What is DNS Spoofing?

In IT security, DNS spoofing is a collective term for malicious manipulation of the DNS seeking to redirect users on the internet to a specific resource. DNS spoofing includes attacks employing DNS cache poisoning, in which manipulated entries are injected into the DNS cache of name servers. In addition, there are many other ways in which the Domain Name System can be maliciously sabotaged.


A definition of DNS spoofing

When cybercriminals misuse the DNS to maliciously redirect traffic with the intention of redirecting potential victims to fake and/or harmful content, this is called DNS spoofing. The word “spoof” means to parody, imitate, or fake. And that’s just what this attack vector does. In the vast majority of cases, cybercriminals use DNS spoofing for phishing attacks to get their hands on sensitive user credentials. Login information from banks or payment services, for example, is in particularly high demand.

To redirect traffic, attackers sabotage the DNS, which in a figurative sense acts as the telephone book of the internet and defines the assignment of domain names to the IP addresses of web servers.

The correct assignment is stored in the DNS entries, which are provided by name servers worldwide and temporarily cached locally on routers and computers. If attackers succeed in injecting false entries within this chain of information, whether locally on a user’s computer or directly on a name server, they are then able to control and redirect traffic at will. Since DNS queries are usually transferred unencrypted, attackers have many options for malicious meddling.

DNS spoofing belongs to the ranks of “man-in-the-middle” attacks (MITM for short), in which cybercriminals insert themselves unnoticed into the digital communication between users and services.


What are the threats posed by DNS spoofing?

The threat scenarios also vary depending on where and in what form malicious DNS tampering by spoofing occurs. In most cases, cybercriminals use DNS spoofing to steal login credentials on fake websites or to insert malware for other attacks. In the past, users were often redirected to the fake portals of banks, payment, webmail, and other online services. Hacker groups have also targeted public authorities and government agencies using DNS spoofing attacks. Accordingly, the spectrum of threats posed by this attack vector ranges from simple phishing to sophisticated industrial espionage and meddling in the political realm. In the latter case, DNS spoofing usually forms only a small part of a complex APT (Advanced Persistent Threat) attack by state actors. Authoritarian regimes also like to employ to DNS spoofing and other methods to keep controversial content on the internet away from their own people.

In some cases, however, DNS spoofing is also used by law enforcement to take portals with illegal content offline. For example, German network operator Vodafone has taken steps to block access to kinox.to, the illegal streaming platform. However, privacy advocates disapprove of such moves, as they can also be interpreted as active acts of censorship of the internet.


What kinds of DNS spoofing are there?

Technically, there are many ways to carry out DNS spoofing. In general, this attack vector includes all forms of attacks that compromise valid DNS entries, redirecting users to other content on the internet without them noticing. The most common methods of DNS spoofing are:

DNS cache poisoning

One kind of DNS spoofing is referred to as DNS cache poisoning. Attackers seek to manipulate the DNS entries in the cache of devices, routers, and servers. To do this, cybercriminals exploit vulnerabilities to tamper with the DNS entries of name servers, which are then loaded into the cache of requesting servers and devices and passed on.

DNS hijacking

DNS hijacking involves the use of malware that cybercriminals sneak onto routers and devices such as PCs and tablets. This malware modifies the network connection settings stored on the devices to redirect users to harmful websites without them even noticing. A popular example of such malware is the Windows Trojan Win32/DNSChanger. The executable EXE file is only a few kilobytes in size and tampers with the system’s DNS settings to secretly redirect traffic. The attackers’ objectives include phishing and click fraud. To do this, users are directed to pay-per-click ad banners, which in turn generates revenue for the cybercriminals.

Sequence of a DNS cache poisoning attack


What are appropriate protective measures against DNS spoofing?

There are many ways to protect DNS name resolution from being tampered with. For example, DNS queries can be protected by using DNS cookies that ensure the authenticity and integrity of clients, servers, and the data transferred between them. The implementation of DNSSEC technology also provides protection against DNS spoofing.

The use of up-to-date and well-maintained software on name servers, routers, and all devices also makes DNS tampering more difficult. There are far fewer points of attack for cybercriminals and malware on patched systems.

Network connections


What you need to know about DNS spoofing

Cybercriminals use DNS spoofing to tamper with DNS entries on servers, routers, PCs, and mobile devices, redirecting users to mostly harmful web content. In most cases, the attacks seek to steal valuable login credentials by phishing, spread malware, or generate revenue from click fraud. In addition, authoritarian regimes often employ spoofing methods: Unwelcome portals on the internet can easily be censored by tampering with the internet service providers. DNS extensions such as DNS cookies and DNSSEC, used to authenticate and check the integrity of clients, servers, and data, have proven to be effective preventive measures.

Myra Secure DNS supports the use of DNS cookies and DNSSEC to protect against DNS spoofing.