DNS Spoofing

DNS is a Domain Name System,  which has all the websites names and its corresponding IP address in its database in the form of records and are placed in a hierarichal manner in the Internet. When ever a client access a particular website say www.google.com, a request will be first sent to the Local DNS server for the ip address of that particular website. Then the DNS server checks for that particular ip address in its data base and once it finds it,  then it immediately sends a response to the client browser regarding the IP information. If it doesnot find in its database,  then it will forward the request to the top level DNS server in the hierarchy. In this way, the DNS server resolves name resolution requests coming from the clients.  

 When an entry in DNS server is modified in such a way that,  a particular website to an ip address which is not the expected one. Then the clients, whose requests are being resloved by this DNS server, may be redirected to another website than the expected one.This kind of situation occurs, when the entry is not added correctly in the DNS server or any unauthorised user has modified the DNS entries. The process of modifying the DNS entries in an unauthorised manner is known as DNS Spoofing.

DNS spoofing is mainly achieved by using the following methods.

  • DNS cache Poisioning and
  • DNS ID spoofing. 

The DNS Cache Poisioning method, can be explained with an example. Consider two DNS servers – one which is Local DNS server with domain name www.abc.com  for your organisation and the other is a comprimised DNS server with domain name www.attacker.com. The attacker adds some customised entries, which includes legitimate website names with his own relevant ip address in the compromised DNS server. After that he sends a name resolution request for the ip address information of the domain www.attacker.com to the DNS server of the domain www.abc.com. Since the DNS server, doesnt have the information in its data base, it sends response to the attacker after getting the information from the comprimised DNS Server. During this transaction period, the DNS server of www.abc.com not only recieves the ip address information of www.attacker.com but also the other records present in the DNS server in to its cache. This is normally referred to as cache poisioning. At this moment, if  a legtimate user connects  to local DNS server for name resolution he will be misguided to other website than the expected one.

 In case of DNS ID spoofing, when a name resolve request is generated by the client to send it to the DNS serever,  an ID will be generated along with the request. The client will accept the response for his request, if the ID of the response packet matches with the requested packet ID. But this way of name resolution is not secured. Because any unauthorised user can sniff the request and can create a response packet on the fly with the same id  and ip information contained in it is not the expected one. This kind of DNS attack is known as DNS ID Spoofing.  

Detecting and analysing the attacks through Intrusion Detection System

 The above alert is generated by an IDS Sensor, since it has received a DNS query response with a Time to Live value of 1 Minute. Here the TTL of value of 1 Minute will store the information in the  clinets pc cache for less period of time, so that it can eleminate the evidence of spoofed response. Also this response doesnot have Authority Record. This kind of attacks are severe as they lead the user to other site than expected. Sometimes it will lead to providing personal information by the user to a non legitimate site.

The Signature used by IDS to detect this attack is

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; metadata:policy security-ips drop, service dns; classtype:bad-unknown; sid:254; rev:7;)

Here the signature tell the IDS sensor to generate an alert, when  a UDP packet from Internet with source port as 53, reaches any system in the internal network with the following content in the packet   81 80 00 01 00 01 00 00 00 00 and  C0 0C 00 01 00 01 00 00 00|<|00 04. This alert is displayed with  a classtype  bad-unknown.

Tips for Preventing DNS Spoofing

  • Maintain the DNS software Up-to-Date.
  • Allow updates and zone transfers from trusted sources.
  • Maintain a Separate DNS server for public services and for internal services.
  • Use secure key for signing the updates recieved from other DNS server. This will  avoid updates from untrusted sources.

References: http://www.snort.org


Centre for Development of Advanced Computing, (C-DAC)
Plot No. 6 & 7, Hardware Park, Sy No. 1/1, Srisailam Highway, Pahadi Shareef Via Keshavagiri (Post) Hyderabad - 500005


Phone: 040-23737124/25
Mobile: 040-23737124/25


1800 425 6235

Email Address