Understand your needs
Improve our services
Deliver personalised content
Save your preferences
Analyse visitor interactions
Your consent is voluntary – you can always change you cookie settings here.
Every time you visit a webpage, you expect your browser to take you straight there. However, it could land you in a scam site – and you might not even notice it. It happens when someone uses a DNS spoofing attack to compromise DNS records and redirect users from real websites to fake ones. Read on to know what it is, how it works, and what you can do to protect yourself from it.
Apr 20, 2020 · 5 min read
First to understand how DNS spoofing works, we need to understand what DNS servers do.
When you tell your spouse that you’re going to visit a friend, you say, “I’m going to Taylor’s,” not “I’m going to 135 Court St, West Eaton.” Similarly, all websites have domain names and IP addresses. We prefer to use the former when navigating the internet since it would be too difficult to remember numerous IP addresses of eight and more digits. DNS (Domain Name System) servers help us by converting domain names into IP addresses. Think of it as translating human language into computer language. Here’s how it works.
When you type www.nordvpn.com into your browser, it has to look up NordVPN domain’s IP address first. Your browser finds it by contacting the DNS server that stores the domain name records. The DNS server finds the IP address, sends the information back to your browser, and the page is displayed on your screen.
The server usually belongs to your ISP, but it can’t hold every IP address of every website on the internet. Local DNS servers usually only have addresses that are most used in their local network. If the DNS server has the address your browser is looking for, it will send it back right away. Otherwise, it will need to forward the inquiry to another DNS server. Once your local servers send the address to your browser, it will store the address temporarily in its cache in case you need it again.
DNS spoofing is a cyberattack used to redirect internet users to fake or malicious websites. It’s done by replacing the real IP address with another one. Hackers use these attacks to spy on people, install malware, and steal their data, like login credentials or banking information. It’s hard for victims to spot attacks as they don’t normally see what happens in the background while they browse.
Attackers use different tactics to spoof DNS addresses and redirect internet users to their fake websites. They may create copies of real websites, fill them with malware, or simply show a message that the real one was “hacked.”
It can also be used to perform DDoS attacks. If a hacker manages to replace IP addresses of multiple domains with one belonging to the website they’re targeting, all users will be redirected to it. The site won’t be able to handle so many requests and will crash.
There are three ways to spoof a DNS record:
This method is the most obvious one, but it’s also the most difficult one. Attackers need to obtain credentials from a user with access to the DNS server they want to target. To get these credentials, hackers might use various phishing techniques or keylogging malware. Once they have them, they can log in and change the records in the DNS server.
It’s a more complicated attack than cache poisoning, but has a longer lasting effect. The fake IP address will stay in the server until someone notices and changes it back. It will also spread to other DNS servers that send inquiries and will remain in their caches for a short time.
Cache poisoning is the most popular DNS spoofing tactic. It’s easier than breaking in, but the results don’t last as long. Similarly, it allows the fake IP address to spread to other DNS servers’ caches.
This is how it works. The attacker sends a query to the DNS server, asking for an IP address. The DNS server sends out a query to the nameserver, and the attacker, pretending to be an authoritative DNS nameserver, responds to it himself. Since there is no verification in place, the hacker can plant a fake IP address in the DNS servers’ cache.
Once the faulty record is there, it’s sent out to other DNS servers who have also requested it. Even though caches expire every few hours, the fake DNS entry might still spread significantly, depending on how popular the domain is.
If you’re using an unsafe connection, like public Wi-Fi, you might be vulnerable to a man-in-the-middle attack. If a hacker intercepts your connection, they’ll be able to see everything you do online and use that information against you. So, whenever your browser sends a request to a DNS server, the attacker might respond with any IP address they want.
As DNS spoofing is usually part of a larger attack scheme, the hacker will try to lead you to a fake website. These might look exactly like the real thing – popular online stores or social networks. They are used to trick people into revealing their login credentials, credit card information, and other sensitive data. If you’re not careful and don’t know how to spot a fake website, you might not even notice that something is off and unknowingly reveal your sensitive information.
Since there is no way to check whether you got a real IP address, there’s not much you can do to stop it. If it redirects you to a random page, don’t click on anything, leave immediately, and notify your ISP about the possibly compromised DNS record.
You should also use a VPN to avoid man-in-the-middle attacks. NordVPN’s Threat Protection feature will enhance your security even further by notifying you if the page you’re about to visit is known to contain malware. However, if you suspect that a webpage you were redirected to might have installed malware on your device, use an anti-malware tool to scan it.
The one thing you must look out for the most is copies of real websites. Luckily there’s more than one way to spot a fake, and once you get the hang of it you won’t be easily tricked:
Want to read more like this?
Get the latest news and tips from NordVPN