DNS series (III): how to avoid DNS spoofing
2022-07-28 04:22:00 【Shoot the clouds again】
Every device on the Internet has an IP address. When we visit websites or send messages, the request reaches its exact destination by IP address. But an IP address is a long string of numbers that is hard to remember, so more practical domain names were created to stand in for IP addresses. Linking a domain name to its IP address is the job of the Domain Name System (DNS). It is made up of various name servers (that is, DNS servers), which are responsible for domain name resolution and help clients establish connections. It is one of the most important services on the network.
Communication between name servers and clients carries certain security risks: malicious actors can tamper with name resolution on the Internet in many ways. This article discusses DNS spoofing, an attack launched by means of false IP addresses.
What is DNS spoofing?
DNS spoofing means that DNS name resolution has been tampered with; most commonly, the IP address of a domain name is forged. Because DNS resolution mostly happens inside the system and the browser displays the correct domain name, users usually do not notice the tampering. In practice, the attacker causes a DNS request to return a false IP address; when the client establishes a connection to that false IP address, the user is redirected to a fake server. A quick example:

The following figure shows a client being spoofed while connecting to the website example.com:

(The picture comes from the Internet; in case of infringement, please contact us to delete.)
d1: The client first asks the DNS server for the IP address of the hostname example.com.
d2: The client receives a response to the request, but it contains a false IP address. No connection is established with the real example.com server.
h1: The client sends its request to the malicious host behind the forged IP address.
h2: The malicious host returns a seemingly legitimate web page to the client. However, the malicious host lacks the security certificate for the domain name.
A, B, C: These are the different attack points for DNS spoofing: on the client or local router, on the network connection, and on the DNS server.
What are the threats of DNS spoofing?
Attackers use DNS spoofing for phishing and domain name spoofing attacks, with the aim of intercepting user data on the Internet. DNS spoofing affects every connection the client establishes: whether you visit a website or send an email, if the IP address of the relevant server has been tampered with, the victim is led to believe they have reached a legitimate address. The attacker then exploits that trust to lure the victim into downloading malware that infects the system, and goes on to steal sensitive user data.
DNS spoofing brings the following risks:
Confidential data theft: Phishing is used to steal sensitive data such as passwords. These methods are usually used to break into computer systems or carry out various kinds of fraud.
System malware infection: The victim is tricked into installing malware on their system, opening the door to further attacks.
Collection of user information: Personal data is collected in the process, for sale or for other targeted phishing attacks.
Continuing threat: After DNS spoofing, the tampered DNS response may remain in the cache, so the deception persists for a long time.
In the spring of 2020, during the COVID-19 epidemic, a DNS spoofing attack occurred abroad. The attackers hijacked the router's DNS settings and changed them to a malicious IP address. The victim's browser would open by itself and display a message prompting them to download a "COVID-19 notification application" purportedly from the World Health Organization (WHO). In fact, the software was a Trojan. If the victim installed it, it would search the local system and try to access sensitive data, which was then used for phishing attacks against the victim.

△ Fake Msftconnecttest page promoting a COVID-19 information application
However, not all DNS spoofing is a malicious attack. Some Internet service providers (ISPs) occasionally use DNS spoofing to censor content or serve advertisements. For example, an ISP can deliberately manipulate DNS tables to implement national censorship requirements. This prevents users from visiting illegal websites: when a user accesses a forbidden domain name, they are redirected to a warning page. DNS spoofing can also help collect user data or serve advertisements through redirection. For example, when a user enters a domain name that does not exist or is misspelled, the ISP uses DNS spoofing to redirect the user to a specific page, which may show advertisements or build user profiles.
How to avoid DNS spoofing?
DNS spoofing is a threat to information security, and we need to be wary of it. Encryption measures can effectively prevent DNS spoofing. Encryption usually has two key advantages:
It protects data from unauthorized access by third parties
It ensures the authenticity of both sides of the communication
For webmasters, the available encryption measures include enforcing HTTPS on the website's domain and using the security protocols TLS and SSL for the connections configured in email clients (for example IMAP, POP3 and SMTP). This kind of encryption protects the data transmitted in requests. If an attacker attempts to impersonate a legitimate host, the client shows a certificate error, which reduces the likelihood of falling victim to DNS spoofing.
Connections between DNS servers can also use DNSCrypt, DNS over HTTPS (DoH) and DNS over TLS (DoT) to reduce dangerous man-in-the-middle attacks. Note, however, that these three solutions are not yet widely deployed, and the DNS server must support the corresponding security technology before any of them can be used for encryption.

The above covers the encryption measures available to administrators. As users, we can use public DNS to avoid DNS spoofing. The setup is very simple: change the DNS address directly in the system's "Network settings". Besides countering DNS spoofing, public DNS can also speed up resolution. Large public DNS services also usually use advanced security technologies such as DNSSEC (DNS Security Extensions), DoH, DoT and DNSCrypt. Common public DNS services include 114DNS at 114.114.114.114, which is clean and free of hijacking, and Google at 8.8.8.8 and Quad9 at 9.9.9.9, which support DNSSEC.
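A way to check for the d2 step described earlier (a false IP address in the response) is to compare what the locally configured resolver returns with what the public resolvers named above return. The following is an added example, not code from the original article; it goes slightly beyond the text by parsing DNS wire-format responses. The function names, the "local-router" label and the responses are constructed for illustration, and the addresses come from the reserved documentation ranges.

```python
import ipaddress
import struct

def build_query(name, txid):
    """Encode a recursive A/IN query for `name` in DNS wire format."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg, txid):
    """Return the set of IPv4 addresses in the answer section of a response."""
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):               # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(str(ipaddress.IPv4Address(msg[off + 10:off + 14])))
        off += 10 + rdlen
    return addrs

def suspicious_resolvers(answers, trusted):
    """Resolvers whose answer shares no address with any trusted resolver's answer."""
    reference = set().union(*(answers[r] for r in trusted))
    return sorted(r for r, a in answers.items() if r not in trusted and not (a & reference))

def constructed_response(query, ip):
    """Constructed sample data: a one-answer response to `query` pointing at `ip`."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + rr

def demo():
    q = build_query("example.com", 0x1A2B)
    ips = {"local-router": "203.0.113.66", "8.8.8.8": "192.0.2.10", "9.9.9.9": "192.0.2.10"}
    answers = {r: parse_a_records(constructed_response(q, ip), 0x1A2B) for r, ip in ips.items()}
    return suspicious_resolvers(answers, trusted={"8.8.8.8", "9.9.9.9"})
```

A mismatch is a lead to verify, not proof of spoofing: content delivery networks can legitimately return different addresses to different resolvers, so confirm with the certificate check described above.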
That is all on DNS spoofing for now. I hope this article helps you better protect your information security.
Recommended reading
DNS series (I): Why doesn't an updated DNS record take effect?
DNS series (II): DNS records and how they work, do you understand them?