SecurityBrief Asia

DNS attacks: How they try to direct you to fake pages

By Contributor, PR
Thu 2 Mar 2017

DNS servers are essential to the normal functioning of the internet as we know and love it, but they tend to go unnoticed by most users. At least, that is, until some sort of attack or incident occurs that stops them from working normally, which results in the services we use every day starting to fail (something that happened recently when the Mirai botnet attacked a company called DynDNS).

One thing is for sure: there is more than one type of attack that can affect these servers, and in this article we will look at the differences between them.

What is a DNS server?

The Domain Name System (DNS for short) is what lets us resolve the name of a web page to its IP address. This way, as users, we do not need to remember the sequence of numbers that makes up an IP address (or numbers and letters in IPv6), and we can reach, for example, a web page like “www.facebook.com” by typing just that in our browser rather than entering “31.13.92.36”.

Resolving this user-friendly name into an IP address is the work of DNS servers, which they do by referring to a hierarchical distributed database that stores information about which IP address corresponds to which domain name, among other things. This system makes it easier to remember website addresses, and also means the IP address can be changed if needed.

Knowing how important these servers are, it is not surprising that many attacks attempt to exploit vulnerabilities either in them or in the way users use them.

DNS Spoofing vs. DNS Cache Poisoning

Often treated as the same type of attack, these two techniques are in fact technically different from one another. Generally speaking, DNS Cache Poisoning is one of several ways to achieve DNS Spoofing, which is the broad term for the range of attacks aimed at replacing the information held by DNS servers with false records.

DNS Spoofing is the end goal of the attack (managing to change the records stored on the DNS server in whatever way the attackers decide), and different mechanisms can be used to reach it. They include DNS Cache Poisoning, but also man-in-the-middle attacks, the use of fake base stations, and even compromising the security of the DNS server itself.

DNS spoofing also appears in attacks aimed directly at users. One example is replacing the addresses of the DNS servers configured in our operating system or router: these normally point to the DNS servers of our internet service provider, or to those of another organization such as Google, and an attacker who swaps them for their own servers decides how every name the system looks up is resolved.

DNS Cache Poisoning refers to the situation in which many end users share the same cache, whose stored records map each domain name to an IP address. If attackers manage to manipulate an entry in this cache, the internet service providers that use it would treat the entry as authentic, even though it has been altered to point to a fake website.

In that case we have a poisoned DNS cache that no longer returns the legitimate IP address when it resolves a domain name. Obviously, poisoning a cache of this kind is not as easy as poisoning the local cache in a system or router, but it is technically possible and there are precedents.

One of the main problems with DNS Cache Poisoning attacks is that the false records can propagate between DNS servers, so over time they can also reach domestic routers and the DNS cache on the user's own system, as the router receives the incorrect information and updates its local cache with it.

To carry out this type of attack, the attackers need a web server and a DNS server, which they configure as the authoritative DNS server for a trap domain of their own. Next, they need to get the victim's DNS server to look up a link in the trap domain, so that they can begin collecting the transaction IDs of its queries until they are in a position to predict what the next one will be.

Once there, the victim's DNS server is forced to query the attackers' authoritative DNS server, which may point to a domain impersonating a banking website. Knowing what the next transaction ID will be, the attackers can send packets that try to pass for the legitimate replies the user's resolver expects when he or she tries to connect to the bank.

Because the attackers can predict the correct transaction ID, the victim's DNS server stores the forged entry in its cache and accepts it as valid. From then on, any attempt by the victim to reach the bank's website is redirected to the site controlled by the attackers.
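The transaction ID is only one of the things a resolver checks before it caches a reply. The model below is an added example, not code from the article: it shows the ID, source port, question section and bailiwick checks with plain dicts instead of real DNS packets, and why a predictable ID on a fixed port leaves so little for a forged reply to get past. The names, addresses and the Resolver class are constructed for the example.

```python
import secrets

# Added example, not code from the article: a model of the checks a recursive
# resolver applies to a UDP reply before caching it. Queries and replies are
# plain dicts rather than real DNS packets; names and addresses are made up.


def in_bailiwick(name, zone):
    """True if name is zone itself or lies underneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, random_ports=True):
        # A fixed source port leaves only the 16-bit transaction ID to match;
        # a random port per query roughly doubles the bits a forger must hit.
        self.random_ports = random_ports
        self.pending = {}   # (txid, src_port) -> (qname, qtype, zone)
        self.cache = {}     # name -> address

    def send(self, qname, qtype, zone):
        """Record an outstanding query and return the (txid, port) used."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(64512) if self.random_ports else 53
        self.pending[(txid, port)] = (qname.lower(), qtype, zone)
        return txid, port

    def receive(self, reply):
        """Accept a reply only if it matches a pending query; cache just the
        records inside the zone that query was sent to."""
        key = (reply["txid"], reply["dst_port"])
        match = self.pending.get(key)
        if match is None:
            return False                          # unknown ID/port: dropped
        qname, qtype, zone = match
        if (reply["qname"].lower(), reply["qtype"]) != (qname, qtype):
            return False                          # question section differs
        del self.pending[key]                     # first matching reply wins
        for name, addr in reply["records"].items():
            if in_bailiwick(name, zone):          # out-of-zone data is ignored
                self.cache[name] = addr
        return True


def guess_bits(random_ports):
    """Approximate bits of per-reply entropy a forger must guess here."""
    return 16 + (16 if random_ports else 0)
```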

What about DNS hijacking?

Malware can also be used to tamper with domain name resolution so that victims connect to a server controlled by the criminals. One example is malware such as Win32/DNSChanger, which modifies the DNS server settings established by the user or by the internet service provider.

This lets the attackers carry out a wide variety of attacks, ranging from phishing (fake websites which the victim visits thinking they are real, having reached them by entering the correct address in the browser) to the use of exploits that take advantage of vulnerabilities while the user browses what appear to be trusted web pages but have in fact been generated by the attackers in order to infect the user.

The clearest example, however, is networks of zombie computers, better known as botnets. Many of them change the DNS servers configured on their victims' machines so that they point to servers controlled by the attackers. In this way, in addition to the malicious actions already described, the criminals can send commands to the bots, update the malware, or even remove it from the system if necessary.
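A tampered resolver setting of the kind DNSChanger leaves behind is easy to check for if you know which resolvers a host should be using. The script below is an added example, not code from the article: it reads resolv.conf-style text and flags any nameserver that is neither on an approved list nor a LAN router address; the approved list and the sample file are constructed.

```python
import ipaddress

# Added example, not code from the article: audit the resolver addresses a
# host is configured with, so a DNSChanger-style change or a tampered router
# setting stands out. The approved list and the sample file are constructed.

APPROVED = {"192.0.2.53", "192.0.2.54"}          # e.g. your ISP's resolvers
LAN_NETS = [ipaddress.ip_network(n)              # a home router usually lives here
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(servers, approved=APPROVED):
    """Classify each address as approved, lan-router, UNEXPECTED or invalid."""
    verdicts = []
    for addr in servers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            verdicts.append((addr, "invalid"))
            continue
        if addr in approved:
            verdicts.append((addr, "approved"))
        elif any(ip in net for net in LAN_NETS):
            # The router forwards upstream, so its own DNS setting needs the
            # same check (see the note on router hygiene in the conclusion).
            verdicts.append((addr, "lan-router"))
        else:
            verdicts.append((addr, "UNEXPECTED"))
    return verdicts


# Constructed sample: one LAN router entry, one unknown public resolver.
SAMPLE_RESOLV_CONF = """# constructed for this example
nameserver 192.168.1.1
nameserver 203.0.113.7   # not on the approved list
search home.example
"""

if __name__ == "__main__":
    for addr, verdict in audit_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF)):
        print(f"{addr:16} {verdict}")
```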

Conclusion

As we have seen, there are numerous types of attacks that can stop a domain from being resolved correctly and cause users to fall unwittingly into traps laid by criminals, believing they are accessing a legitimate site. To avoid these threats, investing in a good security solution is recommended, ideally one that includes a tool for monitoring the security of your router.

And speaking of routers, it is never a bad idea to check whether your router's security is adequate. Always make sure it is properly updated and configured so that no one can access it without authorization, avoid weak passwords, and do not leave services enabled that allow remote connections to the router.
