What is DNS Poisoning?
Domain Name System (DNS) poisoning happens when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply, sending users to the wrong website. DNS poisoning also goes by the terms “DNS spoofing” and “DNS cache poisoning.”
DNS servers take the words you type in when looking up a website, such as “Fortinet.com,” and use them to find the Internet Protocol (IP) address associated with it. These addresses are stored in the DNS cache. If the wrong IP address is put in the cache, the user gets directed somewhere other than where they want to go.
What Is a DNS and What Is a DNS Server?
The DNS maps domain names, the human-readable names of websites, to the IP addresses they are hosted at. A DNS server keeps track of the domain names and their associated IP addresses and sends users to the IP address associated with the website name they typed in.
How Does DNS Poisoning Work?
Man-in-the-Middle (MITM) Attacks
In a man-in-the-middle (MITM) attack, the attacker gets between the web browser you are using and the DNS server. They then use a tool to alter the information in the cache on your device, as well as the information on the DNS server. You then get redirected to a malicious site.
DNS Server Hijack
When hijacking a DNS server, the attacker makes adjustments to the server, causing it to direct users to a malicious site. The fake DNS information causes every user who enters that website’s address to get sent to the fraudulent site.
DNS Cache Poisoning via Spam
When an attacker uses spam for DNS spoofing attacks, they put the code used for the cache poisoning inside an email. The email will often try to scare users into clicking on the link that ends up launching the DNS poisoning attack.
What Are the Risks of DNS Poisoning?
An attacker can have the user redirected to a phishing website that can collect the user’s private information. When the user enters it, it gets sent to the attacker, who can then use it or sell it to another criminal.
A cyber criminal may have the user sent to a website that infects their computer with malware. This can be done through drive-by downloads, which automatically put the malware on the user’s system, or through a malicious link on the site that installs malware, such as a Trojan virus or a botnet.
Halted Security Updates
An attacker can spoof an internet security provider’s site. This way, when the computer attempts to visit the site to update its security, it will be sent to the wrong one. As a result, it does not get the security update it needs, leaving it exposed to attacks.
Censorship can be executed via manipulation of the DNS as well. For instance, in China, the government changes the DNS to make sure only approved websites can be viewed within China.
How To Prevent DNS Poisoning
For Website Owners and DNS Service Providers
Website owners and DNS service providers have the responsibility of defending users from DNS attacks. There are several ways to protect your users.
DNS Spoofing Detection Tools
These tools inspect the DNS data being sent, checking that each reply actually matches the query that was issued and that its records are accurate, before allowing it to reach the user.
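The check a DNS spoofing detection tool or a resolver performs on each reply is the core defence against cache poisoning: a reply is only accepted into the cache if its transaction ID, its question section and the names it answers for all match what was asked. The following Python is an added illustration, not Fortinet's code or any product's implementation: it builds a DNS query and three constructed replies (one genuine, one with the wrong transaction ID, one answering for a name that was never asked about) in raw wire format, then parses and validates them before admitting records to a toy cache. All addresses and names are constructed sample values.

```python
import struct

# --- minimal DNS wire-format helpers (added example code, not production code) ---

def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", end

def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Standard query: header (RD bit set), one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(txid: int, qname: str, answers, qtype: int = 1) -> bytes:
    """Response with QR/RD/RA set; answers is a list of (owner_name, ttl, ipv4)."""
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, ttl, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0) + body

def parse_message(msg: bytes) -> dict:
    """Parse header, the single question, and the answer section."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}

# --- the anti-poisoning checks a resolver applies before caching a reply ---

def validate_response(query: bytes, response: bytes) -> list:
    """Return the reasons a reply must be discarded; an empty list means accept."""
    q, r = parse_message(query), parse_message(response)
    problems = []
    if r["txid"] != q["txid"]:
        problems.append("transaction ID mismatch")
    if not r["flags"] & 0x8000:
        problems.append("QR flag not set")
    if (r["qname"], r["qtype"]) != (q["qname"], q["qtype"]):
        problems.append("question section does not match query")
    for name, rtype, _ttl, _rdata in r["answers"]:
        # An A record for a name we never asked about must not enter the cache,
        # even if it arrives alongside an otherwise plausible reply.
        if rtype == 1 and name != q["qname"]:
            problems.append("answer for %s which was not asked for" % name)
    return problems

def accept_into_cache(cache: dict, query: bytes, response: bytes) -> bool:
    """Admit A records into the cache only when every check passes."""
    if validate_response(query, response):
        return False
    for name, rtype, ttl, rdata in parse_message(response)["answers"]:
        if rtype == 1:
            cache[(name, rtype)] = (".".join(str(b) for b in rdata), ttl)
    return True

# Constructed sample traffic (documentation address ranges, not real hosts).
TXID = 0x1A2B
QUERY = build_query(TXID, "www.example.com")
GOOD = build_response(TXID, "www.example.com", [("www.example.com", 300, "203.0.113.10")])
FORGED_ID = build_response(0x9999, "www.example.com", [("www.example.com", 300, "198.51.100.66")])
FORGED_NAME = build_response(TXID, "www.example.com", [("login.bank.example", 86400, "198.51.100.66")])

if __name__ == "__main__":
    cache = {}
    for label, reply in (("genuine", GOOD), ("wrong txid", FORGED_ID), ("wrong name", FORGED_NAME)):
        print(label, "accepted" if accept_into_cache(cache, QUERY, reply) else validate_response(QUERY, reply))
    print(cache)
```

Real resolvers add further defences on top of these checks, such as randomising the source port of every query so that an attacker cannot guess the (ID, port) pair, and DNSSEC validation where the zone is signed; the example shows only the matching logic that every reply must pass.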
Domain Name System Security Extensions
Domain Name System Security Extensions (DNSSEC) attach cryptographic signatures to DNS records so that a resolver can verify the records came from the legitimate zone and were not altered in transit.
With end-to-end encryption, the data that gets sent out is encrypted, so cyber criminals cannot access the DNS data to copy it and redirect users to the wrong sites.
For Endpoint Users
Users can be an easy target for DNS spoofing. Here are ways to prevent becoming a victim.
Never Click a Link You Do Not Recognize
It is better to manually enter a Uniform Resource Locator (URL) into your web browser than click on a link that may look suspicious. Clicking the wrong link can lead to a DNS attack.
Regularly Scan Your Computer for Malware
Spoofed websites can be used by attackers to deliver malware to your computer. Regularly scanning your computer for infections can get rid of malware you downloaded accidentally as a result of DNS poisoning.
Flush Your DNS Cache To Solve Poisoning
Flushing your DNS cache gets rid of false information. All major operating systems come with cache-flushing functions. Flushing the DNS cache gives your device a fresh start, ensuring that any DNS information that gets processed will correlate with the correct site.
Use a Virtual Private Network (VPN)
With a virtual private network (VPN), all data going to and from your computer is encrypted. You can connect to a private DNS server that only connects using encryption. Cyber criminals do not have the encryption keys, so they cannot read or alter the DNS data that gets sent back and forth.
How Fortinet Can Help
FortiGuard Labs provides users of Fortinet security products with advanced threat intelligence. The information is gathered by threat hunters, analysts, data scientists, engineers, and researchers who specialize in identifying and stopping attacks. This enables Fortinet products to detect DNS poisoning attacks and protect users from their impact.
What is DNS poisoning?
Domain Name System (DNS) poisoning refers to when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply, sending users to the wrong website.
What Is a DNS and What Is a DNS Server?
A DNS lists the Internet Protocol (IP) addresses associated with domain names, or the names of websites. A DNS server keeps track of the domain names and their associated IP addresses and sends users to the IP address associated with the website name they typed in.
What are the risks of DNS poisoning?
The risks of DNS poisoning include data theft, malware infection, delayed security updates, and censorship.
How do you prevent DNS poisoning?
To prevent DNS poisoning, you can use DNS spoofing detection, DNS security extensions, and end-to-end encryption. You can also avoid clicking on suspicious links, regularly scan your computer for malware, flush your DNS cache, and use a virtual private network (VPN).