We always hope our browser takes us directly to the web page we asked for every time we visit it. However, it may instead send us to a fraudulent website without our noticing. This happens when someone uses a DNS spoofing attack to corrupt DNS records and redirect users from a real site to a fake one. The following sections explain what DNS spoofing is, how it works, and what you can do to protect yourself from it.

How does a DNS server work?

To understand how DNS spoofing works, it is necessary to first understand how DNS servers work.

Every website has a domain name and an IP address. Because it is too difficult to remember a large number of IP addresses of 8 or more digits, we prefer to use domain names while browsing the Internet. By converting domain names to IP addresses, the DNS (Domain Name System) server plays a crucial role in our daily lives. We can think of it as a system that translates human language into computer language.

When we type www.tikvpn.com into our browser, the IP address of the TikVPN domain must first be found. Our browser does this by contacting a DNS server that holds the domain name record. The DNS server looks up the IP address and sends it back to the browser, and then we see the page displayed on the screen.

This server, which usually belongs to our ISP, cannot hold the IP address of every website on the Internet. A local DNS server typically holds only the addresses most used on its local network. If the DNS server has the address our browser is looking for, it sends it back immediately. Otherwise, it needs to forward the query to another DNS server. Once the local server has sent the address to the browser, it keeps the address in its cache for a while in case we need it again.

What is DNS spoofing?

In short, DNS spoofing is a network attack used to redirect Internet users to fake or malicious websites, achieved by replacing the real IP address of a domain with another one. Hackers usually use it to monitor people, install malware, and steal data such as login credentials or bank information. It is hard for victims to spot these attacks because they usually cannot see what is going on in the background while browsing.

Types of DNS spoofing attacks

Attackers use different strategies to spoof DNS addresses and redirect Internet users to their fake websites. To achieve this, they may create copies of real websites, fill them with malware, or simply display a message that the real website has been hacked.

In addition, DNS spoofing can be used to perform DDoS attacks. If a hacker replaces the IP addresses of multiple domains with the IP address of the target website, all users of those domains are redirected to that address, which will almost certainly crash the site because it cannot handle such a large number of requests.

The following is an introduction to three methods of spoofing DNS records:

Breaking in

Breaking in is the most obvious method, but also the most difficult. An attacker cannot break in until he has obtained the credentials of a user who has access to the target DNS server. Hackers may use various phishing techniques or keylogging malware to obtain these credentials. Once they have them, they can simply log in and change the records on the DNS server.

This is a more complex attack than cache poisoning, but it has a more lasting impact. The fake IP address remains on the server until someone notices and changes it. It also propagates to other DNS servers that send queries to it and remains in their caches for a short time.

Poisoning the cache

Cache poisoning is the most prevalent DNS spoofing strategy. It is easier than breaking in, but its effect does not last as long. Like breaking in, it allows fake IP addresses to propagate to the caches of other DNS servers.

It works like this: an attacker sends a query to the DNS server requesting an IP address. The DNS server in turn sends a query to the name server, and the attacker, pretending to be the authoritative DNS name server, answers it. Because the response is not verified, hackers can plant a fake IP address in the DNS server's cache.

Once the bad record exists, it is passed on to other DNS servers that request it. Even though the cache expires every few hours, fake DNS entries can still spread widely, depending on the popularity of the domain.
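To make the caching behaviour described in the first section and the verification step described here concrete, the following is an added example in Python; it is not code from the original article or from TikVPN. It assumes simplified `Query` and `Response` objects standing in for DNS packets, a constructed upstream answer, and the documentation addresses 203.0.113.10 and 198.51.100.7 as sample data. With `validate=True` the toy resolver caches a response only if its transaction ID and question match a query it actually sent, so an unsolicited answer is dropped; with `validate=False` it behaves like the unverified cache the text describes. The TTL handling shows why even a bad entry eventually expires.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    """Simplified stand-in for a DNS query (constructed, not a real packet)."""
    txid: int
    name: str
    qtype: str = "A"


@dataclass(frozen=True)
class Response:
    """Simplified stand-in for a DNS response (constructed, not a real packet)."""
    txid: int
    name: str
    qtype: str
    answer: str   # IP address claimed for the name
    ttl: int      # seconds the answer may be cached
    source: str   # label for where the response came from


class CachingResolver:
    """Toy local resolver: caches answers by TTL and, when validate=True,
    only accepts responses that match a query it actually sent."""

    def __init__(self, validate=True, clock=time.time):
        self.validate = validate
        self.clock = clock          # injectable clock so TTL expiry can be tested
        self.cache = {}             # (name, qtype) -> (answer, expires_at)
        self.pending = {}           # txid -> Query still waiting for an answer
        self.rejected = []          # (reason, Response) for anything dropped

    def lookup(self, name, qtype="A"):
        """Return the cached answer if its TTL has not run out, else None.
        None means a real resolver would now forward the query upstream."""
        key = (name.lower().rstrip("."), qtype)
        entry = self.cache.get(key)
        if entry is not None and entry[1] > self.clock():
            return entry[0]
        self.cache.pop(key, None)   # expired: drop it, as a real cache would
        return None

    def send_query(self, name, qtype="A", txid=None):
        """Record an outstanding query. Real resolvers pick a random 16-bit
        transaction ID (and source port) so answers cannot simply be guessed."""
        if txid is None:
            txid = secrets.randbelow(1 << 16)
        q = Query(txid, name.lower().rstrip("."), qtype)
        self.pending[txid] = q
        return q

    def receive(self, resp):
        """Process an incoming response. Returns True if it was cached."""
        key = (resp.name.lower().rstrip("."), resp.qtype)
        if self.validate:
            q = self.pending.get(resp.txid)
            if q is None:
                self.rejected.append(("no outstanding query with this txid", resp))
                return False
            if (q.name, q.qtype) != key:
                self.rejected.append(("answer does not match the question asked", resp))
                return False
            del self.pending[resp.txid]
        self.cache[key] = (resp.answer, self.clock() + resp.ttl)
        return True


def demo():
    """Walk through a cache miss, a dropped unsolicited answer, a genuine
    answer, and TTL expiry. Returns the observations so they can be checked."""
    now = [1_000_000.0]                       # constructed fake clock
    resolver = CachingResolver(validate=True, clock=lambda: now[0])

    miss = resolver.lookup("www.tikvpn.com")  # cold cache -> None (would forward)
    query = resolver.send_query("www.tikvpn.com", txid=4242)

    # Constructed unsolicited answer: right name, wrong transaction ID.
    unsolicited = Response(txid=1, name="www.tikvpn.com", qtype="A",
                           answer="198.51.100.7", ttl=86400, source="unknown")
    dropped = resolver.receive(unsolicited)

    # Constructed genuine answer from the server we actually asked.
    genuine = Response(txid=query.txid, name="www.tikvpn.com", qtype="A",
                       answer="203.0.113.10", ttl=300, source="upstream")
    accepted = resolver.receive(genuine)
    cached = resolver.lookup("www.tikvpn.com")

    now[0] += 301                             # the 300 s TTL has passed
    expired = resolver.lookup("www.tikvpn.com")
    return {"miss": miss, "dropped": dropped, "accepted": accepted,
            "cached": cached, "expired": expired,
            "rejections": [reason for reason, _ in resolver.rejected]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unsolicited answer being rejected and the genuine one cached until its TTL runs out. Constructing the same resolver with `validate=False` caches whatever arrives first, which is the situation the paragraph above describes; real resolvers add further defences (random source ports, bailiwick checks, DNSSEC) on top of the transaction-ID match shown here.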

Performing a man-in-the-middle attack

Insecure connections, such as public Wi-Fi, are easy targets for man-in-the-middle attacks. If hackers intercept our connection, they can see what we are doing online and use this information against us. In that position, whenever our browser sends a request to a DNS server, the attacker can respond with any IP address they want.

Since DNS spoofing is usually part of a larger attack plan, hackers will try to lead us to a fake website that looks like a real one, such as a popular online store or social network, in order to trick us into revealing login credentials, credit card information and other sensitive data. If we are not careful and do not know how to recognize a fake website, our sensitive information may be leaked without our noticing.

How to prevent DNS spoofing

There is no way to stop DNS spoofing ourselves, because we cannot check whether the IP address we received is the real one. If we are redirected to a random page, we should leave immediately without clicking anything, and notify our ISP that its DNS records may have been tampered with.

At the same time, we can use a VPN to avoid man-in-the-middle attacks. TikVPN further enhances our security and notifies us if the page we are visiting is known to contain malware. However, if we suspect that a redirected web page may have installed malware on our device, we should scan the device with an anti-malware tool. One of the things we need to watch out for most is a copy of a real website. Fortunately, there is more than one way to identify a forgery, and once we get the hang of it, we are not easily fooled.

  1. Check the URL. If the URL is not the one we entered, that is a huge red flag. If an attacker creates a copy of an existing website, he has to register a similar domain name for the copy. As a result, some characters may be changed or dropped, so that a lookalike of "YouTube.com" differs from the real domain by only a character or two.
  2. Look for the little padlock next to the website address. If it is open or crossed out, the page does not have a valid TLS/SSL certificate, so all traffic between the site and us is unencrypted. If we are visiting the website of a local newspaper, that is no surprise. But if it is a major platform with millions of users, we should investigate further before doing anything else.
  3. Look for spelling errors and obvious grammatical errors. A fake site may show several telltale features, for example words that are capitalized randomly, commas that appear in strange places, and content that reads oddly.
  4. Pay attention to the design of the website. We usually do not notice it consciously, but we can easily tell when something is wrong. If our bank usually uses dark purple, we may notice whether the color or the logo on the pages is right. In this situation, we should trust our intuition, and if something looks suspicious, check for other signs before proceeding.
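As an added example, not part of the original article and not TikVPN's code, the Python below turns the first check (is this really the domain I typed?) into something a script or browser extension could run before we log in. It assumes a constructed allow-list of domains we expect to visit and a small constructed sample of Cyrillic-to-Latin lookalike characters; the full confusables table is published with Unicode Technical Report #39. It flags three things the text describes: internationalized labels (raw Unicode or `xn--` punycode), a single label that mixes scripts, and a brand name that is a homograph of, or within two edits of, one we trust. The certificate check from the second item is not covered here.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of the domains we actually mean to visit.
EXPECTED_DOMAINS = {"youtube.com", "tikvpn.com"}

# Small constructed subset of Cyrillic letters that look like Latin ones.
# (The complete list is Unicode TR #39 "confusables"; this is only a sample.)
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l", "\u0455": "s",
}


def registrable_domain(host):
    """Naive 'brand' part of a hostname: the last two labels.
    (Production code would consult the Public Suffix List for co.uk-style suffixes.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(text):
    """Map known confusable characters onto their Latin lookalikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def scripts_in(label):
    """Set of script families used by the letters of one label, approximated
    from the first word of each character's Unicode name ('LATIN', 'CYRILLIC', ...)."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ")[0])
    return scripts


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url, expected=EXPECTED_DOMAINS):
    """Return a list of red flags for the hostname in url (empty list = looks fine)."""
    host = (urlsplit(url).hostname or "").lower()
    findings = []

    # Flag 1: internationalized labels, either raw Unicode or punycode (xn--).
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        findings.append("hostname uses internationalized (non-ASCII) labels")

    # Work on the Unicode form so lookalike letters can be inspected.
    try:
        unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        unicode_host = host

    # Flag 2: one label mixing scripts, e.g. Latin letters plus a Cyrillic 'o'.
    for label in unicode_host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")

    # Flag 3: brand part is a homograph of, or a few edits away from, a trusted domain.
    domain = registrable_domain(unicode_host)
    if domain not in expected:
        skel = skeleton(domain)
        for brand in sorted(expected):
            distance = levenshtein(skel, brand)
            if distance == 0:
                findings.append(f"{domain!r} is a homograph of {brand!r}")
            elif distance <= 2:
                findings.append(f"{domain!r} is within {distance} edit(s) of {brand!r}")
    return findings


if __name__ == "__main__":
    for sample in ("https://www.youtube.com/watch", "https://y0utube.com/login",
                   "https://y\u043eutube.com/"):          # constructed samples
        print(sample, "->", assess_url(sample) or "no red flags")
```

An empty result only means the name passed these three checks; it is a prompt to look closer, not proof that a site is genuine, which is why the text pairs it with the padlock, spelling and design checks.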