dns

DNS Poisoning By: Jamil Ahmed SC12-BSIT-020

Upload: dom-mike

Post on 25-May-2015


Category:

Engineering



TRANSCRIPT

Page 1: Dns

DNS Poisoning
By: Jamil Ahmed SC12-BSIT-020

Page 2: Dns

Agenda
What is a DNS Poisoning Attack?
DNS hijacking
How can I change my computer's DNS address?
DNS Poisoning vs. DNS Hijacking

Page 3: Dns

A Domain Name System (DNS) poisoning attack, also called DNS spoofing, is when an attacker is able to redirect a victim to a different website than the one whose address they type into their browser.

Domain Name System Poisoning

For example, a user types www.google.com into their browser, but instead of being directed to Google's servers they are sent to a fraudulent site that may look like Google's site but is actually controlled by the attacker. The attacker is able to do this by changing the Internet Protocol (IP) address that usually points to Google to the fake IP address of the attacker.

Page 4: Dns

The Domain Name System is needed so that networked machines can communicate with each other. Machines use a unique IP address to identify one another, much the same way a street address is used to locate a business or home. However, people prefer words such as Google, Yahoo, or YouTube to a difficult-to-remember IP address like 67.13.142.130, which is easier for a machine to understand. Domain name servers are used to convert names to their corresponding IP addresses and vice versa.

Page 5: Dns

The DNS system is a massive database with billions of domain names and IP addresses. The system handles billions of requests every day as people surf the internet, send email, and create new websites. Even though the DNS system is distributed around the world, it acts like a single system.

Page 6: Dns

An attack can happen by modifying the host tables that are stored on local computers. The host table is a list of domains and IP addresses that is used to find the correct IP address when a user enters a domain name. If the host table does not have the correct IP address stored locally, the computer contacts an external DNS server for the correct IP address. If an attacker is able to compromise the entries within the host table, they can direct website names to any IP address they wish.
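A defensive check for the host-table tampering described above, as an added example that is not part of the original slides: it parses host-table text and reports entries that pin a public domain name to a locally chosen address. The sample table, the function names `parse_hosts` and `audit_hosts`, and the list of internal suffixes are assumptions made for illustration.

```python
import ipaddress

# Constructed sample host table (not from the original slides); 203.0.113.0/24
# is a documentation-only address range.
SAMPLE_HOSTS = """\
# local names
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    fileserver.lan          # internal box
203.0.113.66    www.google.com google.com
0.0.0.0         ads.example.net
not-an-ip       www.yahoo.com
"""

def parse_hosts(text):
    """Yield (line_no, ip_or_None, raw_address, names) for each host-table entry."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None  # keep the entry so the audit can report it
        yield line_no, ip, fields[0], [n.lower().rstrip(".") for n in fields[1:]]

def audit_hosts(text, local_suffixes=(".lan", ".local", ".internal")):
    """Return (line_no, name, address, reason) for entries that override public names."""
    findings = []
    for line_no, ip, raw, names in parse_hosts(text):
        for name in names:
            if ip is None:
                findings.append((line_no, name, raw, "malformed address"))
            elif ip.is_loopback or ip.is_unspecified:
                continue  # assumption: localhost names and 0.0.0.0 blocklist entries are expected
            elif "." not in name or name.endswith(local_suffixes):
                continue  # single-label or internal name, not a public override
            else:
                findings.append((line_no, name, raw, "public name pinned locally"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Each finding is a lead to review against what the name resolves to through a trusted resolver, since administrators sometimes pin public names on purpose.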

Page 7: Dns

Another method of performing a DNS poisoning attack is to target the external DNS servers themselves. External DNS servers exchange information, including name and IP mappings, with each other using zone transfers. Attackers can set up a DNS server with fake IP address entries so that, if the targeted DNS server accepts the zone transfer as authentic, it will then use and distribute the fake IP address assignments to other DNS servers.

Page 8: Dns

One way to prevent a DNS poisoning attack is to ensure that the latest version of the DNS software, called Berkeley Internet Name Domain (BIND), is installed.

Page 9: Dns

DNS hijacking

DNS hijacking is the unauthorized modification of a DNS server, or a change of DNS address, that directs users attempting to access a web page to a different web page that looks the same but contains extra content such as advertisements, or that is a competitor page, a malware page, or a third-party search page.

Page 10: Dns
Page 11: Dns

How do I know if my ISP is hijacking me?

If you visit any fake or non-existent site, e.g., http://www.jasdf2dfde3.com, and it pulls up a search engine or a collection of links, your DNS is redirecting you.

Page 12: Dns

How can I change my computer's DNS address?

Microsoft Windows 7 users

1. Click Start and then Control Panel.
2. Click View network status and tasks.
3. Click Change adapter settings on the left portion of the window.
4. Double-click the icon for the Internet connection you're using. Often this will be labeled "Local Area Connection" or the name of your ISP. If you have multiple connections, make sure not to click the one with the red X.
5. Click the Properties button.
6. Click and highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties.
7. If not already selected, select Use the following DNS server addresses.
8. Enter the new DNS addresses, then click OK and close out of all other windows.

Page 13: Dns

DNS hijacking vs DNS Poisoning

In the case of DNS hijacking, your machine makes a request to an upstream DNS provider asking "where is www.google.com" and it responds "www.google.com is at 2.3.4.5".

DNS cache poisoning is where someone else's machine sends a request to your upstream provider asking "where is www.google.com". When that machine requests www.google.com from its upstream provider, the attacker then tries to "race" the DNS response. So the poisoner effectively asks "where is www.google.com" and then throws lots of "www.google.com is at 2.3.4.5"