DNS SPOOFING- Tricking a DNS server into installing a false IP address

DNS SPOOFING- Tricking a DNS server into installing a false IP address is called DNS spoofing. For example, suppose Trudy is able to crack the DNS system, may be just the DNS cache at Alice’s ISP, and replace Bob’s IP address with her (Trudy’s) IP address. When Alice looks up Bob’s IP address, she gets Trudy’s, so all her traffic intended for Bob goes to Trudy. Trudy can now mount a man-in-the-middle attack without having to go to the trouble of tapping any phone lines. Instead she has to break into a DNS server and change one record, a much easier proposition.

How might Trudy fool DNS? It turns out to be relatively easy. Trudy can trick the DNS server at Alice’s ISP into sending out a query to look up Bob’s address .Unfortunately since DNS uses UDP; the DNS server has no real way of checking who supplied the answer. Trudy can exploit this property by forging the expected reply and thus injecting a false IP address into the DNS server’s cache.

Trudy starts the attack by sending a lookup request to Alice’s ISP asking for the IP address of Bob’s. Since there is one entry for this DNS name, the cache server queries the top level server for the com domain to get one. However Trudy beats the com server to the punch and sends back a false reply. If her false reply gets back to Alice’s ISP first, that one will be cached and the real reply will be rejected as an unsolicited reply to a query no longer outstanding. A cache that holds an intentionally false IP address like this is called a poisoned cache.

No related posts.