T 5.78 DNS spoofing
To communicate with another computer in the Internet, it is necessary to know its IP address. As such numbers are not very easy to memorise, almost all IP addresses are assigned names by the Domain Name System (DNS).
DNS spoofing refers to a successful attempt by an attacker to falsify the IP address assigned to a computer name, which means that the name will be converted to the wrong IP address and vice versa. In classic DNS spoofing, the client PC is not manipulated by malware; instead, vulnerabilities in the DNS communication itself are exploited. As a result, it is possible to execute the following attacks, among others:
- r-services (rsh, rlogin): These services permit authentication based on the name of the client. The server knows the IP address of the client and requests its name via DNS. By manipulating the DNS, it may be possible for an attacker to log in to the r-service and to gain unauthorised access to sensitive information.
- Web spoofing: An intruder could assign the address www.bsi.bund.de to the wrong computer, which would then be addressed each time http://www.bsi.bund.de is entered.
The ease with which it is possible to perform DNS spoofing depends on how the network being attacked is configured. Since no computer can possess all DNS information available globally, computers always need to depend on the information of other DNS servers. To reduce the frequency of DNS queries, most resolving DNS servers temporarily store the information they have received from other DNS servers for a certain length of time.
Another way to cause damage using DNS spoofing is direct intrusion into a DNS server. However, this case is not considered further here. Instead, the principal shortcomings of DNS are described.
Examples:
- A user on the computer named pc.customer.com wants to access the computer named www.company-x.com and then the computer of his competitor, www.company-y.com. In order to access www.company-x.com, the user must first ask his resolving DNS server ns.customer.com for the corresponding IP address. However, this server does not know the IP address of the computer and therefore requests it from the advertising DNS server ns.company-x.com. That server replies with the IP address, which ns.customer.com forwards to the user and then stores. If the reply packet from ns.company-x.com contains not only the IP address of the computer named www.company-x.com, but also a false IP address for www.company-y.com, then this address is stored as well. If the user now tries to access www.company-y.com, his resolving DNS server will no longer request the IP address from the DNS server ns.company-y.com. Instead, his DNS server will provide him with the false information slipped into its cache by ns.company-x.com. In current versions of DNS server products an attack in exactly this form is no longer possible. However, modified or improved variants of the attack exist which are successful even against current versions.
- Company X knows that a user on the computer named pc.customer.com wants to access the computer of its competitor, www.company-y.com. Company X prevents this by asking the DNS server ns.customer.com for the IP address of www.company-x.com. This DNS server then needs to request the IP address from the name server ns.company-x.com and receives, as in the first example, the wrong information for www.company-y.com.
These two examples are based on the assumption that a DNS server accepts additional data that it has not even requested. Newer versions of DNS software (e.g. BIND) no longer have this error and therefore prevent this type of attack. However, it is still possible to create false DNS entries using IP spoofing, although this type of attack is technically much more complicated; see also T 5.48 IP-Spoofing.
Both forms of attack have one thing in common: the aim is that the attacked computer temporarily stores incorrect assignments of IP addresses to names. This is referred to as cache poisoning. Since DNS servers store domain information, as described in the second example, such forged data can be widely distributed. If a corresponding request is sent to the manipulated DNS server, this server will return the forged data. The receiver of the response in turn stores the forged data, and its cache is therefore also "poisoned". The length of time after which stored data expires can be configured (Time to Live, TTL). If a manipulated address is requested from the resolving DNS server, it will not send a request to a different DNS server until the configured length of time has expired. Thus, manipulated DNS information can persist for a long time, even after it has already been corrected on the DNS server originally attacked.
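The two examples above and the TTL behaviour just described, as an added illustration that is not part of the catalogue text: a toy resolver cache that either accepts every record in a reply or applies a bailiwick check (only records at or below the answering server's zone are cached), and that honours TTL expiry. All names, IP addresses and the reply itself are constructed for this example.

```python
# Added example (not from the BSI text): a toy resolver cache showing why
# accepting unsolicited additional records poisons it, and how a bailiwick
# check plus TTL expiry limit the damage.
from dataclasses import dataclass

@dataclass
class Record:
    name: str   # owner name, e.g. "www.company-y.com"
    ip: str
    ttl: int    # seconds the record may stay cached

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals the answering server's zone or lies below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

class ResolverCache:
    def __init__(self, check_bailiwick: bool):
        self.check_bailiwick = check_bailiwick
        self.entries = {}   # name -> (ip, absolute expiry time)

    def ingest(self, zone: str, records: list, now: int) -> list:
        """Cache a reply from the server for `zone`; return rejected names."""
        dropped = []
        for rec in records:
            if self.check_bailiwick and not in_bailiwick(rec.name, zone):
                dropped.append(rec.name)   # unsolicited out-of-zone data
                continue
            self.entries[rec.name] = (rec.ip, now + rec.ttl)
        return dropped

    def lookup(self, name: str, now: int):
        """Cached IP, or None if absent/expired (resolver must re-query)."""
        hit = self.entries.get(name)
        if hit is None or now >= hit[1]:
            self.entries.pop(name, None)
            return None
        return hit[0]

# Constructed reply from ns.company-x.com: the legitimate answer plus a forged
# additional record for the competitor's name, as in the examples above.
POISONED_REPLY = [Record("www.company-x.com", "192.0.2.10", 300),
                  Record("www.company-y.com", "198.51.100.99", 86400)]

def run_demo(check_bailiwick: bool) -> dict:
    cache = ResolverCache(check_bailiwick)
    dropped = cache.ingest("company-x.com", POISONED_REPLY, now=0)
    return {"dropped": dropped,
            "y_at_t0": cache.lookup("www.company-y.com", now=0),
            "y_after_ttl": cache.lookup("www.company-y.com", now=86400)}
```

Without the bailiwick check the forged www.company-y.com entry is served from the cache until its 86400-second TTL runs out; with the check it is never stored.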
Cache poisoning is one of the most dangerous forms of attack on DNS. If, for example, an attacker is able to take over the name resolution for a domain by manipulating its entries in such a way that requests are sent to his own DNS servers, then all sub-domains are automatically affected as well.