponding technology for DNS encryption to be used.
In addition to encrypting the transport and protecting the connection to the DNS server, a virtual private network (VPN) can be used to increase protection against DNS spoofing. By using a VPN, all connections are conducted through an encrypted tunnel. It is important to mention that most VPN programs let you configure the IP address of a DNS server. If that address is malicious, the VPN will not offer any protection against DNS spoofing.
If you don't want to spend a lot of time choosing a VPN provider, you can use Cloudflare's free WARP app, which offers VPN functionality and DNS encryption through Cloudflare's 1.1.1.1 public DNS resolver. You will find more information about it in the next section. In this application, increased security is accompanied by an intuitive user interface. At the moment, it is only available for mobile devices, but in the future it will also have a desktop version for Windows and Mac.
One of the most effective protection measures against DNS spoofing is to use a public DNS resolver. Installing it is so simple that practically any user can configure it on their device. To do this, you just have to change the DNS server registered in your system. As an example, we can name the Quad9 network, made available by the non-profit organization of the same name.
Using a public DNS service offers the following benefits:
The following table summarizes the most popular public DNS networks. All these services are redundantly configured using two IP addresses, so that if the first of the two servers is not found, the second is used. Some networks offer other IP addresses on which additional functions can be activated, such as child protection.
| Network | Filtering contents | Data protection | Name server IP addresses |
|---|---|---|---|
| Quad9 | Malicious domain filtering | No user data registration | 9.9.9.9 and 149.112.112.112 |
| Cloudflare DNS Family | Malicious domain filtering and child protection | | 1.1.1.3 and 1.0.0.3 |
| Cloudflare DNS | No filtering | | 1.1.1.1 and 1.0.0.1 |
| DNS.watch | | | 84.200.69.80 and 84.200.70.40 |
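To detect the local hijacking and hosts-file tampering described earlier, and to check whether the resolver configured on a device is one of the public networks in the table, here is an added Python example that is not part of the original article or of any of the named providers. It parses hosts-file and resolv.conf text; the function names, the trusted-resolver set and the sample entries are constructed for illustration.

```python
"""Audit local name resolution for the spoofing indicators described above."""
import ipaddress
import re

# Public resolvers from the table in this article; pass your router's LAN
# address as extra_trusted once you have verified the router's own setting.
TRUSTED_RESOLVERS = {
    "9.9.9.9", "149.112.112.112",      # Quad9
    "1.1.1.1", "1.0.0.1",              # Cloudflare DNS
    "1.1.1.3", "1.0.0.3",              # Cloudflare DNS Family
    "84.200.69.80", "84.200.70.40",    # DNS.watch
}
# Names every hosts file legitimately maps to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}


def suspicious_hosts_entries(hosts_text):
    """Return (ip, name) pairs mapping a non-local name to a routable address."""
    # hosts is consulted before any DNS server, so such an entry redirects silently.
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue                                 # malformed, cannot redirect
        if ip.is_loopback or ip.is_unspecified:      # 127.x/::1 and 0.0.0.0 blocklists
            continue
        findings.extend((ip_str, n) for n in names if n.lower() not in LOCAL_NAMES)
    return findings


def untrusted_nameservers(resolv_text, extra_trusted=()):
    """Return nameserver addresses in resolv.conf text that are not trusted."""
    trusted = TRUSTED_RESOLVERS | set(extra_trusted)
    found = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.MULTILINE)
    return [ip for ip in found if ip not in trusted]


# Constructed sample inputs (documentation addresses, not real systems).
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
0.0.0.0     ads.example                      # blocklist-style entry, harmless
203.0.113.7 bank.example www.bank.example    # override of a public domain
"""
SAMPLE_RESOLV = "nameserver 9.9.9.9\nnameserver 203.0.113.53\n"
```

On a real system, read the hosts file (/etc/hosts, or the drivers/etc/hosts file on Windows) and /etc/resolv.conf and pass their contents to the two functions. A private address such as the router's LAN IP is reported as untrusted until you add it to extra_trusted after checking the router's own DNS setting.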
DNS spoofing poses a serious threat. Using encryption technologies in combination with a public DNS resolver protects us greatly against this type of attack.