What is DNS Spoofing?

Overview

Domain Name System (DNS) spoofing, also commonly referred to as DNS cache poisoning, is a cyberattack where DNS records or communication are intercepted and altered in order to route users to a different IP address.

In a spoofing attack, traffic from legitimate servers is rerouted to fraudulent sites that may look like the valid site the end-user was trying to get to. These attacks can happen seamlessly without giving any indication to the user of what is happening.

When the user arrives at the fake site, they may be prompted to enter their login credentials or reveal sensitive data like credit card data, bank account numbers and Social Security information.

Attackers can then use this information to steal money, data and identities, or to access corporate networks to launch other attacks.

Once a DNS record has been spoofed, the cyberattacker can install worms or viruses on a user’s computer, giving the attacker unfettered access to the data provided.

How does DNS spoofing work?

To fully understand how DNS spoofing works, it is helpful to have an understanding of how the internet routes users to websites.

Every server has its own unique thumbprint called an internet protocol (IP) address that is comprised of a series of numbers. Each IP address is mapped to a corresponding domain name (www.example.com) that properly routes users to the website.

To spoof a DNS, cyberattackers find and exploit weaknesses in this process to redirect traffic to an illegitimate IP address and fake website.

3 different methods of DNS cache poisoning

There are several types of DNS spoofing, but three of the most common ones are:

— Man-in-the-middle duping: The attacker gets between your browser and DNS server to infect both using a tool to synchronously poison your local device and DNS server. This results in a redirect to a malicious site hosted on the attacker’s local server.

— DNS cache poisoning by spam: URLs included in spam emails and banner ads on untrustworthy websites are compromised with a virus. When the user clicks on the URL, their computers are then infected with the virus located in the malicious URL. Once infected, the user's device will route to fake websites that look like the real thing.

— DNS server hijack: The cyberattacker reconfigures the server to direct any traffic to the spoofed domain.

The dangers of DNS spoofing

DNS attacks account for 91% of malware attacks, and one out of every 13 web requests leads to malware.

Risks include:

— Data theft

— Malware infection

— Censorship

— Halted security updates that may expose your device to additional threats.

Despite the dangers of DNS spoofing and other malicious activity, most organizations don't monitor their DNS activity at all. Yet the rise of DNS spoofing and other DNS-related attacks makes it clear organizations must deploy anti-spoofing solutions as well as monitoring technology that provides insight into what is happening at the DNS layer.

Prevent DNS spoofing with Mimecast web security

Mimecast Web Security adds monitoring and security at the DNS layer to stop DNS spoofing, malware and other malicious web activity before it reaches your network or devices. This Mimecast service protects against malicious activity both coming from or going out to the Internet at the DNS layer. It also supports and enforces acceptable use policies and helps to mitigate uncontrolled usage of cloud applications.

Mimecast Web Security enables you to:

Block malicious websites and websites that violate acceptable use policy.
Protect employees on and off the network.
Protect guest Wi-Fi networks.
Enable site, user and group-specific policies and exception lists.
Manage web security through a single administration console.
Use an intelligent proxy to inspect content and file downloads from suspicious sites.
Allow or block top level domains.
Integrate with Mimecast Secure Email Gateway with Targeted Threat Protection for a coordinated email and web security.
Get seamless off network protection with Mimecast Security Agent for Windows, Mac and mobile devices.
Deploy and set up defenses in minutes to protect against DNS spoofing and other malicious web activity.

How web security works

When a user initiates a request to access the Internet by entering an address in the browser or clicking a link in an email or website, a DNS request is forwarded to the Mimecast web security service. As Mimecast inspects and resolves the DNS request, acceptable use policies established by the organization are applied to the request, blocking access to content that is deemed inappropriate for business use. At the same time, the target website is scanned for malicious content. If the site is determined to be safe, the user is granted immediate access. But if the site is deemed to be suspicious or malicious, Mimecast blocks access to the site and the user is notified via a message in the browser about the reason why.

Examples of DNS spoofing & DNS cache poisoning attacks

Cyberattackers are continually employing more sophisticated tactics to carry out DNS spoofing. Though no two attacks may be the same, a DNS spoofing scenario could look something like this:

1. The attacker intercepts communication between a client and a server computer belonging to the targeted website.

2. Using a tool such as arpspoof, the attacker can dupe both the client and the server to follow malicious IP addresses that routes to the attacker's server.

3. The attacker creates a fake website that the malicious IP address will route users to in an attempt to obtain sensitive information.

Advantages of Mimecast's DNS monitoring service

Mimecast Web Security enables you to:

Adopt a proactive defense against web threats. Mimecast Web Security stops web threats before they can reach your network or endpoints, and blocks websites that deliver malware or that are part of phishing attacks. Intelligence from multiple sources helps to rapidly identify threats while DNS monitoring helps to stop attacks like DNS spoofing.
Enforce acceptable web use policies. Mimecast makes it easier to keep employees productive on the web by blocking access to sites that aren't appropriate for business use. Administrators can use granular web category selections to apply policies to specific users, groups or the entire network.
Reduce the risk of shadow IT. Mimecast Web security delivers Application Visibility and Control for greater insight into uncontrolled usage of cloud applications that represent a risk of shadow IT. Administrators can monitor cloud apps to understand usage and manage or block access to specific apps.
Protect users on and off the network. Mimecast Web Security protects remote and mobile workers no matter where they are or what device they're using, and it enables administrators to apply consistent security and controls to all employees and devices.
Protect guest Wi-Fi. With Mimecast, you can prevent guest network users from accessing malicious or inappropriate sites, and control what cloud apps can be accessed via your guest Wi-Fi network.
Improve visibility and reporting. Mimecast provides quick and simple visualizations of key metrics like top accessed domains, site categories, blocked domains and requests leading to malicious sites.

FAQs: DNS spoofing

What is DNS?

DNS refers to the Domain Name System (or Domain Name Server), which translates domain names that users can read into IP addresses that machines can read. Every device connected to the Internet has a unique IP address that enables other machines to find it. DNS eliminates the need for users to memorize long and complex IP addresses and to use simpler domain names instead.

How to detect DNS cache poisoning?

The best possible way to detect DNS cache poisoning is to use a data analytics solution to monitor DNS behavior. Things that can signal DNS poisoning:

— An increase in DNS activity from a source that queries your DNS server for multiple domain names without returns.

— An abnormal increase in DNS activity from a single source to a sole domain.