DNS Poisoning is also known as DNS MITM , is an advanced form of Man in the Middle Attack .
In DNS Poisoning attack , when a client on the network tries to visit a website , we will redirect the traffic to our desired IP Address . This is done by ARP Cache Poisioning .
This technique is sometimes reffered to DNS Spoofing also .
Further taking an example of DNS Poisoning attack , all the traffic that is mean to be sent to www.example.com which has an IP address of A.A.A.A , will be sent to a fake www.example.com residing at an IP address of B.B.B.B
What is DNS ?
Domain Name Servers (DNS) are responsible for maintaining a Directory of Domain names and Translate them to Internet Protocol (IP) Addresses . This is important because the Domain names are easy for the humans to remember but the computers / Servers only understand IP’s . A computer will access the website based on IP Addresses.
How to DNS Poisoning Done ?
In DNS Poisoning attack , When a client on the network says it wants to access www.example.com , we will redirect the traffic to our fake copy of the same website , but at a different IP address i.e. our Kali Linux Machine which is running a ARP Poisoning Server.
For the DNS Poisoning to work we will need to route the packets of other computers through the Kali Linux machine . For this , run the following command on the Terminal .
echo “1” > /proc/sys/net/ipv4/ip_forward
Now we prepare for configuring the machine for DNS Poisoning Attack .
First edit the file : /usr/local/share/ettercap/etter.dns (for Backtrack 5 )
/usr/share/ettercap/etter.dns (for Kali Linux)
*.example.com A <your_attacker_machine_ip>
Use command ifconfig to find your machines IP .
ettercap -T -q -M arp:remote -P dns_spoof //
This is all an attacker needs to Sniff over your private traffic and do a DNS poisoning on your network and redirect the traffic from the legitimate website to the fake website .
How to Prevent DNS Poisoning on your Network ?
- Following are the tips to defend Against DNS Poisoning :
- Secure the Internal Infrastructure as this attack is only possible from the inside of the network .
- Use Intrusion Detection Systems (IDS) as they are capable to detecting ARP Poisoning .
- Use of DNSSEC , which is a new alternative of DNS , as it uses digitally signed DNS records .
DNS Poisoning is difficult to prevent due to its passive nature . Hence hard to detect and very important type of internal network based attack
Leave a Reply