If there’s one thing Hollywood movies teach us, it’s that hackers are clever and have various tricks to bypass our security. In the real world, a security issue often comes down to opportunity rather than developed skill. A “DNS poisoning” attack fits this description, which is exactly why you need the skills to keep your domain from being spoofed.

The concept is simple: visitors see what looks like your website, but it’s a fraudulent and harmful lookalike. As such, you need to employ several techniques to make sure users are safe and your site remains free from attacks.

In this post, we’re going to dive into the concept of DNS poisoning and domain spoofing. We’re also going to talk about some of the surrounding concepts to help you understand why your eventual response is the best approach.

A Primer On the Domain Name System (DNS)

Before we get into the specifics of DNS poisoning, let’s chat about the Domain Name System. While browsing a website appears to be a straightforward task, a lot is going on under the hood.

There are lots of elements involved to get you from ‘A’ to ‘B’:

On the whole, the DNS makes reaching a site by its domain name simple for the end-user: it translates the name into the IP address the browser actually connects to. It’s a core part of the web, and as such, it has many moving parts.

We will look at the lookup process itself next, although you can already see how the DNS has a vital job to fulfill.


The Process of a DNS Lookup

Bear with us here while we offer what looks like an abstract analogy.

Activities that take people into remote places, such as mountaineering or sailing, share one specific danger: getting lost and not being found in time. The traditional way of locating stranded people has been to use coordinates. They’re explicit and offer pinpoint accuracy.

However, this process has drawbacks. First, you need to know how to calculate your coordinates for any location — tricky if in a remote part of the world. Second, you have to articulate those coordinates to the rescue team. One wrong number and the consequences are dire.

The what3words app takes the complex process of calculating and passing on coordinates and turns it into a three-word summary of your general location. For example, take Automattic’s headquarters:

The Automattic offices in Apple Maps.

The coordinates of the location are 37.744159, -122.421555. Unless you’re an expert navigator, though, you’re not likely to know this. Even if you did, getting this in the hands of someone who could help you is a slim proposition.

In a nutshell, what3words takes an abstract set of coordinates and translates them into three memorable words. In the case of Automattic’s offices, it’s decent.transfers.sleeps:

The what3words website, showing Automattic’s offices.

This puts complex global positioning in the hands of almost anyone with access to the app. It’s saved a lot of civilian lives already.

This ties in with a DNS lookup because the process is similar. In the case of what3words, the rescuer asks the app for the coordinates of a word string. The request is sent across servers to look for the coordinates and return to the end-user when they’re found.

A DNS lookup has a similar flow:

One of the drawbacks of what3words is how a word string isn’t as accurate as a set of coordinates. This means you can pinpoint a general location fast but may spend longer finding the stranded person.

A DNS lookup has drawbacks as well, and malicious attackers can exploit them. Before we look at this, though, let’s take a brief detour to talk about caching and how this can speed up a lookup.

DNS Caching

Much like web caching, DNS caching can help you recall regular queries to the server. This will make the process of fetching an IP address faster for each new visit.

In short, the cache sits within the DNS server system and cuts out the extra trips a full recursive lookup would otherwise take. This means a browser can get an IP address straight from the cached answer and complete its GET request more quickly.

You’ll find DNS caches throughout your entire system. For example, your computer will have a DNS cache, as will your router and internet service provider (ISP). You often don’t realize how much your browsing experience relies on DNS caching — until you’re a victim of DNS poisoning, that is.

What DNS Poisoning Is

Now that you understand the concept of a DNS lookup and the entire process of fetching an IP address, we can see how it can be exploited.

You’ll often see DNS poisoning referred to as “spoofing” too because having a fraudulent “lookalike” website in the chain is part of the attack.

We’re going to talk in more detail about all of these aspects, but know that DNS poisoning or spoofing is a harmful attack that can cause mental, monetary, and resource-related problems for users and the internet.

First, though, let’s get into the process of cache poisoning.

How DNS Spoofing and Cache Poisoning Works

Given that the whole spoofing process is complex, attackers have created many different ways to achieve their goal:

A birthday attack is based on the “birthday problem.” This is a probability scenario that says (in a nutshell) if there are 23 people in a room, there’s a 50% chance of two sharing the same birthday. If there are more people in the room, the chances rise.

A graph showing the Birthday Problem. (Image source: Wikipedia)

This translates to DNS poisoning through the transaction identifier that ties a DNS lookup request to its response. If the attacker sends a certain number of random requests and forged responses, there’s a high probability that one identifier will match, resulting in a successful poisoning attempt. From around 450 requests, the probability is about 75%, and at 700 requests, an attacker is almost guaranteed to crack the server.
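The birthday figures above follow from a general formula, and the same formula shows why modern resolvers randomize more than the 16-bit transaction ID. The Python below is an added example written for this article, not code from the original post or from Kinsta. It assumes a simplified model: every guess is uniformly random and independent, and the `port_bits` parameter assumes the resolver also randomizes its source port, so a forged response must match both the ID and the port.

```python
def birthday_collision_probability(n: int, space: int) -> float:
    """Probability that at least two of n uniformly random draws from
    `space` possible values collide (the classic birthday problem)."""
    if n > space:
        return 1.0
    p_no_collision = 1.0
    for k in range(n):
        # k values are already taken; the next draw avoids them with
        # probability (space - k) / space
        p_no_collision *= (space - k) / space
    return 1.0 - p_no_collision


def min_draws_for_probability(space: int, target: float) -> int:
    """Smallest n for which the collision probability reaches `target`."""
    n = 1
    while birthday_collision_probability(n, space) < target:
        n += 1
    return n


def forged_response_match_probability(attempts: int, id_bits: int = 16,
                                      port_bits: int = 0) -> float:
    """Probability that at least one of `attempts` random forged responses
    matches a single outstanding query when the forger has to guess
    id_bits + port_bits bits of entropy (simplified independent-guess model)."""
    space = 2 ** (id_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** attempts


if __name__ == "__main__":
    print("23 people, 365 days:", round(birthday_collision_probability(23, 365), 4))
    print("people needed for 50%:", min_draws_for_probability(365, 0.5))
    print("65536 forgeries vs 16-bit ID only:",
          round(forged_response_match_probability(65536), 4))
    print("65536 forgeries vs 16-bit ID + 16-bit port:",
          forged_response_match_probability(65536, port_bits=16))
```

With the ID alone, 65,536 forged packets give roughly a 63% chance of hitting one outstanding query; adding 16 bits of source-port randomness drops that to about one in 65,000 for the same effort, which is why port randomization is a standard resolver hardening measure.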

In short, attacks on the DNS server happen in most cases because this gives a malicious user greater flexibility to manipulate your site and user data. There’s also no built-in verification for DNS data because requests and responses typically travel over UDP rather than the connection-oriented Transmission Control Protocol (TCP), so a resolver has little beyond the transaction identifier to tell a genuine response from a forged one.

The weak point in the chain is the DNS cache because this acts as a repository for DNS entries. If an attacker can inject forged entries into the cache, every user who accesses it will find themselves at a fraudulent site until the cache expires.

Attackers will often look for a few signals, weak points, and data points to target. They work to spot DNS queries that haven’t been cached yet because the recursive server will have to undertake the query at some point. By extension, an attacker will also look for the nameserver a query will go to. Once they have this, the port the resolver uses and the request ID number are vital.

While meeting all of these requirements isn’t necessary — after all, an attacker can access servers through numerous methods — ticking these boxes off makes their job easier.

Real-World Examples of DNS Poisoning

There have been a few high-profile examples over the years of DNS poisoning. In some cases, it’s an intentional act. For instance, China operates a firewall on a massive scale (the so-called “Great Firewall of China”) to control the information internet users receive.

In a nutshell, they poison their own servers by redirecting visitors heading to state-unsanctioned sites such as Twitter and Facebook. In one case, Chinese restrictions even made their way into the Western world’s ecosystem.

A networking error from a Swedish ISP served root DNS information from Chinese servers. This meant users in Chile and the US were redirected elsewhere when accessing some social media sites.

In another example, Bangladeshi hackers protesting mistreatment in Malaysia poisoned many domains relating to Microsoft, Google, YouTube, and other high-profile sites. This appears to have been a case of server hijacking rather than a client-side issue or spam.

Even WikiLeaks isn’t immune to DNS poisoning attacks. A potential server hijack a few years ago caused visitors to the website to be redirected to a page dedicated to the hackers.

DNS poisoning doesn’t have to be a complicated process. So-called “ethical hackers” — i.e. those who look to expose security flaws rather than inflict damage — have straightforward methods for testing spoofing on their own computers.

Other than being redirected, though, there may not seem to be any long-term effects of DNS poisoning on the surface. In fact, there are — and we’ll talk about them next.

Why DNS Poisoning and Spoofing Is So Harmful

There are three main goals of an attacker hoping to perform DNS poisoning on a server:

Of course, it doesn’t take a leap of imagination to understand why DNS poisoning or spoofing is a problem for ISPs, server operators, and end-users.

As we noted, spoofing is a massive problem for ISPs, so much so that there are tools like the CAIDA Spoofer available to help.

The CAIDA website.

A few years ago, statistics showed that there were around 30,000 attacks a day. This number will almost certainly have increased since the report was published. What’s more, as was the case with the example in the previous section, delivering spoofed sites across a network brings user trust issues to the fore, along with privacy concerns.


Regardless of who you are, there are a few risks involved when you’re the victim of poisoning and spoofing:

There are other related effects of DNS poisoning too. For instance, you may not be able to apply any security updates to your system while the recovery process is in full swing. This leaves your computer vulnerable for longer.

Also, consider the cost and complexity of this cleanup process, as it will affect everyone along the chain. Higher prices for all of the connected services are just one of the negatives.

The effort of eliminating DNS poisoning is immense. Given that spoofing affects both client- and server-side setups, ridding it from one doesn’t mean it’s gone from all.

How to Prevent DNS Poisoning

There are two areas affected by DNS poisoning — client-side and server-side. We’re going to take a look at what you can do to prevent this damaging attack on both sides of the coin.

Let’s begin with what the internet as a whole is doing on the server-side.

How the Internet Tries to Prevent DNS Poisoning and Spoofing Server-Side

Although we’ve talked a lot about DNS throughout this article, we haven’t noted how antiquated the technology is. In short, DNS isn’t the best fit for a modern web browsing experience due to a few factors. For starters, it’s unencrypted, and it lacks the validation that would stop a lot of DNS poisoning attacks from succeeding.

One quick way to stop attacks from gaining ground is a simple logging strategy: record each outgoing request and compare it against the incoming response to check that they match (same transaction ID, same port, same question) before accepting the answer.
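The request-to-response comparison described here, together with the signals listed earlier (the nameserver a query goes to, the resolver’s port, and the request ID), can be demonstrated in a few dozen lines. The following Python is an added example written for this article, not code from the original post or from Kinsta, and it is a toy: it builds and parses minimal DNS wire-format messages with `struct` and does not handle name compression pointers that real responses use. The `Resolver` class, its `demo()` driver, and the addresses (all from the RFC 5737 documentation ranges) are constructed for illustration.

```python
import random
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode uncompressed labels starting at offset; return (name, new offset)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_query(txid: int, qname: str) -> bytes:
    """Standard A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid: int, qname: str, ip: str, ttl: int = 300) -> bytes:
    """Response carrying one A record for qname (QR, RD and RA flags set)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def query_txid(query: bytes) -> int:
    return struct.unpack("!H", query[:2])[0]


def parse_response(msg: bytes) -> dict:
    """Pull out the fields the resolver needs to validate a response."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                   # skip QTYPE/QCLASS
    aname, off = decode_name(msg, off)
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    ip = ".".join(str(b) for b in msg[off:off + rdlen])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "aname": aname, "ip": ip, "ttl": ttl}


class Resolver:
    """Minimal stub resolver: logs each outgoing query and only caches a
    response that matches the logged transaction ID, source port, nameserver
    address and question name (constructed example, not a real resolver)."""

    def __init__(self, seed: int = 0):
        self._rng = random.Random(seed)
        self.pending = {}      # (txid, src_port) -> (qname, nameserver_ip)
        self.cache = {}        # qname -> (ip, ttl)
        self.log = []

    def send_query(self, qname: str, nameserver_ip: str):
        txid = self._rng.getrandbits(16)            # random transaction ID
        src_port = self._rng.randint(1024, 65535)   # random source port
        self.pending[(txid, src_port)] = (qname, nameserver_ip)
        self.log.append(f"sent id={txid} port={src_port} q={qname} to={nameserver_ip}")
        return build_query(txid, qname), src_port

    def receive(self, msg: bytes, dst_port: int, from_ip: str) -> bool:
        r = parse_response(msg)
        key = (r["txid"], dst_port)
        if not r["is_response"] or key not in self.pending:
            self.log.append(f"reject id={r['txid']} port={dst_port}: no matching query")
            return False
        qname, nameserver_ip = self.pending[key]
        if from_ip != nameserver_ip:
            self.log.append(f"reject id={r['txid']}: from {from_ip}, expected {nameserver_ip}")
            return False
        if r["qname"] != qname or r["aname"] != qname:
            self.log.append(f"reject id={r['txid']}: answer for {r['aname']}, asked {qname}")
            return False
        self.cache[qname] = (r["ip"], r["ttl"])
        del self.pending[key]
        self.log.append(f"accept id={r['txid']} {qname} -> {r['ip']} ttl={r['ttl']}")
        return True


def demo() -> dict:
    """Run one lookup against a series of forged and one genuine response."""
    resolver = Resolver(seed=7)
    query, port = resolver.send_query("example.com", "192.0.2.53")
    txid = query_txid(query)
    results = {}
    results["wrong_id"] = resolver.receive(
        build_response((txid + 1) & 0xFFFF, "example.com", "203.0.113.66"), port, "192.0.2.53")
    results["wrong_port"] = resolver.receive(
        build_response(txid, "example.com", "203.0.113.66"), port ^ 1, "192.0.2.53")
    results["wrong_source"] = resolver.receive(
        build_response(txid, "example.com", "203.0.113.66"), port, "198.51.100.9")
    results["wrong_name"] = resolver.receive(
        build_response(txid, "evil.example", "203.0.113.66"), port, "192.0.2.53")
    results["genuine"] = resolver.receive(
        build_response(txid, "example.com", "192.0.2.10"), port, "192.0.2.53")
    results["cached_ip"] = resolver.cache["example.com"][0]
    results["log"] = resolver.log
    return results


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Each rejected packet leaves a log line naming the mismatch, which is the kind of record that makes a flood of guesses visible; the genuine answer is the only one that reaches the cache.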

However, the long-term answer (according to the experts) is by using Domain Name System Security Extensions (DNSSEC). This is a technology designed to combat DNS poisoning, and in simple terms, it puts different levels of verification in place.

Going deeper, DNSSEC uses “public-key cryptography” as verification. This is a way of signing the data so it can be checked as genuine and trustworthy. The signatures are stored alongside your other DNS information, and the recursive server uses them to check that none of the information it receives has been altered.

Compared to other internet protocols and technologies, DNSSEC is a relative baby — but it’s mature enough that it’s implemented in the root level of the internet, though it’s not yet mainstream. Google’s Public DNS is one service that supports DNSSEC in full, with more popping up all the time.

Even so, there are still some drawbacks with DNSSEC that are worth noting:

Even so, DNSSEC is the future on the server-side, at least. As for you as the end-user, there are also some preventative measures you can take.

How You Can Prevent DNS Poisoning on the Client-Side

There are more ways to prevent DNS poisoning on the client-side, although none on their own will be as robust as server-side DNSSEC implemented by an expert. Still, there are some simple boxes you can check off as a site owner:

As an end-user, there are a few more things you can do to help prevent poisoning and spoofing:

While you can’t eliminate DNS poisoning entirely, you can prevent the very worst from happening. As an end-user, you don’t have much control over how the server handles attacks. Likewise, sysadmins don’t get to control what happens in the browser. As such, it’s a team effort to stop this most harmful of attacks from affecting the entire chain.


Summary

Internet attacks are commonplace. DNS poisoning (or spoofing) is a common attack that can affect millions of users if left unchecked. This is because the DNS protocol is old and unsuited for modern web browsing — although newer technologies are on the horizon.

In short, DNS poisoning redirects an end-user to a fraudulent version of an existing website. It’s a way to steal data and infect systems with malware. There’s no foolproof way to prevent it altogether, but you can contain it through some simple measures.

Have you ever been a victim of DNS poisoning or spoofing, and if so, what was the cause? Please share your experience with us in the comments section below!
