DNS spoofing: what it is, why it is used, and how to avoid it
Posted on May 30, 2018 By Dennis
DNS spoofing corrupts the domain name system, diverting internet traffic away from its intended destination. DNS spoofing is used to censor the internet, redirect end users to malicious websites, and carry out DDoS attacks on web servers.
DNS spoofing is also known as:
- DNS tampering
- DNS cache poisoning
- DNS hijacking
- DNS redirection
In this article, we’ll explain how the domain name system works, what DNS spoofing is, how DNS spoofing is used, and how to avoid it.
What is DNS?
DNS stands for Domain Name System. Think of it as a sort of phone book for the web. Whenever you click a link or type a website URL into your web browser, a DNS request is sent to a nameserver. The nameserver checks its DNS resolver cache to “resolve” the URL into the IP address of the server where the website is hosted. This is analogous to looking up someone’s name in the phone book to learn their phone number.
Just like each person in the phone book has a unique phone number, each website has one or more unique IP addresses. Once your browser knows the IP address of the website, it can download pages from that server and display them.
In most cases, this resolution process completes in a matter of seconds, or even milliseconds, so you may not even realize it’s happening as you browse the web.
By default, your web browser probably uses a nameserver provided by your Internet Service Provider (ISP). Most devices enable you to specify your preferred nameserver in the internet connection settings. This way, users may opt to use a public or private DNS server. Google DNS is a popular public DNS server.
What is DNS spoofing?
DNS spoofing occurs when someone—usually a hacker—alters the entries in a nameserver’s DNS resolver cache. This is akin to changing someone’s phone number in the phone book. For example, if someone changed the entry for “Privacy.net,” any of our readers using that nameserver would be diverted to whatever IP address the hacker specified.
There are a number of reasons why a hacker or other entity might do this:
- Launch an attack. By changing the IP address for a popular domain like Google.com, for example, a hacker could divert a large amount of traffic to a server that cannot handle the load. This can cause the server to slow down, stop, and encounter numerous errors. Such a “denial-of-service” attack can shut down a website or game server, for example.
- Redirection. A corrupted DNS entry can redirect users to websites they do not intend to visit. A hacker might use this to send victims to a phishing site. Phishing sites often look identical to the real website but are operated by a hacker, tricking the user into entering private information such as their username and password. ISPs sometimes use DNS redirection to serve advertisements and collect user browsing data.
- Censorship. Browsing the web is nearly impossible without DNS, so whoever controls the DNS server controls who sees what on the web. Government-controlled ISPs in China, for instance, use DNS tampering as part of their nationwide censorship system, known as the Great Firewall, to block websites from public view.
DNS spoofing occurs in one of two ways:
- Tampering with an existing DNS nameserver’s resolver cache, or
- Creating a malicious DNS nameserver and spreading malware that makes routers and end user devices use it
Tampering with a nameserver’s DNS resolver cache can be done either intentionally by the administrator, such as an ISP that wants to serve ads or censor content, or by a hacker.
DNS changer malware
Hackers can attack either the nameserver itself or end user devices. Tampering with an existing DNS server affects more people, but because of the security that typically guards nameservers, it is more difficult to pull off.
Instead, hackers often set up their own malicious DNS nameservers rather than breaching an existing one. They then use any number of methods to distribute DNS changer malware to end user devices (computers and smartphones) and wifi routers. DNS changer malware covertly alters a device’s internet settings to point DNS requests to the malicious nameserver. The attackers can then redirect victims who request legitimate websites to phishing and malware-infected sites.
Besides end user devices, hackers may target wifi routers with DNS changer malware. A router can override the DNS settings specified in a computer or smartphone. This is a particular threat when connected to open and public wifi hotspots.
How to protect yourself against DNS spoofing
Detecting whether your DNS server has been tampered with or you’ve been infected with DNS changer malware can be difficult. Most of us don’t routinely check our DNS settings, and it may well be that only a few DNS entries have been poisoned. You might encounter more ads or involuntary redirection, but there may be no clear symptoms at all.
That said, here are a few precautions you can and should take to protect yourself from DNS spoofing:
Always check for HTTPS
If DNS spoofing has led you to a malicious website, it will likely look identical or nearly identical to the genuine site you intended to visit. The difference is that the imposter won’t have a valid SSL certificate for the domain, which means you won’t see “https” or a closed padlock in your browser’s URL bar. The padlock indicates that your connection to the site is encrypted and verifies the server owner is who it says it is.
Note that not all websites use HTTPS, so this is not a foolproof method. You can install the HTTPS Everywhere browser extension to force your browser to always load the HTTPS version of a website when available.
If you come across a site with HTTPS but it’s indicated in red or crossed out, then the SSL certificate is not valid and you should leave the site immediately.
Due to the well-documented security weaknesses in DNS, a few vendors have stepped up to provide improved DNS security.
DNSCrypt is perhaps the most popular of these for end users. DNSCrypt is a lightweight app that encrypts DNS traffic between the user and an OpenDNS nameserver, much in the same way that SSL encrypts traffic to websites that use HTTPS. This prevents spying, man-in-the-middle attacks, and, of course, DNS spoofing. You will need to configure your device to use an OpenDNS nameserver, which is free.
A VPN, short for Virtual Private Network, is a service that encrypts all the internet traffic going to and from your device and routes it through an intermediary server in a location of the user’s choosing. Quality VPN services use their own private DNS servers, and all DNS requests are sent through the encrypted tunnel. This means DNS requests cannot be intercepted or altered, and you’ll be using a (hopefully) secure nameserver.
Note that not all VPNs are created equal. Some use public DNS servers like Google DNS, while others allow DNS requests to leak outside of the encrypted tunnel, which means the default nameserver is used. Be sure to research your VPN provider’s specifications regarding DNS servers and DNS leak protection before signing up.
Use up-to-date antivirus software and keep real-time protection enabled. This should stop malware payloads containing DNS changer malware from infecting your device and other devices, including routers, on the network.
WebRTC is a communications protocol used by browser-based Voice over Internet Protocol (VoIP) services like Skype for Chrome. Chances are you don’t need it, but it’s enabled by default in most browsers including Firefox and Chrome. In Chrome, you can disable WebRTC by installing the WebRTC Network Limiter extension.
In Firefox, enter about:config in the URL bar. Search for the media.peerconnection.enabled parameter and set it to false.
A good VPN will disable WebRTC for you. If you’re not sure whether WebRTC is enabled in your browser, you can run a test here.
For those operating nameservers, Domain Name System Security Extensions (DNSSEC) provide sorely needed authentication. This suite of specifications lets a validating resolver verify that DNS responses are signed by the zone owner and have not been altered in transit. With DNSSEC properly implemented, the user knows responses come from the domain name owner and not from a corrupted DNS entry.
Unfortunately, we’ve yet to reach wide-scale deployment. Relatively few domains and nameservers employ DNSSEC, and there’s not much to be done on the end user’s side. DNSSEC also does not encrypt DNS records.
How to check your DNS settings
If you think you might have been infected with DNS changer malware, your first step should be to remove it using antivirus software or by performing a factory reset on your device. The latter may be the only solution for a router, so be ready to reconfigure your wifi network.
Once you’re malware-free, check your DNS settings. These can be found somewhere in your internet settings. Most devices enable you to enter two DNS nameserver addresses: primary and alternate. You should ensure these are either blank (will default to your ISP’s nameservers) or are filled in with IP addresses for nameservers you trust. If you don’t recognize one of the nameserver addresses, remove or replace it.
How to check DNS settings in Windows
For this example, we’ll use Windows 10:
- While connected to the internet, right-click the wifi or ethernet icon in your system tray (the right side of the taskbar) and select Open Network & Internet Settings.
- Click Wi-Fi, then scroll down to select Change adapter options.
- Find the adapter you use—probably Wi-Fi or Wireless Network Connection—and right-click, then select Properties.
- In the properties window on the default Networking tab, look under This connection uses the following items: to find Internet Protocol Version 4 (TCP/IPv4). Click it once to highlight it (do not uncheck it) and click Properties.
- If your default DNS server settings have been altered, you will see the nameserver addresses under Use the following DNS server address. Change these to your preferred DNS nameserver addresses or select Obtain DNS server address automatically to use your ISP’s default servers.
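A scriptable version of the Windows check above, added here as an example and not part of the article: it parses the text that `ipconfig /all` prints, collects the DNS servers listed for each adapter, and sorts each one into trusted (chosen by you), lan (a router-assigned address, so the router’s own settings still need checking) or unknown (a resolver you never configured). The trusted set, the LAN ranges and the sample output are assumptions made for the example.

```python
import ipaddress
import re

# Resolvers you chose on purpose (assumption: edit for your setup; Google DNS is the sample).
TRUSTED_NAMESERVERS = {"8.8.8.8", "8.8.4.4"}
# Local ranges: a resolver here is normally the router, whose own settings then need checking.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fe80::/10", "fc00::/7")]
# Key lines look like "   DNS Servers . . . . : 8.8.8.8"; continuation lines hold only an address.
KEY_LINE = re.compile(r"^\s+(.+?)[ .]+: ?(.*)$")

# Constructed sample, not captured from a real machine; 203.0.113.7 is a documentation
# address standing in for a resolver the user never configured.
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_ipconfig_dns(text):
    """Map adapter name -> DNS servers listed for it in `ipconfig /all` output."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # adapter header, e.g. "Wireless LAN adapter Wi-Fi:"
            adapter, in_dns = line.strip().rstrip(":"), False
        elif (m := KEY_LINE.match(line)):
            in_dns = m.group(1) == "DNS Servers"
            if in_dns and m.group(2).strip():
                servers.setdefault(adapter, []).append(m.group(2).strip())
        elif in_dns:                       # continuation line with another address
            servers.setdefault(adapter, []).append(line.strip())
    return servers


def classify(server, trusted=TRUSTED_NAMESERVERS):
    """'trusted' if chosen by the user, 'lan' if router-assigned, else 'unknown'."""
    if server in trusted:
        return "trusted"
    ip = ipaddress.ip_address(server.split("%")[0])   # drop an IPv6 zone index such as %12
    return "lan" if any(ip in net for net in LAN_NETWORKS) else "unknown"


def audit(text, trusted=TRUSTED_NAMESERVERS):
    """(adapter, server, verdict) for every resolver found; 'unknown' ones deserve attention."""
    return [(a, s, classify(s, trusted))
            for a, found in parse_ipconfig_dns(text).items() for s in found]
```

Run `audit(open("ipconfig.txt").read())` on saved `ipconfig /all` output; any entry marked unknown is one to remove or replace per the steps above.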
How to check DNS settings on a Mac
For this example, we’ll use macOS High Sierra:
- While connected to the internet, click the Apple menu and select System Preferences.
- Run a search in this menu for DNS servers and select it from the dropdown results.
- Here you’ll see any nameserver addresses that have been specified in the past. If the DNS Servers pane is blank, then you are using your ISP’s default nameserver.
- Remove any server addresses you don’t recognize by highlighting them and clicking the “–” button.
How to check DNS settings on a router
This process varies fairly significantly depending on your router model and firmware. Start by logging into your router’s admin console. You can usually access this by entering either 192.168.0.1 or 192.168.1.1 in your browser’s URL bar. You’ll need a username and password to log in. If you don’t know these, Google your router model for the default password or ask your ISP if it set it up for you.
Once in the console, look around in the network settings for a page that contains the DNS nameservers and change them accordingly.