2. Agenda
What is a DNS Poisoning Attack?
DNS hijacking
How can I change my computers DNS address
DNS Poisoning V/S DNS Hijacking
3. A Domain Name System (DNS) poisoning attack, also called
DNS spoofing, is when an attacker is able to redirect a victim
to different website than the address that he types into his
browser.
Domain Name System Poisoning
For example, a user types www.google.com into their
browser, but instead of being directed to Google’s
servers he is instead is sent to a fraudulent site that may
look like Google’s site but is in actuality it is controlled by
the attacker. The attacker is able to do this by changing
the Internet Protocol (IP) address that usually points to
Google to the fake IP address of the attacker.
4. The Domain Name System is needed so that networked
machines can communicate with each other. Machines use a unique
IP address to identify one another much the same way a street address
is used to locate a business or home. However, people like words such
Google, Yahoo, or YouTube instead of a difficult to remember IP
address, like 67.13.142.130, which is easier for a machine to
understand. Domain name servers are used to convert names to their
corresponding IP address and vice versa
5. The DNS system is a massive database with billions of domain
names and IP addresses. The system handles billions of requests
everyday as people surf the internet, send email, a create new
websites. Even though the DNS system is distributed around the world, it
acts like a single system.
6. An attack can happen by modifying the host tables that are
stored on local computers. The host table is list of domains and IP
addresses that are used to find the correct IP address when a user
enters a domain site name. If the so-called host table name system
does not have the correct IP address stored locally then it contacts an
external DNS for the correct IP address. If an attacker is able to
compromise the entries within the host table then they can direct
websites names to any IP address they wish.
7. Another method of performing a DNS Poisoning Attack is to
target the external DNS servers themselves. External DNS servers
exchange information, including name and IP mapping, with each
other using zone transfers. Attackers can set up a DNS server with fake IP
address entries so that if the targeted DNS server accepts the zone
transfer as authentic, it will then use and distribute the fake IP address
assignments to other DNS servers
8. One way to prevent a DNS poisoning attack is to ensure
that the latest version of the DNS software, called Berkley
Internet Name Domain (BIND), is installed.
9. DNS hijacking
Unauthorized modification of a DNS server or change of DNS
address that directs users attempting to access a web page to a
different web page that looks the same, but contains extra content
such as advertisements, is a competitor page, a malware page, or third-
party search page.
10.
11. How do I know if my ISP is
hijacking me?
If you visit any fake or non-existent site,
e.g., http://www.jasdf2dfde3.com and it pulls up a search engine or a
collection of links your DNS is redirecting you.
12. How can I change my
computers DNS address?
Microsoft Windows 7 users
Click Start and then Control Panel
Click View network status and tasks
Click Change adapter settings on the left portion of the Window.
Double-click the icon for the Internet connection you're using. Often this
will be labeled "Local Area Connection" or the name of your ISP. If you
have multiple connections, make sure not to click the one with the red
X.
Click the Properties button.
Click and highlight Internet Protocol Version 4 (TCP/IPv4) and
click Properties.
If not already selected, select Use the following DNS server addresses
Enter the new DNS addresses and then click Ok and close out of all
other windows.
13. DNS hijacking vs
DNS Poisoning
In the case of DNS hijacking, your machine makes a request to an
upstream DNS provider asking "where is www.google.com" and it
responds "www.google.com is at 2.3.4.5
DNS cache poisoning is where someone else's machine sends a request
to your upstream provider asking "where is www.google.com".
When that machine requests www.google.com from its upstream
provider, the attacker then tries to "race" the DNS response. So the
poisoner effectively asks "where is www.google.com" and then throws
lots of "www.google.com is at 2.3.4.5