DNS Spoofing (also DNS Cache Poisoning) is the unnoticed substitution of a fake IP address, i.e. one other than the address the domain name is actually paired with. As a result, network traffic is redirected to the false IP address and users can land, for example, on a fake website. This is a very dangerous attack on information security that leads to the theft or luring out of data.
How can a fake site be slipped in, and what is the threat?
To enhance usability, computer, server and website addresses are displayed as names (such as google.com) instead of IP addresses, although it is IP addresses (and not names) that really lie underneath and that actually govern all communication within a network (a corporate network, for instance) or the Internet as a whole. The translation between names and IP addresses is provided by the so-called DNS servers. If an attacker can slip in his or her own fake DNS server, he or she can also redirect all traffic to compromised websites or servers. This way, the attackers can intercept network communications or redirect users to fraudulent sites that may look like a bank website or an e-shop, but whose only goal is, for instance, to obtain your password (see also phishing, pharming) or to infect your device with a virus (a website may, for example, look like the website of your device's service provider, but instead of an update, a virus is installed on your computer).
How does DNS spoofing work?
The attack consists in slipping a fake IP address into the network packet that a computer receives in response to its request for a domain-name translation. The attack can take place either on the local computer network or on the Internet. For example, if the attacker can alter the DNS server address configured on a router, all network users are redirected to a fake DNS server. This leads to traffic being incorrectly diverted or to the manipulation of the entire network's traffic. It is also possible that the fake DNS is slipped in only on a particular computer (as opposed to the whole network), so that the traffic manipulation happens only on that one device.
The attacker can either permanently replace the DNS server address or only poison the cache in which DNS lookup results are stored. In the latter case, the attack is temporary and is undone by clearing the DNS cache.
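The mechanism described above, a forged answer slipped in for a pending lookup, is what a resolver's acceptance checks are meant to stop. The following is an added example, not code from the original page: a minimal DNS message builder and parser in Python (standard library only), with a validate_response() check that accepts an answer only when its transaction ID matches the outstanding query, the question section echoes the query, and every answer record is for the queried name or a name beneath it (a simplified "bailiwick" check). The names, transaction IDs and RFC 5737 addresses used for the sample messages are constructed for the example.

```python
import struct

def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, offset):
    """Decode a wire-format name (with compression pointers); return (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if jumped else offset)

def build_query(txid, qname):
    """Standard recursive A/IN query for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(txid, qname, answers):
    """Response (QR, RD, RA set) with one A record per (owner, ipv4) pair in answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + body

def parse_message(msg):
    """Parse header, question and answer sections into a dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, rclass, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}

def in_bailiwick(owner, qname):
    """Simplified bailiwick rule: the record must be for the queried name or below it."""
    return owner == qname or owner.endswith("." + qname)

def validate_response(query, response):
    """Return (accepted, reason) for a response to the given outstanding query."""
    q, r = parse_message(query), parse_message(response)
    if not q["questions"]:
        return False, "query has no question"
    if r["txid"] != q["txid"]:
        return False, "transaction ID mismatch"
    if not r["flags"] & 0x8000:
        return False, "not a response"
    if r["questions"] != q["questions"]:
        return False, "question section does not echo the query"
    qname = q["questions"][0][0]
    for owner, _rtype, _rclass, _ttl, _rdata in r["answers"]:
        if not in_bailiwick(owner, qname):
            return False, "out-of-bailiwick record for " + owner
    return True, "accepted"

# Constructed sample exchange (documentation addresses from RFC 5737).
QUERY = build_query(0x1234, "example.com")
GOOD = build_response(0x1234, "example.com", [("example.com", "192.0.2.10")])
FORGED_TXID = build_response(0x9999, "example.com", [("example.com", "198.51.100.66")])
FORGED_EXTRA = build_response(0x1234, "example.com",
                              [("example.com", "192.0.2.10"),
                               ("login.bank.example", "198.51.100.66")])

if __name__ == "__main__":
    for label, msg in [("legitimate", GOOD), ("wrong txid", FORGED_TXID), ("extra record", FORGED_EXTRA)]:
        print(label, "->", validate_response(QUERY, msg))
```

Real resolvers add further checks on top of these (the reply must arrive on the randomized source port of the query, and DNSSEC-validating resolvers verify signatures), which is why guessing a transaction ID alone is not enough against a well-configured resolver; the bailiwick rule here is simplified to the queried name rather than the zone the answering server is authoritative for.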
How to protect yourself against DNS spoofing?
It is one of the most dangerous attacks and is hard to detect. To avoid it, it is best to be cautious and not to install software from unauthorized sources. You should also use antivirus and security software, and it is a very good idea to properly secure your router.