What is DNS spoofing?

Mon Mar 02 2020

A few minutes ago, you decided to visit nordpass.com. You typed it into your browser and poof! You’re here. Have you ever wondered what happens in the background?

Your browser doesn’t know how to find this domain — it needs to contact a DNS server to take you here. And even though you were successfully connected to the right website, a DNS spoofing attack could land you somewhere else entirely. Learn what it is and how you can protect yourself from it.

What is DNS?

To understand DNS spoofing, you first need to know what DNS servers are.

Every website on the internet has a domain name and a unique IP address linked to it. Our browsers can navigate only by using IP addresses. But they are at least eight digits long (more if the site uses IPv6), which makes them inconvenient to use and hard to remember for humans. Therefore, we use domain names for easier access — like nordpass.com for NordPass. And we store every website’s domain and IP address in a DNS server that our browsers can access any time we need it.

So, whenever you want to go to a website, you enter the domain name, and your browser contacts a DNS server to ask for that domain’s IP address. If the server has it in its database, it will send it back, and your browser will connect you to the website. However, the DNS server only has addresses that are the most popular in its network. If the server receives an inquiry for a domain name that is not in its database, it will contact another DNS server asking for it. After sending it back to you, your local server will store the domain name and the corresponding IP address in its cache for a short period of time.

Similarly, your browser will check its own local cache before contacting the DNS server. If you visited the same domain recently, its IP address will be stored there. This way, your browser doesn’t need to send a new request to the DNS server, and you are connected a bit faster.

How DNS spoofing works

Attackers use DNS spoofing (also called DNS poisoning) attacks to reroute internet users into fake websites that look exactly like the real thing. People often don’t even notice anything and use these sites as usual. Cybercriminals do it to gain information about their victims (like their login credentials) or install malware on their devices.

Hackers sometimes also use DNS spoofing to perform DDoS attacks. They redirect users from multiple sites to the website they are targeting, which, unable to handle the load, crashes.

There are a few DNS vulnerabilities that cybercriminals can exploit in different attacks:

Cache poisoning

It is one of the most popular methods of DNS spoofing. Cache poisoning is not only effective in redirecting users where the attacker wants them — it also allows the attacker to corrupt other DNS servers’ caches and spread the fake IP address. The attacker inserts the fraudulent IP into the cache, and the server starts sending it out whenever a user asks for it.

This way, any server that sends an inquiry for this domain’s IP will also receive a fake one and store it in its cache. The forged DNS entry will stay there until the cache expires, which can be anywhere from a few hours to a full day.
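The resolution flow described above (check the cache first, query upstream, store the answer for its TTL) and the checks that keep a forged answer out of that cache, as an added Go example that is not part of this article: it simulates a caching resolver that stores an answer only when its transaction ID, destination port and question match a query the resolver actually sent, and that ignores records for zones the queried server does not serve. The Resolver type, the zone and host names and the addresses are constructed for the demonstration; the injectable clock exists so the TTL expiry can be exercised.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// ResourceRecord is a simplified A record: a name, its IPv4 address and the
// TTL after which a cache must drop it.
type ResourceRecord struct {
	Name string
	IP   string
	TTL  time.Duration
}

// Query is an outstanding question. The 16-bit transaction ID and the UDP
// source port are the values an off-path forger would have to guess, so both
// are drawn at random for every query.
type Query struct {
	TxID       uint16
	SourcePort uint16
	Name       string
	Zone       string // zone the question went to; cached answers must stay inside it
}

// Response is a simplified answer as it arrives over the network.
type Response struct {
	TxID     uint16
	DestPort uint16
	Name     string
	Answers  []ResourceRecord
}

type cacheEntry struct {
	ip      string
	expires time.Time
}

// Resolver is a toy caching resolver: a TTL-bounded cache plus the queries
// still waiting for an answer. Now is injectable so expiry can be tested.
type Resolver struct {
	cache   map[string]cacheEntry
	pending map[uint16]Query
	Now     func() time.Time
}

func NewResolver() *Resolver {
	return &Resolver{cache: map[string]cacheEntry{}, pending: map[uint16]Query{}, Now: time.Now}
}

func random16() uint16 {
	var b [2]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return binary.BigEndian.Uint16(b[:])
}

// Lookup serves an address from the cache while its TTL has not run out.
func (r *Resolver) Lookup(name string) (string, bool) {
	key := strings.ToLower(name)
	e, ok := r.cache[key]
	if !ok {
		return "", false
	}
	if !r.Now().Before(e.expires) {
		delete(r.cache, key) // expired: the next lookup goes back to the network
		return "", false
	}
	return e.ip, true
}

// Ask registers a new outstanding query with a random ID and source port.
func (r *Resolver) Ask(name, zone string) Query {
	q := Query{TxID: random16(), SourcePort: 1024 + random16()%64000, Name: name, Zone: zone}
	r.pending[q.TxID] = q
	return q
}

func inBailiwick(name, zone string) bool {
	name, zone = strings.ToLower(name), strings.ToLower(zone)
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// Accept is the defender's gate: an answer is cached only if it matches an
// outstanding query on ID, port and question. Records for other zones are
// dropped so a server cannot plant entries for names it does not serve.
func (r *Resolver) Accept(resp Response) error {
	q, ok := r.pending[resp.TxID]
	if !ok {
		return fmt.Errorf("no outstanding query with id %d", resp.TxID)
	}
	if resp.DestPort != q.SourcePort {
		return fmt.Errorf("port mismatch: query left from %d, answer sent to %d", q.SourcePort, resp.DestPort)
	}
	if !strings.EqualFold(resp.Name, q.Name) {
		return fmt.Errorf("question mismatch: asked %q, answered %q", q.Name, resp.Name)
	}
	delete(r.pending, resp.TxID) // the question is satisfied; later copies are ignored
	for _, rr := range resp.Answers {
		if !inBailiwick(rr.Name, q.Zone) {
			continue // out-of-bailiwick record: never cached
		}
		r.cache[strings.ToLower(rr.Name)] = cacheEntry{ip: rr.IP, expires: r.Now().Add(rr.TTL)}
	}
	return nil
}

func main() {
	r := NewResolver()
	q := r.Ask("www.example.com", "example.com")
	// Constructed forged answer: right question, wrong (guessed) transaction ID.
	forged := Response{TxID: q.TxID ^ 1, DestPort: q.SourcePort, Name: q.Name,
		Answers: []ResourceRecord{{"www.example.com", "203.0.113.9", time.Hour}}}
	fmt.Println("forged answer:", r.Accept(forged))
	// The genuine answer from the zone's own server.
	genuine := Response{TxID: q.TxID, DestPort: q.SourcePort, Name: q.Name,
		Answers: []ResourceRecord{{"www.example.com", "192.0.2.10", 5 * time.Minute}}}
	fmt.Println("genuine answer:", r.Accept(genuine))
	ip, ok := r.Lookup("www.example.com")
	fmt.Println("cached:", ip, ok)
}
```

The three header checks are what make a blind forgery a guessing game over roughly 32 bits rather than 16; the bailiwick filter is what stops one poisoned answer from carrying records for unrelated domains into the cache. Real resolvers add DNSSEC validation on top, which this toy does not model.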

Breaking into the DNS server

This method is similar to cache poisoning — it also relies on planting a fake IP address in the server. But it’s not as simple as tricking a server into storing a fraudulent record in the cache. The attackers need a valid user’s credentials to get into a DNS server. They usually gain them by using keylogging malware, phishing, or man-in-the-middle attacks. This kind of DNS spoofing is difficult to carry out, but the fake IP address ends up directly in the server’s database and stays there rather than in a cache that expires quickly.

Twitter suffered from this attack in 2009 when Iranian cybercriminals redirected all its traffic to their site. However, Twitter never disclosed how the attackers managed to obtain one of its employees’ credentials.

Man-in-the-middle attack

When an attacker manages to intercept a user’s communication with the DNS server, they can respond to their queries with an IP address that leads to a fake or malicious website. When the attacker is trying to gain information without their victim noticing anything, they create a copy of a real site (a social network, online shop, email service, etc.). Some fraudulent websites are so well made that it can be a challenge to tell them apart from the original. But some fakes are borderline absurd attempts to trick people, like a popular clothing brand’s outlet that looks as if it was designed with MS Paint.

How to prevent DNS spoofing?

There are a few different ways organizations can protect DNS servers, and DNSSEC (Domain Name System Security Extensions) is one of the most popular. It uses public-key cryptography to authenticate IP addresses, verify their origin, and make sure no one tampered with them while in transit.
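What "public-key cryptography to authenticate IP addresses" means in practice, as an added Go example that is not part of this article: a zone signs its set of address records with a private key, publishes the public key, and a validating resolver accepts the addresses only if the signature verifies. The Record, ZoneSigner, KeyDigest, TrustKey and Validate names are constructed for the demonstration, the canonical text form is a simplification of DNSSEC's wire-format canonicalisation, and KeyDigest stands in for the DS record a parent zone publishes to vouch for a child's key; real DNSSEC uses RRSIG, DNSKEY and DS records with more fields than shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Record is a simplified A record. DNSSEC signs a whole RRset (every record
// sharing one name and type), so one signature covers all the addresses.
type Record struct {
	Name string
	IP   string
}

// canonicalRRset renders the set in a fixed order so signer and validator
// sign and verify exactly the same bytes regardless of arrival order or case.
func canonicalRRset(name string, rrs []Record) []byte {
	ips := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		if strings.EqualFold(rr.Name, name) {
			ips = append(ips, rr.IP)
		}
	}
	sort.Strings(ips)
	return []byte(strings.ToLower(name) + " IN A " + strings.Join(ips, " "))
}

// ZoneSigner holds the zone's signing key. Only the public half is published
// (as a DNSKEY record); the private half stays with the zone operator.
type ZoneSigner struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewZoneSigner() (*ZoneSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ZoneSigner{priv: priv, pub: pub}, nil
}

// PublicKey is the zone's key as a validator sees it.
func (z *ZoneSigner) PublicKey() ed25519.PublicKey { return z.pub }

// Sign produces the signature that an RRSIG record would carry for the set.
func (z *ZoneSigner) Sign(name string, rrs []Record) []byte {
	return ed25519.Sign(z.priv, canonicalRRset(name, rrs))
}

// KeyDigest stands in for the DS record the parent zone publishes: a hash of
// the child's public key, which is how trust chains down from the root.
func KeyDigest(pub ed25519.PublicKey) [sha256.Size]byte {
	return sha256.Sum256(pub)
}

// TrustKey is the chain-of-trust step: a zone key is trusted only if its
// digest matches the DS record the parent signed for it.
func TrustKey(ds [sha256.Size]byte, pub ed25519.PublicKey) bool {
	return KeyDigest(pub) == ds
}

// Validate is the resolver's check: the RRset is used only if its signature
// verifies under the trusted zone key. A replaced or altered address fails here.
func Validate(pub ed25519.PublicKey, name string, rrs []Record, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(name, rrs), sig)
}

func main() {
	zone, err := NewZoneSigner()
	if err != nil {
		panic(err)
	}
	rrs := []Record{{"www.example.com", "192.0.2.1"}, {"www.example.com", "192.0.2.2"}}
	sig := zone.Sign("www.example.com", rrs)
	ds := KeyDigest(zone.PublicKey()) // what the parent zone would publish

	fmt.Println("key vouched for by parent DS:", TrustKey(ds, zone.PublicKey()))
	fmt.Println("genuine RRset validates:     ", Validate(zone.PublicKey(), "www.example.com", rrs, sig))

	// Constructed tampering: one address swapped for an attacker-chosen one.
	tampered := []Record{{"www.example.com", "203.0.113.9"}, rrs[1]}
	fmt.Println("tampered RRset validates:    ", Validate(zone.PublicKey(), "www.example.com", tampered, sig))
}
```

Note what the signature does and does not buy: a validating resolver can tell that an address was altered or never came from the zone, which is exactly the gap the cache-poisoning and interception attacks above exploit, but only if the resolver actually validates and the zone is signed. A client that trusts an unvalidating resolver gains nothing from the zone's signatures.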

Unfortunately, there’s not much regular internet users can do to stop DNS spoofing. And there’s no way for you to check whether the IP address the DNS server sent is genuine or replaced with another one. But not everything is as gloomy. When it comes to fake websites, there are numerous tell-tale signs to look for:

  • See if there’s a padlock icon next to the URL. It means that the website has a valid TLS/SSL certificate, and all communication between you and the website is encrypted. If the attackers did not put much effort into their fake site, it’s likely that it will not have this certificate. But every major web page has it, so if there’s no “https” at the beginning of the URL, it’s a huge red flag.
  • Check the URL. Is it the same domain you originally typed into your browser? Or are some letters missing? Our eyes are so used to reading “amazon.com” that many people may not even notice that there is something wrong with “arnazon.com.” If the domain is not the same one you visited in the first place, it means you were redirected. This should immediately raise suspicion — don’t enter any personal information before verifying you’re not on a scam website.
  • Is it on brand? If you visit that particular site often or know the brand well, you should be able to tell if something is off. Are the logo and slogan up to date? Are the images, fonts, and general design in line with what you’ve come to expect from the brand? If there’s anything that makes you suspicious, it’s better to investigate further.
  • Pay attention to the content. If it’s a personal blog, then some typos might find their way in. But large corporations spend a lot of money on their image, and leaving obvious grammar mistakes is always off brand, so there should be none. Attackers often spend more time recreating the design and get a little lazy when it comes to the website’s content. So, if the text is poorly put together or the headlines don’t make much sense, tread carefully.
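The "check the URL" tip above, turned into a check a program can make, as an added Go example that is not part of this article: Classify compares the domain shown in the address bar with the one the user meant to reach, treating a subdomain of the expected name as genuine, and flagging names that collapse to the same shape once visually confusable sequences such as "rn" and "m" are folded together, that embed the expected name as a leading label, or that sit within a small edit distance of it. The Verdict type, the confusables table (a small constructed sample, not a full Unicode confusables list) and the distance threshold are all assumptions of this example; the domains other than amazon.com and nordpass.com are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict is the result of comparing the domain a user landed on with the
// one they intended to visit.
type Verdict int

const (
	Exact     Verdict = iota // the expected domain or a subdomain of it
	Lookalike                // visually or textually close: treat as suspect
	Unrelated                // a different domain altogether
)

func (v Verdict) String() string {
	return [...]string{"exact", "lookalike", "unrelated"}[v]
}

// confusables is a constructed sample of sequences that look alike in common
// fonts. Digit substitutions run first so "c1" still folds to "d" via "cl".
var confusables = []struct{ from, to string }{
	{"0", "o"}, {"1", "l"}, {"3", "e"}, {"5", "s"}, {"@", "a"},
	{"rn", "m"}, {"vv", "w"}, {"cl", "d"},
}

// skeleton collapses lookalikes so that "arnazon" and "amazon" compare equal.
func skeleton(host string) string {
	s := host
	for _, c := range confusables {
		s = strings.ReplaceAll(s, c.from, c.to)
	}
	return s
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// editDistance is plain Levenshtein distance over runes.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

// normalize lower-cases a host name and drops a trailing dot.
func normalize(host string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(host), "."))
}

// Classify compares the domain shown in the address bar with the expected one.
func Classify(shown, expected string) Verdict {
	s, e := normalize(shown), normalize(expected)
	switch {
	case s == e || strings.HasSuffix(s, "."+e):
		return Exact
	case strings.Contains(s, e+"."):
		return Lookalike // expected name used as a leading label of another domain
	case skeleton(s) == skeleton(e):
		return Lookalike // same shape once confusable glyphs are folded
	case editDistance(s, e)*5 <= len(e):
		return Lookalike // at most one edit per five characters of the expected name
	}
	return Unrelated
}

func main() {
	shown := []string{"amazon.com", "www.amazon.com", "arnazon.com", "amaz0n.com", "amazn.com", "amazon.com.login.example", "nordpass.com"}
	for _, h := range shown {
		fmt.Printf("%-26s -> %s\n", h, Classify(h, "amazon.com"))
	}
}
```

A Lookalike verdict is a reason to stop and check, not proof of fraud: short domains will produce false positives under any edit-distance rule, which is why the threshold scales with the length of the expected name.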

These tips will help you identify a fake website. However, if you are redirected to a malicious site, it makes no difference whether it’s real or not — malware could still get into your device. If that happened to you, scan the device immediately and make sure it is safe to use. There are many different types of malicious programs that can infect your laptop or smartphone, so it’s better to stay on the safe side.

Chad Hammond
Chad loves traveling and technology. His global view and open-mindedness add interesting angles to various security topics. He has already traveled to over 80 countries and is not planning to stop any time soon.